1474833 - SSL_ERROR_NO_CYPHER_OVERLAP on https://ubs.cardcenter.ch

Status: RESOLVED INCOMPLETE

(Web Compatibility :: Site Reports, defect, P1)

Description

[tony]

Attachment: error.jpg

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15

Steps to reproduce:

So far, Firefox on Mac OS always worked. Since a few weeks, the portal to access this major credit card site in Switzerland fails...

Use a MBP 2013 and with latest OS release and latest Firefox version 61.0.1


Actual results:

You can test this public site:
https://www.ubs.com/ch/en/swissbank/private/pay-and-save/cardservices/cards-online-portal.html

Press the green LOGIN button in the middle of site and you'll get this error in a new tab:
Secure Connection Failed (SSL_ERROR_NO_CYPHER_OVERLAP)


Expected results:

Try same link in Safari and Chrome and it will work when clinking page LOGIN

Comment 1

[:Gijs (he/him)]

This doesn't need to stay hidden, as it's a public site.

Thanks for the report. I think this is something that the site needs to fix. Specifically, running their site through Qualys' SSL checks ( https://www.ssllabs.com/ssltest/analyze.html?d=ubs.cardcenter.ch ), I see:

- the cert chain is incomplete (so the server has not deployed one or more of the intermediary certificates which chain it to the root certificate of the CA from which UBS got a certificate)
- the server only supports the following algorithms:

TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   	128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits   FS 	128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   	128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits   FS 	128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   	256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits   FS 	256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   	256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits   FS 	256

4 of these 8 are marked "WEAK" by Qualys, and I can only assume that Firefox doesn't support any of these 8 - I don't see any entries in about:config for them. If I enable "insecure fallback" for the domain through about:config, NSS throws a "PR_END_OF_FILE_ERROR"...

Mark, can you doublecheck if I've missed something?

Comment 2

[:Gijs (he/him)]

I think Mark is a bit busy, Franziskus, could you have a quick look? Thanks!

Comment 3

[Franziskus Kiefer [:franziskus]]

Firefox doesn't have any of those cipher suites enabled [1]. It's a pretty bad set of cipher suites. This looks like advocacy to me.
But given that UBS is not a small site we might have to talk again about enabling some of these (for example TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256).

[1] https://searchfox.org/mozilla-central/rev/a80651653faa78fa4dfbd238d099c2aad1cec304/security/manager/ssl/nsNSSComponent.cpp#1315

Comment 4

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Looking at https://www.ssllabs.com/ssltest/analyze.html?d=ubs.cardcenter.ch this would have never worked with Firefox. So my vote would be for reaching out to them before enabling more DHE ciphersuites.

Comment 5

[Adam Stevenson [:adamopenweb]]

Site is ranked 23 in Switzerland, setting as needscontact.

Comment 6

[Firefox Bug Husbandry Bot]

See bug 1547409. Moving webcompat whiteboard tags to keywords.

Comment 7

[g1vn]

same problem popped up couple of times on https://bosscasino.com/ but i can't catch it

Comment 8

[Bethoven Albright]

Apologies in advance to admins and other seniors. I still don't know how to find a solution to my problem, here I want to ask for help from mozilla seniors, because my website https://144.126.240.217/ cannot be accessed via the mozilla browser. Is there a bug wrong or my https or http is wrong? Please help, thank you all for the time and help given to me.

Comment 9

[slot88 online]

sometime i get the issues sama like this and i already try fix but its still same get errror, maybe anyone can help me? try to open my site at https://34.101.196.118/ cannot be acces normal on mozila firefox browser

Comment 10

[kingslot88]

https://kingslot88.org please check and visit my website..

Comment 11

[idwin oregon]

<a href="https://www.teamoregon.com/" rel="nofollow">https://www.teamoregon.com</a> the best game you can find here

Comment 12

[:Gijs (he/him)]

Restricting commenting because this bug appears to have become a spam trap.

Comment 13

[u597032]

Site no longer active