Closed
Bug 1247904
Opened 8 years ago
Closed 8 years ago
No support for ciphersuites AES*-SHA256 in Firefox 44
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: jean.iansus, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0 Build ID: 20160210153822 Steps to reproduce: Set up a server with the following ciphersuites : - ECDHE-RSA-AES128-SHA256 - DHE-RSA-AES128-SHA256 - AES128-SHA256 Try to connect with Firefox 44.* Actual results: Advanced info: ssl_error_no_cypher_overlap Expected results: I expected Firefox to support AES/SHA256 ciphersuites.
Firefox supported ciphersuites list in default configuration seems to be : Cipher Suites (11 suites) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Updated•8 years ago
|
Assignee: nobody → nobody
Component: Security: PSM → Libraries
Product: Core → NSS
Version: 44 Branch → trunk
Comment 2•8 years ago
|
||
Dear reporter, please have look at Bug 1171791. According to this bug no support for SHA256_CBC will be added to NSS, the crypto libary which Firefox uses.
See Also: → 1171791
Comment 3•8 years ago
|
||
NSS already support those cipher suites (although Firefox does not enable them).
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Comment 4•8 years ago
|
||
Okay, sorry I got this wrong then. Sending this bug back to Core.
Assignee: nobody → nobody
Status: RESOLVED → UNCONFIRMED
Component: Libraries → Security: PSM
Product: NSS → Core
Resolution: INVALID → ---
See Also: 1171791 →
Version: trunk → 44 Branch
(In reply to Iansus from comment #0) > User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 > Firefox/44.0 > Build ID: 20160210153822 > > Steps to reproduce: > > Set up a server with the following ciphersuites : > - ECDHE-RSA-AES128-SHA256 > - DHE-RSA-AES128-SHA256 > - AES128-SHA256 Hi, could you please show us the precise server config values you used for this testing, and indicate whether it's Apache or Nginx or ??, and what version of SSL library it's using? It would help us reproduce the issue more accurately so we can be sure we're addressing your exact request.
Comment 6•8 years ago
|
||
The comment has enough information. The server should enable ECDHE-RSA-AES128-GCM-SHA256. Firefox will not enable CBC_SHA256 cipher suites even when NSS supports them.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → WONTFIX
Hello, Thank you for your answers. I understand the reasons behind the lack of support. However I find the error message a bit aggressive for that situation: "The owner of **** has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website." Regards,
Comment 8•8 years ago
|
||
(In reply to Iansus from comment #7) > I understand the reasons behind the lack of support. However I find the > error message a bit aggressive for that situation: > > "The owner of **** has configured their website improperly. To protect your > information from being stolen, Firefox has not connected to this website." Yes, we've changed the message because the most common reason of no_cypher_overlap was RC4-only servers. Bug 1253166 will change the message back to a neutral one.
You need to log in
before you can comment on or make changes to this bug.
Description
•