User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160210153822

Steps to reproduce:

Set up a server with the following ciphersuites:
- ECDHE-RSA-AES128-SHA256
- DHE-RSA-AES128-SHA256
- AES128-SHA256

Try to connect with Firefox 44.*

Actual results:

Advanced info: ssl_error_no_cypher_overlap

Expected results:

I expected Firefox to support AES/SHA256 ciphersuites.
Firefox supported ciphersuites list in default configuration seems to be:

Cipher Suites (11 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Dear reporter, please have a look at Bug 1171791. According to this bug no support for SHA256_CBC will be added to NSS, the crypto library which Firefox uses.
NSS already supports those cipher suites (although Firefox does not enable them).
Okay, sorry I got this wrong then. Sending this bug back to Core.
(In reply to Iansus from comment #0)
> User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101
> Firefox/44.0
> Build ID: 20160210153822
>
> Steps to reproduce:
>
> Set up a server with the following ciphersuites :
> - ECDHE-RSA-AES128-SHA256
> - DHE-RSA-AES128-SHA256
> - AES128-SHA256

Hi, could you please show us the precise server config values you used for this testing, and indicate whether it's Apache or Nginx or ??, and what version of SSL library it's using? It would help us reproduce the issue more accurately so we can be sure we're addressing your exact request.
The comment has enough information. The server should enable ECDHE-RSA-AES128-GCM-SHA256. Firefox will not enable CBC_SHA256 cipher suites even when NSS supports them.
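
Added example, not part of the original thread and not Firefox or NSS code: it parses the ClientHello suite list quoted in comment #0 and checks it against the reported server configuration, with and without the GCM suite recommended above. The OpenSSL-name-to-code-point table and the server-preference selection order are assumptions of this sketch.

```python
import re

# Firefox 44 default ClientHello offer, copied from the list in comment #0.
CLIENT_HELLO_DUMP = """
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
"""

# OpenSSL suite name -> IANA code point, only for suites named in this thread.
OPENSSL_TO_CODE = {
    "ECDHE-RSA-AES128-SHA256": 0xC027,      # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    "DHE-RSA-AES128-SHA256": 0x0067,        # TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    "AES128-SHA256": 0x003C,                # TLS_RSA_WITH_AES_128_CBC_SHA256
    "ECDHE-RSA-AES128-GCM-SHA256": 0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}

def parse_offer(dump):
    """Return {code point: IANA name} from 'Cipher Suite: NAME (0xNNNN)' lines."""
    pat = re.compile(r"Cipher Suite:\s+(\w+)\s+\((0x[0-9a-fA-F]{4})\)")
    return {int(code, 16): name for name, code in pat.findall(dump)}

def negotiate(server_suites, offer):
    """Return (OpenSSL name, IANA name) of the first server suite the client
    offered (server-preference order assumed), or None when nothing overlaps.
    None is the case reported here as ssl_error_no_cypher_overlap."""
    for name in server_suites:
        code = OPENSSL_TO_CODE[name]
        if code in offer:
            return name, offer[code]
    return None

OFFER = parse_offer(CLIENT_HELLO_DUMP)
# Server configuration from the steps to reproduce: CBC_SHA256 suites only.
REPORTED = ["ECDHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA256", "AES128-SHA256"]
# Same configuration with the suite recommended in the comment above enabled.
FIXED = ["ECDHE-RSA-AES128-GCM-SHA256"] + REPORTED

if __name__ == "__main__":
    print("reported config:", negotiate(REPORTED, OFFER))
    print("with GCM suite: ", negotiate(FIXED, OFFER))
```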
Hello,

Thank you for your answers. I understand the reasons behind the lack of support. However I find the error message a bit aggressive for that situation:

"The owner of **** has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website."

Regards,
(In reply to Iansus from comment #7)
> I understand the reasons behind the lack of support. However I find the
> error message a bit aggressive for that situation:
>
> "The owner of **** has configured their website improperly. To protect your
> information from being stolen, Firefox has not connected to this website."

Yes, we've changed the message because the most common reason for no_cypher_overlap was RC4-only servers. Bug 1253166 will change the message back to a neutral one.