Firefox 26+ no longer supports TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

RESOLVED INVALID

Status


Core
Security: PSM

People

(Reporter: David Balažic, Unassigned)

Tracking

({regression})

27 Branch
x86_64
Windows 7
regression

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 (Beta/Release)
Build ID: 20140127194636

Steps to reproduce:

see bug 950858 comment 21

When I access a certain intranet HTTPS site with FF 27.0 on Windows 7 64bit, I get:

Secure Connection Failed

An error occurred during a connection to server:8443. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

Using FF 26 crashes (bug 950858), while FF 25 (and older) works.

The site uses SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA and requires a client login.

Comment 1

Is the server using a certificate with a key that is 2048 bits or more? If not, it is likely that we're going to stop working with this site due to the small key.

What cipher suite are other browsers choosing?
Blocks: 934663
Component: Untriaged → Security: PSM
Keywords: regression
Product: Firefox → Core
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(david.balazic)
(Reporter)

Comment 2

4 years ago
Chrome says: Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Opera suggests: 168 bit 3-DES (DHE_DSS/SHA), but then when I approve the certificate it gives:

Secure connection: fatal error (40) from server. 

 https://server_name:8443/path/ 

 Failed to connect to server. The reason may be that the encryption methods supported by the server are not enabled in the security preferences. 

 Please note that some encryption methods are no longer supported, and that access will not be possible until the website has been upgraded to use strong encryption.


Firefox 25 uses SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA (112 bit keys).

The server key is DSA 1024 bits
Flags: needinfo?(david.balazic)
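To make the failure mode in this thread concrete, here is an added, self-contained simulation (not code from Firefox, NSS, or this report) of TLS 1.2 cipher-suite negotiation: a client that still offers TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (code point 0x0013) versus one that has dropped every DSS suite, both talking to a server that supports only that suite. The server either selects the suite in a ServerHello or returns the fatal handshake_failure alert (description 40, the "fatal error (40)" Opera reported above), which Firefox surfaces as ssl_error_no_cypher_overlap. The cipher-suite code points are the IANA values; the two client cipher lists are constructed for illustration and are not the exact lists any Firefox release shipped.

```python
"""Constructed example: TLS 1.2 cipher-suite negotiation with and without the
DHE_DSS 3DES suite. Not Firefox/NSS code; client lists are illustrative only."""
import struct

TLS12 = 0x0303
CT_HANDSHAKE, CT_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2
ALERT_FATAL, ALERT_HANDSHAKE_FAILURE = 2, 40

# IANA cipher-suite code points (RFC 5246 Appendix A.5, RFC 5289).
SUITES = {
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}


def record(content_type, body):
    """TLS record layer: type (1), version (2), length (2), fragment."""
    return struct.pack("!BHH", content_type, TLS12, len(body)) + body


def handshake(msg_type, body):
    """Handshake header: type (1), 24-bit length, body."""
    return struct.pack("!B", msg_type) + len(body).to_bytes(3, "big") + body


def build_client_hello(offered):
    """Minimal ClientHello: fixed zero random, empty session ID, null compression, no extensions."""
    suites = b"".join(struct.pack("!H", s) for s in offered)
    body = (struct.pack("!H", TLS12) + b"\x00" * 32 + b"\x00"
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")
    return record(CT_HANDSHAKE, handshake(HS_CLIENT_HELLO, body))


def parse_client_hello_suites(rec):
    """Return the cipher suites offered in a ClientHello record, in client preference order."""
    ctype, _version, rlen = struct.unpack("!BHH", rec[:5])
    assert ctype == CT_HANDSHAKE and rlen == len(rec) - 5
    hs = rec[5:]
    assert hs[0] == HS_CLIENT_HELLO
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                              # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]


def server_respond(client_hello, server_suites):
    """Pick the first suite in the server's preference order that the client also offered;
    with no overlap, send the fatal handshake_failure alert behind ssl_error_no_cypher_overlap."""
    offered = set(parse_client_hello_suites(client_hello))
    chosen = next((s for s in server_suites if s in offered), None)
    if chosen is None:
        return record(CT_ALERT, bytes([ALERT_FATAL, ALERT_HANDSHAKE_FAILURE]))
    body = struct.pack("!H", TLS12) + b"\x00" * 32 + b"\x00" + struct.pack("!HB", chosen, 0)
    return record(CT_HANDSHAKE, handshake(HS_SERVER_HELLO, body))


def describe(response):
    """Explain the server's reply the way a browser error page would."""
    if response[0] == CT_ALERT:
        level, desc = response[5], response[6]
        if level == ALERT_FATAL and desc == ALERT_HANDSHAKE_FAILURE:
            return "fatal alert 40 (handshake_failure): no cipher suite in common"
        return f"alert level={level} description={desc}"
    # record(5) + handshake header(4) + server_version(2) + random(32) + session_id_len(1)
    (suite,) = struct.unpack("!H", response[44:46])
    return f"ServerHello selected {SUITES.get(suite, hex(suite))}"


def negotiate(client_suites, server_suites):
    return describe(server_respond(build_client_hello(client_suites), server_suites))


# Server as described in the report: only the DHE_DSS 3DES suite.
SERVER_ONLY_DHE_DSS_3DES = [0x0013]
# Constructed client lists: an older client that still offers the DSS suite,
# and a newer one with every *_DSS_* suite removed.
OLD_CLIENT = [0xC02F, 0x0033, 0x002F, 0x0013, 0x000A]
NEW_CLIENT = [s for s in OLD_CLIENT if "_DSS_" not in SUITES[s]]

if __name__ == "__main__":
    print("old client:", negotiate(OLD_CLIENT, SERVER_ONLY_DHE_DSS_3DES))
    print("new client:", negotiate(NEW_CLIENT, SERVER_ONLY_DHE_DSS_3DES))
```

The only difference between the two runs is the presence of 0x0013 in the ClientHello; the server, having no other suite, can only answer the second client with an alert, which is exactly the symptom every duplicate of this bug describes.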

Comment 3

4 years ago
I am getting this error too.

https://www.citibank.com/us/citibusinessonline/
Secure Connection Failed
An error occurred during a connection to www.citibank.com. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

I have not yet talked to their support.

Comment 4

4 years ago
Same here https://fancyssl.hboeck.de/

Comment 5

4 years ago
Also happening when visiting BMO with security.tls.version.min set to 3.

Comment 6

4 years ago
Coming from bug "sec_error_invalid_key" which turned into "mozilla_pkix_error_inadequate_key_size" ( https://bugzilla.mozilla.org/show_bug.cgi?id=1084606 ), today after a beta update to FF34.0b3 I get the "ssl_error_no_cypher_overlap".

Updated

4 years ago
Duplicate of this bug: 1107375

Updated

4 years ago
Duplicate of this bug: 1107037
Changing the too generic summary.
Summary: ssl_error_no_cypher_overlap on a site → Firefox 26+ no longer supports TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Brian, do you think we need to add TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA back? (I don't.)
Flags: needinfo?(brian)
Everybody that came here due to an ssl_error_no_cypher_overlap error that isn't about the TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA cipher suite: please file a new bug. If you already filed a separate bug and it was marked as a duplicate of this bug, reopen the original bug or ask (you can needinfo?brian@briansmith.org) for it to be reopened.

Comment 11

No, I don't think we should add back TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA. Some Googlers have told me they've removed all DSS support from BoringSSL which means Chrome won't support it either.

Marking this INVALID, which is a too-harsh way of saying "works as intended".
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(brian)
Resolution: --- → INVALID
(In reply to Brian Smith (:briansmith, :bsmith, use NEEDINFO?) from comment #11)
> Some Googlers have told me they've removed all DSS support from BoringSSL which
> means Chrome won't support it either.

Oh, good to know. Filed bug 1107787.