Bug 961418
Opened 12 years ago
Closed 11 years ago
AMO Support for TLS 1.2 and Forward Secrecy
Categories
(Cloud Services :: Operations: Marketplace, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gegard4321-bugzilla, Assigned: jason)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310
Steps to reproduce:
Go to https://www.ssllabs.com/ssltest/analyze.html?d=addons.mozilla.org
Actual results:
AMO site does not support TLS v1.2 and the preferred cipher is RC4 (undesirable) without Forward Secrecy (undesirable).
Expected results:
TLS 1.2 will be enabled by default in the coming Firefox release, so AMO should support it as well. Ciphers with Forward Secrecy should be preferred over those that do not have it, and RC4 should not be the preferred cipher. With TLS 1.2 enabled by default, BEAST will not be a problem, so there is no reason to use RC4. AES_GCM should be the preferred cipher. The same goes for marketplace.firefox.com.
Comment 1 (Reporter) • 11 years ago
Firefox 28 has already been released, so please make this a high priority.
Updated (Reporter) • 11 years ago
Severity: normal → major
Comment 2 (Reporter) • 11 years ago
It would be great if someone could take a look at this.
Updated • 11 years ago
Assignee: nobody → jthomas
Component: Public Pages → Server Operations: AMO Operations
Product: addons.mozilla.org → mozilla.org
QA Contact: oremj
Version: unspecified → other
Updated • 11 years ago
Component: Server Operations: AMO Operations → Operations: Marketplace
Product: mozilla.org → Mozilla Services
QA Contact: oremj → operations-mkt
Comment 3 (Assignee) • 11 years ago
Thanks for the report. We recently upgraded our load balancer software and enabled TLS 1.2 for marketplace.firefox.com and addons.mozilla.org.
We also made changes to the cipher suites listed below. Notable changes are that RC4 is disabled, and PFS ciphersuites are preferred on marketplace.firefox.com and enabled on addons.mozilla.org.
AES GCM and other cipher suites are currently not supported by our LB. As support is added we will add them to the configuration.
./cipherscan marketplace.firefox.com
......
prio  ciphersuite         protocols                    pfs_keysize
1     DHE-RSA-AES128-SHA  SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
2     DHE-RSA-AES256-SHA  SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
3     AES128-SHA          TLSv1,TLSv1.1,TLSv1.2
4     AES256-SHA          SSLv3,TLSv1,TLSv1.1,TLSv1.2
5     DES-CBC3-SHA        SSLv3,TLSv1,TLSv1.1,TLSv1.2

./cipherscan addons.mozilla.org
......
prio  ciphersuite         protocols                    pfs_keysize
1     AES128-SHA          SSLv3,TLSv1,TLSv1.1,TLSv1.2
2     AES256-SHA          SSLv3,TLSv1,TLSv1.1,TLSv1.2
3     DHE-RSA-AES128-SHA  SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
4     DHE-RSA-AES256-SHA  SSLv3,TLSv1,TLSv1.1          DH,1024bits
5     DES-CBC3-SHA        SSLv3,TLSv1,TLSv1.1,TLSv1.2
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 4 (Reporter) • 11 years ago
Thanks for your reply, good to see it has improved.
I would still advise improving DH keysize to 2048 bits or higher, and prefer PFS ciphersuites on addons.mozilla.org.
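
The points raised in this bug (TLS 1.2 support, RC4, PFS preference, AES-GCM, DH key size) can be checked mechanically against cipherscan output. The following is an added example, not part of the bug thread or of cipherscan itself: it parses the table format shown in comment 3 and reports which of those points still apply. The finding labels and the `min_dh_bits` parameter are assumptions made for illustration, as is the handling of ECDH key-size fields, which do not appear on this page.

```python
import re

# cipherscan rows for addons.mozilla.org, copied from comment 3 above.
AMO_SCAN = """\
prio ciphersuite protocols pfs_keysize
1 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
2 AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
3 DHE-RSA-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
4 DHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits
5 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
"""

def parse_scan(text):
    """Parse cipherscan table rows into dicts ordered by server preference."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header, progress dots, blank lines
        # pfs_keysize is absent for non-PFS suites; "DH,1024bits" as on the page.
        m = re.fullmatch(r"(\w+),(?:.*,)?(\d+)bits", parts[3]) if len(parts) > 3 else None
        rows.append({
            "prio": int(parts[0]),
            "cipher": parts[1],
            "protocols": parts[2].split(","),
            "kx": m.group(1) if m else None,
            "bits": int(m.group(2)) if m else None,
        })
    return sorted(rows, key=lambda r: r["prio"])

def audit(rows, min_dh_bits=2048):
    """Return findings for the points raised in the description and comment 4."""
    findings = []
    if not any("TLSv1.2" in r["protocols"] for r in rows):
        findings.append("no-tls1.2")
    if any("RC4" in r["cipher"] for r in rows):
        findings.append("rc4-enabled")
    if rows and rows[0]["kx"] is None:
        findings.append("pfs-not-preferred")  # top-priority suite has no (EC)DHE
    if not any("GCM" in r["cipher"] for r in rows):
        findings.append("no-aes-gcm")
    weak = [r["cipher"] for r in rows if r["kx"] == "DH" and r["bits"] < min_dh_bits]
    if weak:
        findings.append("weak-dh:" + ",".join(weak))
    return findings

if __name__ == "__main__":
    print(audit(parse_scan(AMO_SCAN)))
```

For the addons.mozilla.org scan this reports the two items from comment 4 (PFS not preferred, 1024-bit DH) plus the missing AES-GCM suites that comment 3 attributes to the load balancer.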