Closed
Bug 593282
Opened 14 years ago
Closed 10 years ago
https://webmail.kabelbw.de uses a very weak (256-bit) Diffie-Hellman key for DHE_RSA SSL cipher suites.
Categories
(Tech Evangelism Graveyard :: German, defect)
Tech Evangelism Graveyard
German
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: Kuebler.Bernd, Assigned: wtc)
References
()
Details
(Keywords: regression)
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0b4) Gecko/20100818 Firefox/4.0b4 Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0b4) Gecko/20100818 Firefox/4.0b4 The site http://www.kabelbw.de/webmail can't be open with Firefox 4b4. No problem before with Firefox and with Internet Explorer. Error Code: ssl_error_rx_malformed_server_key_exch Reproducible: Always Steps to Reproduce: 1. got to url http://www.kabelbw.de/webmail 2. 3.
Comment 1•14 years ago
|
||
confirming with Seamonkey trunk but this could be a server issue
Status: UNCONFIRMED → NEW
Component: General → Security: PSM
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → psm
Summary: Kabelbw webmailer couldn't open the site → ssl_error_rx_malformed_server_key_exch
Version: unspecified → Trunk
Updated•14 years ago
|
Keywords: regression
Another server which proposes an extremely small DHE key (256 bits) in the SSL handshake. It identifies itself in the "Server" header as "Resin/3.0.12". (In reply to comment #0) > The site http://www.kabelbw.de/webmail can't be open with Firefox 4b4. No > problem before with Firefox and with Internet Explorer. Note that this http URL actually redirects to https://webmail.kabelbw.de/?l=de-DE&v=kabelbw.
Status: NEW → RESOLVED
Closed: 14 years ago
OS: Windows XP → All
Hardware: x86 → All
Resolution: --- → DUPLICATE
Comment 3•14 years ago
|
||
Server was behaving insecurely before FF 4b4, but FF wasn't detecting it until 4b4. Mozilla's solution for the next beta is to abandon forward secrecy. :(
Assignee | ||
Comment 4•14 years ago
|
||
Bernd: Thank you for the bug report. I'm going to use this bug report as a Technical Evangelism bug. Since you have a @kabelbw.de email address, are you an employee of Kabel BW? Or are you a customer of their Internet service? Can you help me forward the following message to the administrator of https://webmail.kabelbw.de? The server uses a very weak (256-bit) Diffie-Hellman key for DHE_RSA SSL cipher suites. To fix this server configuration problem, either - use a 1024-bit Diffie-Hellman key for the DHE_RSA SSL cipher suites, or - disable all DHE SSL cipher suites. The latter may be easier to do.
Assignee: nobody → wtc
Blocks: 583337
Status: RESOLVED → REOPENED
Component: Security: PSM → German
Product: Core → Tech Evangelism
QA Contact: psm → german
Resolution: DUPLICATE → ---
Summary: ssl_error_rx_malformed_server_key_exch → https://webmail.kabelbw.de uses a very weak (256-bit) Diffie-Hellman key for DHE_RSA SSL cipher suites.
Version: Trunk → unspecified
Assignee | ||
Comment 5•14 years ago
|
||
https://webmail.kabelbw.de/ has disabled all DHE SSL cipher suites. Marked the bug fixed.
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 6•14 years ago
|
||
Reopened the bug. The error is intermittent. Perhaps the website consists of multiple servers, and only some of them disabled DHE SSL cipher suites.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 7•14 years ago
|
||
This is the cipher suite list of a bad server of https://webmail.kabelbw.de/ captured by Qualys SSL Labs: SSL Report: webmail.kabelbw.de (213.46.255.23) Cipher Suites (sorted; server has no preference) TLS_RC4_128_EXPORT40_WITH_MD5 (0x20080) WEAK 40 TLS_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080) WEAK 40 TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK 40 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) WEAK 40 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK 40 TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14) WEAK 40 TLS_DES_64_CBC_WITH_MD5 (0x60040) WEAK 56 TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56 TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) WEAK 56 TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62) WEAK 56 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64) WEAK 56 TLS_RC4_128_WITH_MD5 (0x10080) 128 TLS_RC2_128_CBC_WITH_MD5 (0x30080) 128 TLS_RSA_WITH_RC4_128_MD5 (0x4) 128 TLS_RSA_WITH_RC4_128_SHA (0x5) 128 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) 128 TLS_DES_192_EDE3_CBC_WITH_MD5 (0x700c0) 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) 168 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) 256 This is the cipher suite list of a good server of https://webmail.kabelbw.de/ captured by Qualys SSL Labs: SSL Report: webmail.kabelbw.de (213.46.255.23) Cipher Suites (sorted; server has no preference) TLS_RSA_WITH_NULL_MD5 (0x1) INSECURE 0 TLS_RSA_WITH_NULL_SHA (0x2) INSECURE 0 TLS_RC4_128_EXPORT40_WITH_MD5 (0x20080) WEAK 40 TLS_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080) WEAK 40 TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) WEAK 40 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6) WEAK 40 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8) WEAK 40 TLS_DES_64_CBC_WITH_MD5 (0x60040) WEAK 56 TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56 TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62) WEAK 56 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64) WEAK 56 TLS_RC4_128_WITH_MD5 (0x10080) 128 TLS_RC2_128_CBC_WITH_MD5 (0x30080) 128 TLS_RSA_WITH_RC4_128_MD5 (0x4) 128 TLS_RSA_WITH_RC4_128_SHA (0x5) 128 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_DES_192_EDE3_CBC_WITH_MD5 (0x700c0) 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
Status: REOPENED → ASSIGNED
Comment 8•14 years ago
|
||
I've contacted them via email form
Comment 9•10 years ago
|
||
I can't reproduce it with latest Nightly, so I'm marking this bug as WORKSFORME. If you still can reproduce it, please reopen this bug.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago → 10 years ago
Resolution: --- → WORKSFORME
Comment 10•9 years ago
|
||
I've been using this version of SeaMonkey since it came out and today is the first time I've seen this error: An error occurred during a connection to pop.1and1.com:995. SSL received a malformed Server Key Exchange handshake message. (Error code: ssl_error_rx_malformed_server_key_exch) This mailbox worked fine half an hour ago, but just now I got this error multiple times when trying to check mail. My other mailbox on the same domain is working fine. Build identifier: Mozilla/5.0 (Windows NT 5.1; rv:8.0.1) Gecko/20111121 Firefox/8.0.1 SeaMonkey/2.5
Comment 11•9 years ago
|
||
(In reply to Rez from comment #10) > I've been using this version of SeaMonkey since it came out and today is the > first time I've seen this error: > > An error occurred during a connection to pop.1and1.com:995. > SSL received a malformed Server Key Exchange handshake message. > (Error code: ssl_error_rx_malformed_server_key_exch) > > This mailbox worked fine half an hour ago, but just now I got this error > multiple times when trying to check mail. > > My other mailbox on the same domain is working fine. > > Build identifier: Mozilla/5.0 (Windows NT 5.1; rv:8.0.1) Gecko/20111121 > Firefox/8.0.1 SeaMonkey/2.5 Can you still reproduce it with latest version of SeaMonkey with a clean fresh new profile without any addons and plugins?
Flags: needinfo?(rividh)
Comment 12•9 years ago
|
||
It reproduced every time I tried to access that mailbox until I restarted SM, then it went away and I haven't seen it again. I think it goes to show the bug is still here, but what triggers it? I'd never seen it before and I've been using SM since it was new, and I've had that mailbox since 2003. Might it only happen in response to a particular server glitch, or to an unstable connection? (My DSL likes to cut out regularly cuz the phone line is ****, but that's not new.) I don't have a lot of add-ons, and have not added or updated any in a long time. Well, if I see it again, I'll know where to report it. Will be installing a fresh version pretty soon, and I can break anything. :)
Flags: needinfo?(rividh)
Updated•9 years ago
|
Product: Tech Evangelism → Tech Evangelism Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•