https://capitolfax.com/ fails to load in ESR 45.7.0 on Windows, Mac, and Linux

RESOLVED INVALID

Status

Core
Networking: HTTP
10 months ago
4 months ago

People

(Reporter: szuta, Unassigned)

Tracking

51 Branch

Firefox Tracking Flags

(firefox-esr45- wontfix, firefox51 unaffected, firefox52 unaffected, firefox53 unaffected, firefox54 unaffected)

Description

10 months ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:

Visit https://capitolfax.com/


Actual results:

URL disappears from the URL bar. Firebug shows 'aborted' response.


Expected results:

Webpage should load (see any other browser, or non-ESR version).

Comment 1

10 months ago
[Tracking Requested - why for this release]:

NS_ERROR_NET_INADEQUATE_SECURITY in 48.0.1, works in 49.0.2 and later, with the issue in 47.0.2 and earlier (including 45.7.0esr). Works in 33.0, 35.0. With the issue in 37.0.2.
Status: UNCONFIRMED → NEW
Has STR: --- → yes
status-firefox51: --- → unaffected
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected
status-firefox54: --- → unaffected
status-firefox-esr45: --- → affected
tracking-firefox-esr45: --- → ?
Component: Untriaged → Networking: HTTP
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All

daniel - can you triage this.. with HTTP_logging you will get a fine-grained reason for inadequate_security. my guess is that it's a server bug - negotiating an illegal h2 suite (and also choosing h2) - and for later revisions we just don't offer the problematic combo in the handshake at all.. that would be INVALID - but maybe it's something different.
Flags: needinfo?(daniel)

Comment 3

10 months ago
SSL Labs perfectly identified the issue:
https://dev.ssllabs.com/ssltest/analyze.html?d=capitolfax.com&hideResults=on
> Firefox 47 / Win 7  R		Server negotiated HTTP/2 with blacklisted suite
> RSA 2048 (SHA256)   |  TLS 1.2  |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1 

Because this server prefers some blacklisted cipher suites over AES_128_GCM_SHA256, the connection fails. (Yet another example of the "256-bit is always better than 128-bit" myth.) Firefox added support for TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.

Unfortunately, it is very unlikely that we backport AES_256_GCM_SHA384 to ESR.

thanks emk. going to close this one as INVALID based on server behavior.
Status: NEW → RESOLVED
Last Resolved: 10 months ago
Flags: needinfo?(daniel)
Resolution: --- → INVALID

esr 45 is dead, please use esr 52
status-firefox-esr45: affected → wontfix
tracking-firefox-esr45: ? → -
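
The failure diagnosed in Comment 3, as an added example (not code from this bug, Firefox, or SSL Labs): it models server-preference suite selection, flags a blacklisted suite negotiated together with h2, and shows that ordering AEAD suites first avoids it. The suite lists are constructed, and `h2_acceptable` approximates the RFC 7540 Appendix A blacklist by rule (ephemeral key exchange plus AEAD cipher) rather than reproducing the literal list.

```python
# Added example. Suite lists below are constructed for illustration; they are
# not the real Firefox offers or the capitolfax.com server configuration.
EPHEMERAL_KX = ("TLS_ECDHE_", "TLS_DHE_")
AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305")

def h2_acceptable(suite):
    """Rule-based approximation of the RFC 7540 Appendix A blacklist: a TLS 1.2
    suite is usable with HTTP/2 only if it has ephemeral key exchange and AEAD."""
    return suite.startswith(EPHEMERAL_KX) and any(m in suite for m in AEAD_MARKERS)

def negotiate(server_pref, client_offer):
    """Server-preference selection: first server suite the client also offers."""
    offered = set(client_offer)
    return next((s for s in server_pref if s in offered), None)

def audit(server_pref, client_offer, alpn_h2=True):
    """Return (suite, verdict) for one client profile against one server order."""
    suite = negotiate(server_pref, client_offer)
    if suite is None:
        return None, "handshake_failure"
    if alpn_h2 and not h2_acceptable(suite):
        return suite, "INADEQUATE_SECURITY"  # what the older client reports
    return suite, "ok"

def aead_first(server_pref):
    """Possible server-side fix: stable reorder with h2-acceptable suites first."""
    return sorted(server_pref, key=lambda s: not h2_acceptable(s))

# Constructed server order: prefers 256-bit CBC over 128-bit GCM.
SERVER_PREF = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
# Constructed client offers: the older one lacks AES_256_GCM_SHA384.
OLDER_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
NEWER_CLIENT = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"] + OLDER_CLIENT

if __name__ == "__main__":
    print("older client:", audit(SERVER_PREF, OLDER_CLIENT))
    print("newer client:", audit(SERVER_PREF, NEWER_CLIENT))
    print("older client, AEAD-first server:", audit(aead_first(SERVER_PREF), OLDER_CLIENT))
```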