Closed Bug 1247876 Opened 8 years ago Closed 8 years ago

assets.mozilla.org, partners.mozilla.org, events.mozilla.org all give an SSL_ERROR_NO_CYPHER_OVERLAP error

Component: Infrastructure & Operations :: SSL Certificates
Type: task
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED WONTFIX
Reporter: gerv
Assignee: rwatson
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2567]

Visiting assets.mozilla.org in my browser, 46.0a2 (Developer Edition) on Linux, gives an SSL_ERROR_NO_CYPHER_OVERLAP error. Trying to use "outdated security" instead gives an SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT.

I have security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha manually disabled - when I enable them, the sites work. 

rbarnes: I'm fairly sure I've disabled these because we plan to do so in the future. Is that bug 1227519? Do we need to be working with our vendor here?

Gerv
I note also that the Qualys analysis:
https://www.ssllabs.com/ssltest/analyze.html?d=assets.mozilla.org
shows that there are a bunch of browsers that this site won't work in due to a cipher suite mismatch.

Gerv
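The failure in comment 0 and the Qualys handshake simulation in the comment above are both instances of the same check: the server picks the first suite that appears in both its list and the ClientHello, and if the intersection is empty the handshake dies with handshake_failure (NSS reports it as SSL_ERROR_NO_CYPHER_OVERLAP). The script below is an added example, not code from the bug, from Firefox or from NSS. It models that negotiation offline: the security.ssl3.* pref names are real Firefox prefs, but the pref-to-suite mapping is a partial list chosen for the example, the server suite lists (SERVER_DHE_ONLY, SERVER_MODERN) are constructed to match what the report implies rather than taken from a scan, and live_probe() is an optional helper that needs network access and is not run at import time.

```python
"""Added example (not from the bug, Firefox or NSS): an offline model of the
cipher-suite negotiation behind SSL_ERROR_NO_CYPHER_OVERLAP, plus an optional
live probe. Pref names are real security.ssl3.* prefs; the mapping is
deliberately partial and the server suite lists are constructed."""
import socket
import ssl

# Firefox pref -> IANA suite name, in the client's preference order.
# Assumption: a partial list chosen for this example, not Firefox's full set.
PREF_TO_SUITE = {
    "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "security.ssl3.ecdhe_rsa_aes_128_sha": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "security.ssl3.ecdhe_rsa_aes_256_sha": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "security.ssl3.dhe_rsa_aes_128_sha": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "security.ssl3.dhe_rsa_aes_256_sha": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "security.ssl3.rsa_aes_128_sha": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "security.ssl3.rsa_aes_256_sha": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "security.ssl3.rsa_des_ede3_sha": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Constructed server profiles (not scan results), in the server's own order.
SERVER_DHE_ONLY = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]
SERVER_MODERN = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

DEFAULT_PREFS = {pref: True for pref in PREF_TO_SUITE}
# The about:config change described in comment 0.
NO_DHE_PREFS = dict(DEFAULT_PREFS, **{
    "security.ssl3.dhe_rsa_aes_128_sha": False,
    "security.ssl3.dhe_rsa_aes_256_sha": False,
})


def client_hello_suites(prefs):
    """Suites the client advertises: every enabled pref, in PREF_TO_SUITE order."""
    return [suite for pref, suite in PREF_TO_SUITE.items() if prefs.get(pref, False)]


def negotiate(client_suites, server_suites, server_preference=True):
    """Return the suite the server selects, or None when the lists do not overlap.
    With server_preference the server walks its own list and takes the first
    suite the client offered; otherwise it honours the client's order."""
    if server_preference:
        offered = set(client_suites)
        return next((s for s in server_suites if s in offered), None)
    supported = set(server_suites)
    return next((s for s in client_suites if s in supported), None)


def explain(prefs, server_suites):
    """Summarise the handshake for a pref set, and name the prefs that would
    have to be re-enabled to reach a server with no overlap."""
    offered = client_hello_suites(prefs)
    chosen = negotiate(offered, server_suites)
    missing = sorted(pref for pref, suite in PREF_TO_SUITE.items()
                     if suite in server_suites and not prefs.get(pref, False))
    return {
        "offered": offered,
        "negotiated": chosen,
        "error": None if chosen else "no cipher overlap",
        "fix": None if chosen else missing,
    }


def live_probe(host, openssl_ciphers, port=443, timeout=5.0):
    """Optional: real handshake restricted to an OpenSSL cipher string, e.g.
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA" to ask whether a server still
    speaks only DHE. Returns the negotiated suite or the failure text.
    Needs network; a modern OpenSSL may refuse SHA-1 suites outright."""
    try:
        ctx = ssl.create_default_context()
        ctx.set_ciphers(openssl_ciphers)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        return "handshake failed: %s" % exc


if __name__ == "__main__":
    for name, prefs in (("default", DEFAULT_PREFS), ("DHE disabled", NO_DHE_PREFS)):
        for label, server in (("DHE-only server", SERVER_DHE_ONLY), ("modern server", SERVER_MODERN)):
            print(name, "vs", label, "->", explain(prefs, server)["negotiated"])
```

The "fix" field reproduces the diagnosis in comment 0 mechanically: with DHE disabled against the DHE-only profile it names exactly the two prefs that had to be re-enabled, while the same client succeeds against a server that also offers ECDHE, which is why the reporter rarely hit this elsewhere.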
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2567]
Assignee: server-ops-webops → rwatson
Doing a bit of digging and it appears webops/IT doesn't own or host these sites.
host -i events.mozilla.org
events.mozilla.org is an alias for mozillaportalevents.netx.net.
mozillaportalevents.netx.net is an alias for mozilla.netx.net.
mozilla.netx.net is an alias for container01.netx.net.
container01.netx.net is an alias for galileo.netx.net.
galileo.netx.net has address 198.145.10.107

A bugzilla search for these domains brings me to:
https://bugzilla.mozilla.org/show_bug.cgi?id=1124332
https://bugzilla.mozilla.org/show_bug.cgi?id=1135936

So I'm going to needinfo Lizz Noonan.

I'm also reaching out to the people in engagement engineering to see if they know more.
Flags: needinfo?(enoonan)
word is that martell may also know more.
Flags: needinfo?(smartell)
Martell isn't the right person for this. I am the DAM admin but you can work directly with NetX for any issues - jason@netx.net is their main dev contact. Want to make sure this isn't another duplicate of the XSS bug, Bug 1142658, Bug 1142955. Those are already being resolved with the vendor.
Flags: needinfo?(smartell)
Flags: needinfo?(enoonan)
Hey Lizz, where should I move this bug to? This is not a webops property so it isn't appropriate for us to work on this.
This is not a duplicate of their XSS bugs; this problem is at a much lower level, SSL negotiation. rbarnes: thoughts on whether we pursue this? (See comment #0.)

Gerv
Flags: needinfo?(rlb)
Gerv: I think this is a problem with your local config.  Those ciphers are enabled by default:

https://dxr.mozilla.org/mozilla-central/source/netwerk/base/security-prefs.js#21
Flags: needinfo?(rlb)
Also, FWIW: https://assets.mozilla.org works fine for me in current Nightly and DevEd.
(In reply to Richard Barnes [:rbarnes] from comment #7)
> Gerv: I think this is a problem with your local config.  Those ciphers are
> enabled by default:

I know. That's why I said: "I have security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha manually disabled - when I enable them, the sites work. rbarnes: I'm fairly sure I've disabled these because we plan to do so in the future. Is that bug 1227519? Do we need to be working with our vendor here?"

In other words, I'm not saying this is a current problem, but could it be a future problem? I rarely hit problems by having these ciphers disabled; this is the first one in a while.

Gerv
Flags: needinfo?(rlb)
Oh, sorry.  In the long run, yes, we would like to get rid of DHE ciphersuites, and Bug 1227519 is the bug. But as I said in that bug, it's not really a priority.
Flags: needinfo?(rlb)
Since this is a potential "future problem" and rbarnes has stated it isn't a priority, I'm going to close this as won't fix. This isn't a webops issue, so if any further discussion is needed, perhaps bug 1227519 is a better place?
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX