User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131
Steps to reproduce: Visit https://capitolfax.com/
Actual results: URL disappears from the URL bar. Firebug shows 'aborted' response.
Expected results: Webpage should load (see any other browser, or non-ESR version).
[Tracking Requested - why for this release]: NS_ERROR_NET_INADEQUATE_SECURITY in 48.0.1, works in 49.0.2 and later, with the issue in 47.0.2 and earlier (including 45.7.0esr). Works in 33.0, 35.0. With the issue in 37.0.2.
Daniel - can you triage this? With HTTP_logging you will get a fine-grained reason for inadequate_security. My guess is that it's a server bug - negotiating an illegal h2 suite (and also choosing h2) - and for later revisions we just don't offer the problematic combo in the handshake at all. That would be INVALID - but maybe it's something different.
SSL Labs perfectly identified the issue: https://dev.ssllabs.com/ssltest/analyze.html?d=capitolfax.com&hideResults=on
> Firefox 47 / Win 7 R Server negotiated HTTP/2 with blacklisted suite
> RSA 2048 (SHA256) | TLS 1.2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1
Because this server prefers some blacklisted cipher suites over AES_128_GCM_SHA256, the connection fails. (Yet another example of "256-bit is always better than 128-bit" myth.) Firefox added support for TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. Unfortunately, it is very unlikely that we backport AES_256_GCM_SHA384 to ESR.
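The failure described in the comment above, modelled as an added example that is not part of the original bug thread or of Firefox's code: a server that ranks a CBC suite above AES_128_GCM_SHA256 and also selects h2 produces INADEQUATE_SECURITY for a client that lacks AES_256_GCM_SHA384. The suite lists are constructed for illustration, and `h2_blacklisted` approximates RFC 7540 Appendix A by its stated criteria (no ephemeral key exchange, or a non-AEAD cipher) rather than by the literal list.

```python
# Added illustration. All suite lists are constructed, not captured handshakes.
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")
EPHEMERAL_KX = ("TLS_ECDHE_", "TLS_DHE_")

def h2_blacklisted(suite):
    """Approximation of RFC 7540 Appendix A: a TLS 1.2 suite is unusable for
    HTTP/2 if it lacks ephemeral key exchange or is not an AEAD cipher."""
    ephemeral = suite.startswith(EPHEMERAL_KX)
    aead = any(marker in suite for marker in AEAD_MARKERS)
    return not (ephemeral and aead)

def negotiate(client_offer, server_pref, alpn=("h2", "http/1.1")):
    """Server-preference selection: the first server suite the client offers.
    Both sides are assumed to support h2, so ALPN picks it."""
    suite = next((s for s in server_pref if s in client_offer), None)
    return suite, alpn[0]

def client_verdict(client_offer, server_pref):
    """What an HTTP/2 client enforcing the blacklist does with the result."""
    suite, proto = negotiate(client_offer, server_pref)
    if suite is None:
        return "handshake_failure"
    if proto == "h2" and h2_blacklisted(suite):
        return f"INADEQUATE_SECURITY ({suite} over h2)"
    return f"ok ({suite} over {proto})"

# Constructed server preference: "256-bit first", CBC ranked above 128-bit GCM.
SERVER_PREF = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
# Constructed client without AES_256_GCM_SHA384 (the affected situation).
OLD_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
# Constructed client that also offers AES_256_GCM_SHA384.
NEW_CLIENT = OLD_CLIENT + ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
# Server-side fix: rank every h2-acceptable suite ahead of blacklisted ones.
FIXED_PREF = sorted(SERVER_PREF, key=h2_blacklisted)

if __name__ == "__main__":
    for name, offer, pref in [("old client", OLD_CLIENT, SERVER_PREF),
                              ("new client", NEW_CLIENT, SERVER_PREF),
                              ("old client, fixed server", OLD_CLIENT, FIXED_PREF)]:
        print(f"{name}: {client_verdict(offer, pref)}")
```
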
Thanks emk. Going to close this one as INVALID based on server behavior.
ESR 45 is dead, please use ESR 52.