User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15

Steps to reproduce:

So far, Firefox on Mac OS always worked. For a few weeks now, the portal to access this major credit card site in Switzerland fails... Use a MBP 2013 with the latest OS release and latest Firefox version 61.0.1

Actual results:

You can test this public site: https://www.ubs.com/ch/en/swissbank/private/pay-and-save/cardservices/cards-online-portal.html
Press the green LOGIN button in the middle of the site and you'll get this error in a new tab:
Secure Connection Failed (SSL_ERROR_NO_CYPHER_OVERLAP)

Expected results:

Try the same link in Safari and Chrome and it will work when clicking page LOGIN
This doesn't need to stay hidden, as it's a public site.

Thanks for the report. I think this is something that the site needs to fix. Specifically, running their site through Qualys' SSL checks ( https://www.ssllabs.com/ssltest/analyze.html?d=ubs.cardcenter.ch ), I see:

- the cert chain is incomplete (so the server has not deployed one or more of the intermediary certificates which chain it to the root certificate of the CA from which UBS got a certificate)
- the server only supports the following algorithms:

  TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS 128
  TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS 128
  TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS 256
  TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS 256

4 of these 8 are marked "WEAK" by Qualys, and I can only assume that Firefox doesn't support any of these 8 - I don't see any entries in about:config for them. If I enable "insecure fallback" for the domain through about:config, NSS throws a "PR_END_OF_FILE_ERROR"...

Mark, can you double-check if I've missed something?
Summary: SSL_ERROR_NO_CYPHER_OVERLAP → SSL_ERROR_NO_CYPHER_OVERLAP on https://ubs.cardcenter.ch
I think Mark is a bit busy, Franziskus, could you have a quick look? Thanks!
Flags: needinfo?(mgoodwin) → needinfo?(franziskuskiefer)
Firefox doesn't have any of those cipher suites enabled. It's a pretty bad set of cipher suites. This looks like advocacy to me. But given that UBS is not a small site we might have to talk again about enabling some of these (for example TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256). https://searchfox.org/mozilla-central/rev/a80651653faa78fa4dfbd238d099c2aad1cec304/security/manager/ssl/nsNSSComponent.cpp#1315
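The overlap check discussed in the comments above, as an added example (not part of the bug thread and not Mozilla's code): it parses the scan lines quoted earlier and intersects them with a client offer. `CLIENT_OFFER` is a constructed list of IANA code points standing in for a client that offers ECDHE suites plus SHA-1 CBC fallbacks; it is an assumption, not Firefox's actual list.

```python
import re

# Server suites exactly as quoted from the scan output in the thread.
SERVER_SCAN = """\
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS 256
"""

# ASSUMPTION: constructed client offer (IANA code points), not taken
# from the page and not a claim about any specific browser build.
CLIENT_OFFER = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

LINE = re.compile(r"^(TLS_\w+) \(0x([0-9a-fA-F]+)\)(.*)$")

def parse_scan(text):
    """Return {code_point: (name, forward_secrecy)} from scan lines."""
    suites = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            suites[int(m.group(2), 16)] = (m.group(1), "FS" in m.group(3).split())
    return suites

def negotiate(client, server):
    """Code points both sides support; empty means the handshake fails."""
    return sorted(set(client) & set(server))

def near_misses(client, server):
    """Server suites differing from a client suite only in the trailing hash."""
    stem = lambda name: name.rsplit("_", 1)[0]
    by_stem = {stem(n): n for n in client.values()}
    return {name: by_stem[stem(name)]
            for name, _ in server.values() if stem(name) in by_stem}
```

Negotiation compares the 16-bit code points, so a server offering `..._CBC_SHA256` (0x3c) and a client offering `..._CBC_SHA` (0x2f) share nothing even though the names look almost identical.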
Component: Untriaged → Security: PSM
Product: Firefox → Core
Looking at https://www.ssllabs.com/ssltest/analyze.html?d=ubs.cardcenter.ch this would have never worked with Firefox. So my vote would be for reaching out to them before enabling more DHE ciphersuites.
Component: Security: PSM → Desktop
Product: Core → Tech Evangelism
Version: 63 Branch → unspecified
Site is ranked 23 in Switzerland, setting as needscontact.
Product: Tech Evangelism → Web Compatibility