Open Bug 1474833 Opened Last year Updated 2 months ago

SSL_ERROR_NO_CYPHER_OVERLAP on https://ubs.cardcenter.ch

Categories: Web Compatibility :: Desktop, defect, P1
Tracking: Not tracked
Status: UNCONFIRMED
People: Reporter: tony, Unassigned
References: Blocks 1 open bug
Details: Keywords: webcompat:needs-contact, Whiteboard: [needscontact]
Attachments: 1 file: error.jpg (56.99 KB, image/jpeg)

Attached image error.jpg
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15

Steps to reproduce:

So far, Firefox on Mac OS has always worked. For a few weeks now, the portal to access this major credit card site in Switzerland has failed...

Using a MBP 2013 with the latest OS release and latest Firefox version 61.0.1


Actual results:

You can test this public site:
https://www.ubs.com/ch/en/swissbank/private/pay-and-save/cardservices/cards-online-portal.html

Press the green LOGIN button in the middle of site and you'll get this error in a new tab:
Secure Connection Failed (SSL_ERROR_NO_CYPHER_OVERLAP)


Expected results:

Try the same link in Safari and Chrome and it will work when clicking the page's LOGIN
This doesn't need to stay hidden, as it's a public site.

Thanks for the report. I think this is something that the site needs to fix. Specifically, running their site through Qualys' SSL checks ( https://www.ssllabs.com/ssltest/analyze.html?d=ubs.cardcenter.ch ), I see:

- the cert chain is incomplete (so the server has not deployed one or more of the intermediary certificates which chain it to the root certificate of the CA from which UBS got a certificate)
- the server only supports the following algorithms:

Cipher suite                             Code   Key exchange    FS   Bits
TLS_RSA_WITH_AES_128_CBC_SHA256          0x3c                        128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      0x67   DH 2048 bits    FS   128
TLS_RSA_WITH_AES_128_GCM_SHA256          0x9c                        128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      0x9e   DH 2048 bits    FS   128
TLS_RSA_WITH_AES_256_CBC_SHA256          0x3d                        256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      0x6b   DH 2048 bits    FS   256
TLS_RSA_WITH_AES_256_GCM_SHA384          0x9d                        256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      0x9f   DH 2048 bits    FS   256

4 of these 8 are marked "WEAK" by Qualys, and I can only assume that Firefox doesn't support any of these 8 - I don't see any entries in about:config for them. If I enable "insecure fallback" for the domain through about:config, NSS throws a "PR_END_OF_FILE_ERROR"...

Mark, can you double-check if I've missed something?
Group: firefox-core-security
Flags: needinfo?(mgoodwin)
Summary: SSL_ERROR_NO_CYPHER_OVERLAP → SSL_ERROR_NO_CYPHER_OVERLAP on https://ubs.cardcenter.ch
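The mismatch described in the comment above can be checked mechanically. The Python below is an added example, not code from the bug report, from Mozilla/NSS or from Qualys: it parses the Qualys-style cipher-suite listing pasted in the comment, records for each suite whether it offers forward secrecy and whether it is an AEAD or a CBC suite, and intersects the server's set with a client set. An empty intersection is exactly the condition behind SSL_ERROR_NO_CYPHER_OVERLAP. The client set is an assumption constructed for this example, modelled on what a 2018-era browser typically offered (ECDHE/AEAD suites plus legacy CBC-SHA suites); it is not a copy of Firefox 61's actual configuration. `Suite`, `parse_listing`, `overlap` and `assess` are names introduced here.

```python
"""Check why a TLS handshake can end in SSL_ERROR_NO_CYPHER_OVERLAP.

Added example; not code from the bug report, Mozilla/NSS or Qualys.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Server listing copied from the bug's comment (Qualys SSL Labs format;
# tabs in the original replaced by spaces).
SERVER_LISTING = """\
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits   FS   128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits   FS   128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits   FS   256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits   FS   256
"""

# Assumed client list: constructed for this example and modelled on a
# 2018-era browser's typical offering. NOT Firefox 61's real configuration.
CLIENT_SUITES: Set[str] = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
}


@dataclass(frozen=True)
class Suite:
    name: str              # IANA cipher-suite name
    code: int              # two-byte cipher-suite identifier
    bits: int              # symmetric key length
    forward_secrecy: bool  # Qualys "FS" marker present
    dh_bits: int           # ephemeral DH group size; 0 for static RSA key exchange

    @property
    def aead(self) -> bool:
        # GCM and ChaCha20-Poly1305 are AEAD modes; CBC is not.
        return "_GCM_" in self.name or "CHACHA20_POLY1305" in self.name

    @property
    def cbc(self) -> bool:
        return "_CBC_" in self.name


LINE_RE = re.compile(
    r"^(TLS_\S+)\s+\((0x[0-9a-fA-F]+)\)\s+"  # suite name and hex code
    r"(?:DH\s+(\d+)\s+bits\s+)?"             # optional DH group size
    r"(FS\s+)?"                              # optional forward-secrecy marker
    r"(\d+)\s*$"                             # symmetric key bits
)


def parse_listing(text: str) -> List[Suite]:
    """Turn Qualys-style lines into Suite records; reject anything unrecognised."""
    suites: List[Suite] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised cipher-suite line: {line!r}")
        name, code, dh, fs, bits = m.groups()
        suites.append(Suite(name, int(code, 16), int(bits),
                            forward_secrecy=fs is not None,
                            dh_bits=int(dh) if dh else 0))
    return suites


def overlap(server: List[Suite], client: Set[str]) -> List[str]:
    """Suites both sides accept; an empty list means NO_CYPHER_OVERLAP."""
    return sorted(s.name for s in server if s.name in client)


def assess(server: List[Suite], client: Set[str]) -> Dict[str, object]:
    """Summarise what a defender would report back to the site owner."""
    common = overlap(server, client)
    return {
        "handshake_possible": bool(common),
        "common_suites": common,
        # Qualys flags CBC suites as WEAK; the comment notes 4 of 8 were flagged.
        "weak_cbc": sorted(s.name for s in server if s.cbc),
        "no_forward_secrecy": sorted(s.name for s in server if not s.forward_secrecy),
        # Server suites that are both FS and AEAD: the only ones worth any
        # discussion about widening a client list (cf. the DHE GCM idea in the bug).
        "fs_aead_offered": sorted(s.name for s in server
                                  if s.forward_secrecy and s.aead),
    }


if __name__ == "__main__":
    for key, value in assess(parse_listing(SERVER_LISTING), CLIENT_SUITES).items():
        print(f"{key}: {value}")
```

Running the script against the listing from the comment yields no common suite, four CBC suites and four suites without forward secrecy, and exactly the two DHE GCM suites as the FS+AEAD candidates; the same report makes the server-side fix obvious, since the server offers no ECDHE suite at all.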
I think Mark is a bit busy, Franziskus, could you have a quick look? Thanks!
Flags: needinfo?(mgoodwin) → needinfo?(franziskuskiefer)
Firefox doesn't have any of those cipher suites enabled [1]. It's a pretty bad set of cipher suites. This looks like advocacy to me.
But given that UBS is not a small site we might have to talk again about enabling some of these (for example TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256).

[1] https://searchfox.org/mozilla-central/rev/a80651653faa78fa4dfbd238d099c2aad1cec304/security/manager/ssl/nsNSSComponent.cpp#1315
Component: Untriaged → Security: PSM
Flags: needinfo?(franziskuskiefer)
Product: Firefox → Core
Flags: needinfo?(dkeeler)
Looking at https://www.ssllabs.com/ssltest/analyze.html?d=ubs.cardcenter.ch this would have never worked with Firefox. So my vote would be for reaching out to them before enabling more DHE ciphersuites.
Component: Security: PSM → Desktop
Flags: needinfo?(dkeeler)
Product: Core → Tech Evangelism
Version: 63 Branch → unspecified
Site is ranked 23 in Switzerland, setting as needscontact.
Flags: needinfo?(astevenson)
Whiteboard: [needscontact]
Flags: needinfo?(astevenson)
Priority: -- → P1
See Also: → 1492361
Product: Tech Evangelism → Web Compatibility

See bug 1547409. Moving webcompat whiteboard tags to keywords.

The same problem popped up a couple of times on https://bosscasino.com/ but I can't catch it
