Closed Bug 961418 Opened 12 years ago Closed 11 years ago

AMO Support for TLS 1.2 and Forward Secrecy

Categories

(Cloud Services :: Operations: Marketplace, task)

task
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gegard4321-bugzilla, Assigned: jason)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310

Steps to reproduce:
Go to https://www.ssllabs.com/ssltest/analyze.html?d=addons.mozilla.org

Actual results:
AMO site does not support TLS v1.2 and the preferred cipher is RC4 (undesirable) without Forward Secrecy (undesirable).

Expected results:
TLS 1.2 will be enabled by default in the coming Firefox release, so AMO should support it as well. Ciphers with Forward Secrecy should be preferred over those that do not have it, and RC4 should not be the preferred cipher. With TLS 1.2 enabled by default, BEAST will not be a problem, so there is no reason to use RC4. AES_GCM should be the preferred cipher. The same goes for marketplace.firefox.com.
Firefox 28 has already been released, so please make this a high priority.
Severity: normal → major
It would be great if someone could take a look at this.
Assignee: nobody → jthomas
Component: Public Pages → Server Operations: AMO Operations
Product: addons.mozilla.org → mozilla.org
QA Contact: oremj
Version: unspecified → other
Component: Server Operations: AMO Operations → Operations: Marketplace
Product: mozilla.org → Mozilla Services
QA Contact: oremj → operations-mkt
Thanks for the report. We recently upgraded our loadbalancer software and enabled TLS 1.2 for marketplace.firefox.com and addons.mozilla.org. We also made changes to the cipher suites listed below. Notable changes are that RC4 is disabled, and PFS ciphersuites are preferred on marketplace.firefox.com and enabled on addons.mozilla.org. AES GCM and other cipher suites are currently not supported by our LB. As support is added we will include them in the configuration.

./cipherscan marketplace.firefox.com
......
prio  ciphersuite          protocols                      pfs_keysize
1     DHE-RSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2    DH,1024bits
2     DHE-RSA-AES256-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2    DH,1024bits
3     AES128-SHA           TLSv1,TLSv1.1,TLSv1.2
4     AES256-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2
5     DES-CBC3-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2

./cipherscan addons.mozilla.org
......
prio  ciphersuite          protocols                      pfs_keysize
1     AES128-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2
2     AES256-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2
3     DHE-RSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2    DH,1024bits
4     DHE-RSA-AES256-SHA   SSLv3,TLSv1,TLSv1.1            DH,1024bits
5     DES-CBC3-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Thanks for your reply, good to see it has improved. I would still advise increasing the DH key size to 2048 bits or higher, and preferring PFS ciphersuites on addons.mozilla.org.
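The two cipherscan listings above, together with the expectations in the report (TLS 1.2 offered, RC4 gone, a forward-secrecy suite preferred, DH parameters of at least 2048 bits, AES-GCM available), can be turned into an automated check. The following script is an added example and not part of the bug or of cipherscan itself; it parses cipherscan-style output embedded inline (the two tables quoted in the comment above, reformatted one suite per line) and reports which of those expectations each host still misses. The `Suite` class, the `parse_cipherscan` and `assess` functions, and the `min_dh_bits` parameter are names chosen for this example.

```python
"""Check cipherscan-style output against the TLS expectations raised in the bug."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed input: the two listings quoted in the ops comment, one suite per line.
MARKETPLACE_SCAN = """\
prio ciphersuite protocols pfs_keysize
1 DHE-RSA-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
2 DHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
3 AES128-SHA TLSv1,TLSv1.1,TLSv1.2
4 AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
5 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
"""
ADDONS_SCAN = """\
prio ciphersuite protocols pfs_keysize
1 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
2 AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
3 DHE-RSA-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
4 DHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1 DH,1024bits
5 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
"""


@dataclass
class Suite:
    prio: int                    # server preference order, 1 = most preferred
    name: str                    # OpenSSL-style suite name, e.g. DHE-RSA-AES128-SHA
    protocols: Set[str]          # protocol versions the suite was negotiable under
    pfs_keysize: Optional[int]   # ephemeral key size in bits, None for non-PFS suites

    @property
    def is_pfs(self) -> bool:
        # Ephemeral Diffie-Hellman (finite-field or elliptic-curve) gives forward secrecy.
        return self.name.startswith(("DHE-", "ECDHE-"))


def parse_cipherscan(text: str) -> List[Suite]:
    """Parse 'prio ciphersuite protocols [pfs_keysize]' lines; skip header/noise lines."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        keysize = None
        if len(parts) >= 4:
            match = re.search(r"(\d+)bits", parts[3])   # "DH,1024bits" -> 1024
            keysize = int(match.group(1)) if match else None
        suites.append(Suite(int(parts[0]), parts[1], set(parts[2].split(",")), keysize))
    return suites


def assess(suites: List[Suite], min_dh_bits: int = 2048) -> List[str]:
    """Return human-readable findings for every expectation from the bug that is not met."""
    findings = []
    if not any("TLSv1.2" in s.protocols for s in suites):
        findings.append("TLS 1.2 not offered")
    if any("RC4" in s.name for s in suites):
        findings.append("RC4 still enabled")
    pfs_suites = [s for s in suites if s.is_pfs]
    if not pfs_suites:
        findings.append("no forward-secrecy suites enabled")
    elif not suites[0].is_pfs:
        findings.append(f"preferred suite {suites[0].name} lacks forward secrecy")
    weak = [s for s in pfs_suites if s.pfs_keysize is not None and s.pfs_keysize < min_dh_bits]
    if weak:
        findings.append(f"DH key size {weak[0].pfs_keysize} bits is below {min_dh_bits}")
    if not any("GCM" in s.name for s in suites):
        findings.append("no AEAD (AES-GCM) suites offered")
    return findings


if __name__ == "__main__":
    for host, scan in (("marketplace.firefox.com", MARKETPLACE_SCAN),
                       ("addons.mozilla.org", ADDONS_SCAN)):
        print(host)
        for finding in assess(parse_cipherscan(scan)) or ["all expectations met"]:
            print("  -", finding)
```

Run against the quoted listings, the script reports the 1024-bit DH parameters and the missing AES-GCM suites for both hosts, and additionally flags addons.mozilla.org for preferring a non-PFS suite, which matches the follow-up advice in this comment. Feeding it fresh cipherscan output after a configuration change is a quick way to confirm the change took effect before re-running a public scanner.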