Since 121.0 security.tls.version.enable-deprecated=true leads to hung while connecting github.com
Categories
(Core :: Networking: DNS, defect)
Tracking
()
People
(Reporter: Alexander_Sergey, Unassigned)
References
Details
Attachments
(1 file)
|
181.36 KB,
image/png
|
Details |
firefox_140.png
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Steps to reproduce:
This bug was initially reported at https://github.com/webcompat/web-bugs/issues/131475
After upgrate to Firefox 121.0 I was not able to connect to https://github.com. Developer tools shows me that DNS resolution and Connection steps both takes about 3 minutes and often without success, as I think.
On release 120.0.1 there is no such problem.
Steps to reproduce:
- Open
about:config - Set
security.tls.version.enable-deprecatedtotrue - Go to https://github.com
Actual results:
Loading of github.com almost never ends up. On one machine sometimes I was able to connect to it, but mostly it ends up with PR_CONNECT_RESET_ERROR.
Expected results:
Since this setting only enables (as I think) some deprecated chipersutes, it should not affect sites that does not use them (I speculate that github.com does not use deprecated suites). At least, this setting does not create problems in 120.0.1, so I think this is regression.
|
||
Comment 1•6 months ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::Networking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
||
Comment 2•6 months ago
|
||
Hi, I can't reproduce with Firefox 121. Pinning down the change with mozregression could help, but handing over to Security::PMS, because this is likely TLS due to security.tls.version.enable-deprecated config.
|
||
Comment 3•6 months ago
|
||
Can you use the Firefox profiler (https://profiler.firefox.com/) to get a bit more insight? (be sure to select the socket thread and the dns resolver thread in custom settings)
|
||
Comment 4•6 months ago
|
||
Thank you for the report Alexander! Just to confirm what you've been able to test:
- Firefox 120 (clean profile) - Github.com works with
security.tls.version.enable-deprecatedset to true or false. - Firefox 121 (clean profile) - Github.com works with
security.tls.version.enable-deprecatedonly works if set to false.
Is that right? Have you been able to test 120 and 121 side by side on the same machine? If you are able, running mozregression as Manuel suggested would be very helpful to see if there's a particular commit which caused the problem.
Do you have access to a VPN or similar that you can use to repeat the test? Enabling deprecated ciphersuites changes your TLS fingerprint which some sites use for abuse detection purposes and it would be good check if the situation is any way specific to your IP or geographic location.
|
||
Updated•6 months ago
|
|
Reporter | |
Comment 5•6 months ago
|
||
First of all, I should apologise for incorrect info. This problem appeared not only in 120->121 upgrade, but also in ESR channel for 115.5.0esr->115.6.0esr (64-bit). The previous version is speculative and I get in from about:support update log.
Also, on this version GitHub is opened at the end, it just takes abnormally long time. I'll capture profiler traces from my Windows 11 Firefox 121 at weekend when I get my notebook. Firefox 121 was not able to open GitHub at all, at least at those times.
Dana, the profiles below from the 115.6.0esr from my Windows 7 machine when security.tls.version.enable-deprecated=true:
For the reference, the profile when security.tls.version.enable-deprecated=false:
All profiles includes opening https://github.com/ from a new tab.
Dennis, I try Firefox 120 at weekend and side by side with 121 as well. Could you show me where I can download Firefox 120? I was able to find Release Notes, but I do not see a download button for this specific version. All Firefox downloads link actually suggest to download only the latest version without ability to choice.
|
|
||
Comment 6•6 months ago
|
||
You can find old releases of Firefox here: https://archive.mozilla.org/pub/firefox/releases/
When you capture profiles, can you also include "ssl" in the custom thread settings? Thanks!
|
|
Reporter | |
Comment 7•6 months ago
|
||
What the setting? I do not see such setting:
I can enable all...
|
|
||
Comment 8•6 months ago
|
||
You can edit the field below where it says Add custom threads by name: (I don't know what it says in Russian - Google translate didn't come up with what's in that screenshot)
|
||
Comment 9•6 months ago
|
||
Experiencing the same issue 121.0.1 on the mac. Github works only with fresh profile until i've set false.
Actually, i can't even remember that i've ever changed it manually
|
|
Reporter | |
Comment 10•6 months ago
|
||
I repeated capture in 115.6.0esr from my Windows 7 machine with all threads captured (but I was unable to upload deprecated=true with hidden threads due to size, so probably it doesn't contain all threads. I unhide default set + DNS Resolver, Socket Thread and SSL threads):
security.tls.version.enable-deprecated=true(3m 36s without success): https://share.firefox.dev/4aPAhmCsecurity.tls.version.enable-deprecated=false(5.8s, success): https://share.firefox.dev/4aQPpQE
|
|
||
Comment 11•6 months ago
|
||
Thanks! Seems like a DNS issue.
|
||
Comment 12•6 months ago
|
||
I have the same issue with Firefox 78.11.0esr (64-bit) on Linux.
The problem occurred for the first time about 1–2 weeks ago. I have not performed any upgrade or configuration change (OS and/or web browser), so I am tending to think it was some DNS/TLS reconfiguration on GitHub web servers.
Switching security.tls.version.enable-deprecated=false does not solve the issue.
Also, I have Firefox 102.15.1esr (64-bit) on Windows 8.1: the issue is reproducible with setting security.tls.version.enable-deprecated to true (false by default).
|
|
||
Comment 13•5 months ago
|
||
(In reply to kiwi93872.ipoae from comment #12)
About two weeks ago the issue has disappeared mystically.
Still not sure if it was github-related, or some kind of (mis)configured DPI at the ISP level (as suggested here https://github.com/Feodor2/Mypal68/issues/348#issuecomment-1896466583).
|
||
Comment 14•3 months ago
|
||
Hey Alexander,
Based on the above comment, looks like the issue was resolved to a few users.
Do you still observe the issue?
|
|
||
Comment 15•3 months ago
|
||
(In reply to Sunil Mayya from comment #14)
Hey Alexander,
Based on the above comment, looks like the issue was resolved to a few users.
Do you still observe the issue?
github works on 124.0.2 with
security.tls.version.enable-deprecated=true
|
|
Reporter | |
Comment 16•3 months ago
|
||
Yes, at time of writing GitHub.com opens instantly even with security.tls.version.enable-deprecated=false in 115.9.1esr (64-bit).
Thank you for confirming.
Description
•