Closed Bug 1638369 Opened 2 years ago Closed 2 years ago

Enable TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384 ciphersuites


(Core :: Security, defect, P1)

76 Branch



Tracking Status
relnote-firefox --- 78+
firefox78 --- verified


(Reporter: ksenia, Assigned: keeler)




(Whiteboard: [psm-assigned])


(1 file)

This was initially reported in

When visiting "Secure connection failed" message appears in Firefox, but not in other browsers. This error is intermittent and site loads sometimes.

Steps to reproduce:
Visit and observe the page

Site loads

"Secure Connection Failed" error page

I have the same problem with the same error when visiting
Chromium works perfectly, Firefox does not.

Assignee: nobody → dkeeler
Severity: -- → S2
Priority: -- → P1
Whiteboard: [psm-assigned]

We have evidence that some sites have disabled ciphersuites with SHA-1-based
MACs due to attacks against SHA-1 (disregarding the fact that these attacks
don't necessarily apply to HMAC-SHA-1) while still relying on RSA key exchange.
Before this patch, PSM did not enable any ciphersuites with RSA key exchange
and non-SHA-1-based MACs. Consequently, Firefox would be unable to connect to
these sites while other browsers would.
This patch enables TLS_RSA_WITH_AES_128_GCM_SHA256 and
TLS_RSA_WITH_AES_256_GCM_SHA384, which are the only two ciphersuites (other
than grease) that Chrome enables that Firefox did not (before this patch).

:mt, we wanted to give you a heads-up that we suspect a blanket order to disable SHA-1 has resulted in a compatibility situation for Firefox that we're addressing by enabling TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384. Our hypothesis is that these sites are using RSA key exchange, disabled any ciphersuites with SHA-1-based MACs, and didn't bother to switch to better key exchange algorithms. Since Firefox doesn't enable any RSA key exchange ciphersuites that don't also have SHA-1-based MACs, we can't connect, while other browsers can. Let me know if you have any questions/concerns. Thanks!

Flags: needinfo?(mt)

Thanks for the heads up.

Yes, when people do silly things like this you end up with silly results. HMAC-SHA-1 isn't exactly awe-inspiring now, but it isn't broken in the same way that SHA-1 is, but we get people disabling it anyway without thinking. Or testing.

Technically, sites that don't support TLS_RSA_WITH_AES_128_CBC_SHA are non-compliant with the TLS 1.2 spec. And these suites are 1.2-only, so they are clearly busted. But "technically" isn't a great reason to have people stuck, I guess and they are better than TLS_RSA_WITH_AES_128_CBC_SHA in several ways.

This seems like something we should try to uplift to Beta if we get the opportunity. That is, if there is a new build this can ride along with.

Flags: needinfo?(mt)
Pushed by
enable some TLS ciphersuites with SHA-2-based MACs for compatibility r=jcj,kjacobs
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
Flags: qe-verify+

Is this worth uplifting to the 68 ESR?

I wouldn't argue strongly for it, given that we're releasing ESR 78 soon.

Confirmed the issue once with 78.0a1(2020-05-14-09) after several attempts.
Can mark as verified, after checking with 78.0b7 no issues occurred with the page-load.

Flags: qe-verify+

Release Note Request (optional, but appreciated)
[Why is this notable]: Goes hand-in-hand with, but we're exchanging these ciphersuites for the DHE ones that could have a compatibility impact.
[Affects Firefox for Android]: Yes
[Suggested wording]: To mitigate web compatibility issues from disabling DHE-based TLS ciphersuites, Firefox 78 enables two more AES-GCM SHA2-based ciphersuites.

relnote-firefox: --- → ?
Summary: Intermittent PR_CONNECT_RESET_ERROR Secure connection failed error when visiting → Enable TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384 ciphersuites

added to the 78 release notes draft

You need to log in before you can comment on or make changes to this bug.