No support for ciphersuites AES*-SHA256 in Firefox 44

Status: RESOLVED WONTFIX
Product: Core
Component: Security: PSM
Version: 44 Branch
Reporter: Iansus
Assignee: Unassigned
Firefox Tracking Flags: Not tracked
Reported: 2 years ago

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160210153822

Steps to reproduce:

Set up a server with the following ciphersuites :
- ECDHE-RSA-AES128-SHA256
- DHE-RSA-AES128-SHA256
- AES128-SHA256

Try to connect with Firefox 44.*


Actual results:

Advanced info: ssl_error_no_cypher_overlap


Expected results:

I expected Firefox to support AES/SHA256 ciphersuites.
(Reporter)

Comment 1

2 years ago
Firefox's list of supported ciphersuites in the default configuration seems to be:

Cipher Suites (11 suites)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

Updated

2 years ago
Component: Untriaged → Security: PSM
Product: Firefox → Core

Updated

2 years ago
Assignee: nobody → nobody
Component: Security: PSM → Libraries
Product: Core → NSS
Version: 44 Branch → trunk

Comment 2

2 years ago
Dear reporter,

please have a look at Bug 1171791. According to this bug, no support for SHA256_CBC will be added to NSS, the crypto library which Firefox uses.
See Also: → bug 1171791

NSS already supports those cipher suites (although Firefox does not enable them).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID

Comment 4

2 years ago
Okay, sorry I got this wrong then. Sending this bug back to Core.
Assignee: nobody → nobody
Status: RESOLVED → UNCONFIRMED
Component: Libraries → Security: PSM
Product: NSS → Core
Resolution: INVALID → ---
See Also: bug 1171791
Version: trunk → 44 Branch
(In reply to Iansus from comment #0)
> User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101
> Firefox/44.0
> Build ID: 20160210153822
> 
> Steps to reproduce:
> 
> Set up a server with the following ciphersuites :
> - ECDHE-RSA-AES128-SHA256
> - DHE-RSA-AES128-SHA256
> - AES128-SHA256

Hi, could you please show us the precise server config values you used for this testing, and indicate whether it's Apache or Nginx or ??, and what version of SSL library it's using?

It would help us reproduce the issue more accurately so we can be sure we're addressing your exact request.
The comment has enough information. The server should enable ECDHE-RSA-AES128-GCM-SHA256. Firefox will not enable CBC_SHA256 cipher suites even when NSS supports them.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX
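
The mismatch discussed in this thread, as an added example that is not part of the bug report or of Firefox/NSS code: it parses the ClientHello dump from comment 1 and checks it against the reporter's server suites, then against the same list with the GCM suite recommended above. The OpenSSL-name to code-point table, the colon-separated cipher string and the server-preference selection order are assumptions of the example.

```python
import re

# Firefox 44 default offer, copied from the ClientHello dump in comment 1.
FIREFOX_44_CLIENT_HELLO = """
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
"""

# OpenSSL name -> IANA code point for the server-side suites named in this bug
# (table added for this example).
OPENSSL_CODE_POINTS = {
    "ECDHE-RSA-AES128-SHA256": 0xC027,      # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    "DHE-RSA-AES128-SHA256": 0x0067,        # TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    "AES128-SHA256": 0x003C,                # TLS_RSA_WITH_AES_128_CBC_SHA256
    "ECDHE-RSA-AES128-GCM-SHA256": 0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
REPORTED_SERVER_CONFIG = "ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-SHA256"
SUITE_LINE = re.compile(r"Cipher Suite:\s+(TLS_\w+)\s+\(0x([0-9a-fA-F]{4})\)")

def parse_client_hello(dump):
    """Return the offered suites, in client order, as (code point, IANA name)."""
    return [(int(code, 16), name) for name, code in SUITE_LINE.findall(dump)]

def negotiate(server_cipher_string, client_offer):
    """Return the IANA name of the first server-preferred suite the client also
    offers, or None when there is no overlap (the case Firefox reports as
    ssl_error_no_cypher_overlap)."""
    offered = dict(client_offer)
    for openssl_name in server_cipher_string.split(":"):
        code = OPENSSL_CODE_POINTS[openssl_name]  # KeyError: suite not in table
        if code in offered:
            return offered[code]
    return None

if __name__ == "__main__":
    offer = parse_client_hello(FIREFOX_44_CLIENT_HELLO)
    print("reported config ->", negotiate(REPORTED_SERVER_CONFIG, offer))
    fixed = "ECDHE-RSA-AES128-GCM-SHA256:" + REPORTED_SERVER_CONFIG
    print("with GCM suite  ->", negotiate(fixed, offer))
```
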
(Reporter)

Comment 7

2 years ago
Hello,

Thank you for your answers.
I understand the reasons behind the lack of support. However I find the error message a bit aggressive for that situation:

"The owner of **** has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website."

Regards,
(In reply to Iansus from comment #7)
> I understand the reasons behind the lack of support. However I find the
> error message a bit aggressive for that situation:
> 
> "The owner of **** has configured their website improperly. To protect your
> information from being stolen, Firefox has not connected to this website."

Yes, we've changed the message because the most common reason for no_cypher_overlap was RC4-only servers.
Bug 1253166 will change the message back to a neutral one.