Closed Bug 1638369 Opened 8 months ago Closed 8 months ago

Enable TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384 ciphersuites

Categories

(Core :: Security, defect, P1)

76 Branch
Desktop
Unspecified
defect

Tracking
VERIFIED FIXED
mozilla78
Tracking Status
relnote-firefox --- 78+
firefox78 --- verified

People

(Reporter: ksenia, Assigned: keeler)

References
Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

This was initially reported in https://github.com/webcompat/web-bugs/issues/52879

When visiting https://egov.ice.gov/sevis/ "Secure connection failed" message appears in Firefox, but not in other browsers. This error is intermittent and site loads sometimes.

Steps to reproduce:
Visit https://egov.ice.gov/sevis/ and observe the page

Expected:
Site loads

Actual:
"Secure Connection Failed" error page

I have the same problem with the same error when visiting https://www.netl.doe.gov/coal/tpg/coalfirst/DirectSupercriticalCo2
Chromium works perfectly, Firefox does not.

Assignee: nobody → dkeeler
Severity: -- → S2
Priority: -- → P1
Whiteboard: [psm-assigned]

We have evidence that some sites have disabled ciphersuites with SHA-1-based
MACs due to attacks against SHA-1 (disregarding the fact that these attacks
don't necessarily apply to HMAC-SHA-1) while still relying on RSA key exchange.
Before this patch, PSM did not enable any ciphersuites with RSA key exchange
and non-SHA-1-based MACs. Consequently, Firefox would be unable to connect to
these sites while other browsers would.
This patch enables TLS_RSA_WITH_AES_128_GCM_SHA256 and
TLS_RSA_WITH_AES_256_GCM_SHA384, which are the only two ciphersuites (other
than grease) that Chrome enables that Firefox did not (before this patch).
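
To make the compatibility gap in the commit message concrete, here is an added Python model (not Mozilla's or NSS's code) that classifies IANA ciphersuite names by key exchange and MAC and shows why a client with no RSA-key-exchange/SHA-2 suites cannot negotiate with a server that dropped every SHA-1 suite but kept only RSA key exchange. The suite lists are constructed for illustration and are not Firefox's or Chrome's real tables.

```python
import re

# Constructed suite lists for illustration only; they are not the real
# Firefox or Chrome tables, just enough to model the situation in this bug.
TLS13 = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]
FIREFOX_BEFORE = TLS13 + [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",   # RSA key exchange, HMAC-SHA-1
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]
FIREFOX_AFTER = FIREFOX_BEFORE + [   # the two suites this bug enables
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]
# A TLS 1.2-only server that dropped every *_SHA suite but kept RSA key exchange.
SERVER = ["TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"]

SUITE_RE = re.compile(
    r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<hash>SHA(?:256|384)?|MD5)$")

def classify(name):
    """Return (key_exchange, forward_secret, sha1_mac) for an IANA suite name."""
    if "_WITH_" not in name:              # TLS 1.3 suites: always (EC)DHE, AEAD
        return "TLS1.3", True, False
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised ciphersuite name: {name}")
    kx = m.group("kx")
    # For CBC suites the trailing hash is the HMAC; for AEAD (GCM/CCM/CHACHA20)
    # suites it only names the PRF hash. A bare "SHA" means HMAC-SHA-1.
    return kx, kx.startswith(("ECDHE", "DHE")), m.group("hash") == "SHA"

def diagnose(client, server):
    """Pick the first suite both sides offer (server order) or explain the failure."""
    common = [s for s in server if s in client]
    if common:
        return {"ok": True, "suite": common[0]}
    server_kx = sorted({classify(s)[0] for s in server})
    # Forward-secret TLS 1.2 suites the client already offers: the fix belongs
    # on the server side (enable ECDHE), not in the client.
    fix = [s for s in client if classify(s)[1] and "_WITH_" in s]
    return {"ok": False, "server_kx": server_kx, "enable_on_server": fix}

if __name__ == "__main__":
    for label, client in (("before", FIREFOX_BEFORE), ("after", FIREFOX_AFTER)):
        print(label, diagnose(client, SERVER))
```

Running it shows the "before" client with no common suite (the handshake fails, which the user sees as "Secure Connection Failed") and the "after" client negotiating TLS_RSA_WITH_AES_256_GCM_SHA384; the `enable_on_server` list is what a site operator should turn on to get forward secrecy instead of relying on the RSA suites.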

:mt, we wanted to give you a heads-up that we suspect a blanket order to disable SHA-1 has resulted in a compatibility situation for Firefox that we're addressing by enabling TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384. Our hypothesis is that these sites are using RSA key exchange, disabled any ciphersuites with SHA-1-based MACs, and didn't bother to switch to better key exchange algorithms. Since Firefox doesn't enable any RSA key exchange ciphersuites that don't also have SHA-1-based MACs, we can't connect, while other browsers can. Let me know if you have any questions/concerns. Thanks!

Flags: needinfo?(mt)

Thanks for the heads up.

Yes, when people do silly things like this you end up with silly results. HMAC-SHA-1 isn't exactly awe-inspiring now, but it isn't broken in the same way that SHA-1 is, but we get people disabling it anyway without thinking. Or testing.

Technically, sites that don't support TLS_RSA_WITH_AES_128_CBC_SHA are non-compliant with the TLS 1.2 spec. And these suites are 1.2-only, so they are clearly busted. But "technically" isn't a great reason to have people stuck, I guess, and they are better than TLS_RSA_WITH_AES_128_CBC_SHA in several ways.

This seems like something we should try to uplift to Beta if we get the opportunity. That is, if there is a new build this can ride along with.

Flags: needinfo?(mt)
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5a7f6e78b0bb
enable some TLS ciphersuites with SHA-2-based MACs for compatibility r=jcj,kjacobs
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
Flags: qe-verify+

Is this worth uplifting to the 68 ESR?

I wouldn't argue strongly for it, given that we're releasing ESR 78 soon.

Confirmed the issue once with 78.0a1 (2020-05-14-09) after several attempts.
Can mark as verified: after checking with 78.0b7, no issues occurred with the page load.

Status: RESOLVED → VERIFIED
Flags: qe-verify+

Release Note Request (optional, but appreciated)
[Why is this notable]: Goes hand-in-hand with https://bugzilla.mozilla.org/show_bug.cgi?id=1496639#c21, but we're exchanging these ciphersuites for the DHE ones that could have a compatibility impact.
[Affects Firefox for Android]: Yes
[Suggested wording]: To mitigate web compatibility issues from disabling DHE-based TLS ciphersuites, Firefox 78 enables two more AES-GCM SHA2-based ciphersuites.

relnote-firefox: --- → ?
Summary: Intermittent PR_CONNECT_RESET_ERROR Secure connection failed error when visiting https://egov.ice.gov/sevis/ → Enable TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384 ciphersuites

added to the 78 release notes draft