Closed Bug 1582416 Opened 6 years ago Closed 6 years ago

SSL_ERROR_NO_CYPHER_OVERLAP in private browsing mode with tls v1.3

Categories

(Core :: Security: PSM, defect)

69 Branch
defect
Not set
normal


RESOLVED INVALID

People

(Reporter: sm145, Unassigned)

References

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0

Steps to reproduce:

I configured an Apache Tomcat (9.0.11) connector like this:
<Connector port="8081"
           protocol="HTTP/1.1"
           ...
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.3,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SH,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256, TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256" />

Actual results:

Accessing the page with Chrome and Safari works in normal mode and in private mode.
Accessing the page with Firefox (69) in normal mode is working.

BUT, with FF in private mode I get a Secure Connection Failed message with the error:
SSL_ERROR_NO_CYPHER_OVERLAP

If I remove the 5 new TLSv1.3 ciphers (TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256), then the page also loads, but uses TLSv1.2.

Expected results:

As without private mode, the page should load and TLSv1.3 should be used (or at least TLSv1.2).
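The report above turns on a property of TLS 1.3 that is easy to miss when reading a Tomcat `ciphers` attribute: TLS 1.3 cipher suites (the five names without a `_WITH_` part) are a separate list from the TLS 1.2 suites, and once both sides enable TLS 1.3, only that list decides whether there is any overlap. The following script is an added example, not code from the reporter or from Mozilla: it parses the connector's `ciphers` value as posted, splits it by protocol version, intersects each half with a client offer, and reports which versions could be negotiated at all. An empty result is the situation Firefox surfaces as SSL_ERROR_NO_CYPHER_OVERLAP. It also flags any suite name that does not end in a recognised hash suffix; the posted list contains one such name, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SH. The client-side suite sets are assumptions (the three TLS 1.3 suites NSS implements, plus a constructed short TLS 1.2 offer) and the client is assumed to enable both TLS 1.2 and TLS 1.3; none of that comes from the bug page.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the `ciphers` attribute from the Tomcat connector in the
# report, reproduced as posted (including the truncated ..._CBC_SH name and the
# stray space before TLS_AES_128_CCM_8_SHA256).
SERVER_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,"
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,"
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SH,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,"
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,"
    "TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,"
    " TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
)
# sslEnabledProtocols from the report.
SERVER_VERSIONS = {"TLSv1.3", "TLSv1.2"}

# Assumption (not from the bug page): the three TLS 1.3 suites NSS/Firefox implements.
CLIENT_TLS13: Set[str] = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}
# Constructed, deliberately short TLS 1.2 offer for the client side.
CLIENT_TLS12: Set[str] = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

# Standard suite names end in the handshake hash; anything else is suspect.
HASH_SUFFIX = re.compile(r"_(SHA|SHA256|SHA384)$")


def parse_cipher_attr(value: str) -> List[str]:
    """Split Tomcat's comma-separated `ciphers` attribute, dropping stray whitespace."""
    return [c.strip() for c in value.split(",") if c.strip()]


def is_tls13_suite(name: str) -> bool:
    """TLS 1.3 suites name only AEAD and hash, so they carry no `_WITH_` part."""
    return name.startswith("TLS_") and "_WITH_" not in name


def malformed_suites(names: List[str]) -> List[str]:
    """Names without a known hash suffix: a typo here is silently dropped by many servers."""
    return [n for n in names if not HASH_SUFFIX.search(n)]


def overlap_report(server_attr: str, client_tls13: Set[str],
                   client_tls12: Set[str]) -> Dict[str, List[str]]:
    """Per-version intersection of the server's configured suites with the client's offer."""
    suites = parse_cipher_attr(server_attr)
    server_tls13 = {s for s in suites if is_tls13_suite(s)}
    server_tls12 = {s for s in suites if not is_tls13_suite(s)}
    return {
        "tls13_overlap": sorted(server_tls13 & client_tls13),
        "tls12_overlap": sorted(server_tls12 & client_tls12),
        "malformed": malformed_suites(suites),
    }


def negotiable_versions(server_attr: str, server_versions: Set[str],
                        client_tls13: Set[str], client_tls12: Set[str]) -> List[str]:
    """Versions (highest first) the server enables and shares a suite for with a
    client assumed to enable both TLS 1.3 and TLS 1.2. An empty list is the
    condition Firefox reports as SSL_ERROR_NO_CYPHER_OVERLAP."""
    report = overlap_report(server_attr, client_tls13, client_tls12)
    versions = []
    if "TLSv1.3" in server_versions and report["tls13_overlap"]:
        versions.append("TLSv1.3")
    if "TLSv1.2" in server_versions and report["tls12_overlap"]:
        versions.append("TLSv1.2")
    return versions


def strip_tls13_suites(server_attr: str) -> str:
    """The reporter's second configuration: the same attribute minus the TLS 1.3 suites."""
    return ",".join(s for s in parse_cipher_attr(server_attr) if not is_tls13_suite(s))


if __name__ == "__main__":
    rep = overlap_report(SERVER_CIPHERS, CLIENT_TLS13, CLIENT_TLS12)
    print("TLS 1.3 overlap:", rep["tls13_overlap"])
    print("malformed names:", rep["malformed"])
    print("negotiable:", negotiable_versions(SERVER_CIPHERS, SERVER_VERSIONS,
                                             CLIENT_TLS13, CLIENT_TLS12))
    print("without TLS 1.3 suites:",
          negotiable_versions(strip_tls13_suites(SERVER_CIPHERS), SERVER_VERSIONS,
                              CLIENT_TLS13, CLIENT_TLS12))
```

Run against the posted configuration, the TLS 1.3 overlap is the three GCM/ChaCha20 suites (the two CCM suites are simply ignored by a client that does not offer them), so a no-overlap failure cannot be explained by the suite list itself; that is consistent with the report being closed once the error disappeared. Removing the five TLS 1.3 suites leaves only TLSv1.2 negotiable, which is exactly the reporter's second observation.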

Blocks: 1492361
Component: Untriaged → Security: PSM
Product: Firefox → Core

Can you run Firefox with the environment variable MOZ_LOG set to pipnss:4, connect to the site, and post the results here? Thanks! (also, a packet trace of the TLS handshake would be helpful)

Flags: needinfo?(sm145)

Sorry, it's now working after a complete restart of the system.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(sm145)
Resolution: --- → INVALID
