Closed
Bug 1474833
Opened 6 years ago
Closed 3 years ago
SSL_ERROR_NO_CYPHER_OVERLAP on https://ubs.cardcenter.ch
Categories: Web Compatibility :: Site Reports, defect, P1
Tracking: Not tracked
Status: RESOLVED INCOMPLETE
People: Reporter: tony, Unassigned
Details: Keywords: webcompat:needs-contact, Whiteboard: [needscontact]
Attachments: 1 file (56.99 KB, image/jpeg)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15
Steps to reproduce:
So far, Firefox on Mac OS always worked. For the past few weeks, the portal to access this major credit card site in Switzerland has failed...
Use an MBP 2013 with the latest OS release and the latest Firefox version, 61.0.1
Actual results:
You can test this public site:
https://www.ubs.com/ch/en/swissbank/private/pay-and-save/cardservices/cards-online-portal.html
Press the green LOGIN button in the middle of site and you'll get this error in a new tab:
Secure Connection Failed (SSL_ERROR_NO_CYPHER_OVERLAP)
Expected results:
Try the same link in Safari and Chrome and it will work when clicking page LOGIN
Comment 1•6 years ago
This doesn't need to stay hidden, as it's a public site.
Thanks for the report. I think this is something that the site needs to fix. Specifically, running their site through Qualys' SSL checks ( https://www.ssllabs.com/ssltest/analyze.html?d=ubs.cardcenter.ch ), I see:
- the cert chain is incomplete (so the server has not deployed one or more of the intermediary certificates which chain it to the root certificate of the CA from which UBS got a certificate)
- the server only supports the following algorithms:
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS 256
4 of these 8 are marked "WEAK" by Qualys, and I can only assume that Firefox doesn't support any of these 8 - I don't see any entries in about:config for them. If I enable "insecure fallback" for the domain through about:config, NSS throws a "PR_END_OF_FILE_ERROR"...
Mark, can you double-check if I've missed something?
Group: firefox-core-security
Flags: needinfo?(mgoodwin)
Summary: SSL_ERROR_NO_CYPHER_OVERLAP → SSL_ERROR_NO_CYPHER_OVERLAP on https://ubs.cardcenter.ch
Comment 2•6 years ago
I think Mark is a bit busy, Franziskus, could you have a quick look? Thanks!
Flags: needinfo?(mgoodwin) → needinfo?(franziskuskiefer)
Comment 3•6 years ago
Firefox doesn't have any of those cipher suites enabled [1]. It's a pretty bad set of cipher suites. This looks like advocacy to me.
But given that UBS is not a small site we might have to talk again about enabling some of these (for example TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256).
[1] https://searchfox.org/mozilla-central/rev/a80651653faa78fa4dfbd238d099c2aad1cec304/security/manager/ssl/nsNSSComponent.cpp#1315
Component: Untriaged → Security: PSM
Flags: needinfo?(franziskuskiefer)
Product: Firefox → Core
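The overlap check that comments 1 and 3 carry out by hand, as an added example that is not part of the original bug thread: it parses the SSL Labs suite list quoted in comment 1 and intersects it with a client offer. The client list is a constructed sample (real IANA code points, but an assumption, not Firefox's list from the bug), and the function names are hypothetical.

```python
import re

# Server suites exactly as quoted from SSL Labs in comment 1.
SSLLABS_OUTPUT = """\
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS 256
"""

# ASSUMPTION: constructed client offer in preference order. The code points
# are real IANA values, but the selection is a sample for this example only.
CLIENT_OFFER = [
    (0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
    (0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    (0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"),
    (0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
    (0xC013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
    (0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"),
    (0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA"),
    (0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA"),
]

LINE = re.compile(r"^(TLS_\w+) \(0x([0-9a-f]+)\)(?: DH (\d+) bits)?( FS)? (\d+)$")

def parse_suites(text):
    """Map code point -> attributes for each SSL Labs suite line."""
    suites = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            name, code, dh_bits, fs, bits = m.groups()
            suites[int(code, 16)] = {
                "name": name, "bits": int(bits), "forward_secrecy": fs is not None,
                "dh_bits": int(dh_bits) if dh_bits else None,
            }
    return suites

def negotiate(client_codes, server_suites):
    """First client-preferred code point the server also supports, else None
    (no overlap: the handshake fails, as in SSL_ERROR_NO_CYPHER_OVERLAP)."""
    return next((c for c in client_codes if c in server_suites), None)

if __name__ == "__main__":
    server = parse_suites(SSLLABS_OUTPUT)
    offer = [code for code, _ in CLIENT_OFFER]
    print("overlap:", negotiate(offer, server))
    print("with 0x9e enabled:", hex(negotiate(offer + [0x9E], server)))
```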
Updated•6 years ago
Flags: needinfo?(dkeeler)
Comment 4•6 years ago
Looking at https://www.ssllabs.com/ssltest/analyze.html?d=ubs.cardcenter.ch this would have never worked with Firefox. So my vote would be for reaching out to them before enabling more DHE ciphersuites.
Component: Security: PSM → Desktop
Flags: needinfo?(dkeeler)
Product: Core → Tech Evangelism
Version: 63 Branch → unspecified
Comment 5•6 years ago
Site is ranked 23 in Switzerland, setting as needscontact.
Flags: needinfo?(astevenson)
Whiteboard: [needscontact]
Updated•6 years ago
Flags: needinfo?(astevenson)
Priority: -- → P1
Updated•6 years ago
Product: Tech Evangelism → Web Compatibility
Comment 6•5 years ago
See bug 1547409. Moving webcompat whiteboard tags to keywords.
Keywords: webcompat:needs-contact
Comment 12•3 years ago
Restricting commenting because this bug appears to have become a spam trap.
Restrict Comments: true
Comment 13•3 years ago
Site no longer active
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE