| Field | Value |
|---|---|
| Summary | www-client/firefox-24.7.0 - An error occurred during a connection to XXXXX. SSL peer selected a cipher suite disallowed for the selected protocol version. (Error code: ssl_error_cipher_disallowed_for_version) |
| Product | Gentoo Linux |
| Component | Current packages |
| Status | RESOLVED OBSOLETE |
| Severity | normal |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Alexander Hartner <gentoo> |
| Assignee | Mozilla Gentoo Team <mozilla> |
| CC | alexander, gentoo |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
| Attachments | Screenshot of error message |
Description: Alexander Hartner, 2014-08-04 18:42:42 UTC
emerge --info missing, please also provide a site that is failing.

Found some more details here: https://support.mozilla.org/en-US/questions/1011995

```
emerge --info firefox
Portage 2.2.8-r1 (default/linux/amd64/13.0, gcc-4.7.3, glibc-2.19-r1, 3.14.14-gentoo x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-3.14.14-gentoo-x86_64-Intel-R-_Core-TM-2_Duo_CPU_E8400_@_3.00GHz-with-gentoo-2.2
KiB Mem: 3940924 total, 53256 free
KiB Swap: 8388436 total, 8384856 free
Timestamp of tree: Mon, 04 Aug 2014 06:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash: 4.2_p45
dev-java/java-config: 2.2.0
dev-lang/python: 2.7.7, 3.3.5-r1
dev-util/cmake: 2.8.12.2-r1
dev-util/pkgconfig: 0.28-r1
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.12.4
sys-apps/sandbox: 2.6-r1
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.11.6, 1.12.6, 1.13.4
sys-devel/binutils: 2.23.2
sys-devel/gcc: 4.7.3-r1
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4.2-r1
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.13 (virtual/os-headers)
sys-libs/glibc: 2.19-r1
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp.swin.edu.au/gentoo ftp://ftp.swin.edu.au/gentoo"
LANG="en_AU"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync1.au.gentoo.org/gentoo-portage"
USE="X acl amd64 apache2 berkdb bzip2 cli courier cracklib crypt cups cxx dlz dri fortran gd gdbm geoip gif gpm iconv ipv6 java jpeg jpeg2k maildir mmx modules multilib ncurses nls nptl nsplugin opengl openmp pam pcre png postfix postgres readline sasl session spamassassin sse sse2 ssl tcpd tiff truetype unicode vhosts xml xml2 xpm zlib"
ABI_X86="64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx"
INPUT_DEVICES="evdev keyboard mouse"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-5"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_3"
RUBY_TARGETS="ruby19 ruby20"
USERLAND="GNU"
VIDEO_CARDS="intel"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

=================================================================
Package Settings
=================================================================

www-client/firefox-24.7.0 was built with the following:
USE="alsa dbus jit minimal -bindist -custom-cflags -custom-optimization -debug -gstreamer -libnotify (-pgo) -pulseaudio (-selinux) -startup-notification -system-cairo -system-icu -system-jpeg -system-sqlite -test -wifi" ABI_X86="64" LINGUAS="-af -ak -ar -as -ast -be -bg -bn_BD -bn_IN -br -bs -ca -cs -csb -cy -da -de -el -en_GB -en_ZA -eo -es_AR -es_CL -es_ES -es_MX -et -eu -fa -fi -fr -fy_NL -ga_IE -gd -gl -gu_IN -he -hi_IN -hr -hu -hy_AM -id -is -it -ja -kk -km -kn -ko -ku -lg -lt -lv -mai -mk -ml -mr -nb_NO -nl -nn_NO -nso -or -pa_IN -pl -pt_BR -pt_PT -rm -ro -ru -si -sk -sl -son -sq -sr -sv_SE -ta -ta_LK -te -th -tr -uk -vi -zh_CN -zh_TW -zu"
CFLAGS="-march=native -pipe -mno-avx"
CXXFLAGS="-march=native -pipe -mno-avx"
```

It looks like a site where this is happening is still needed? https://www.grubhub.com seems to reproduce it reliably for me.

https://www.grubhub.com recreates the problem for me.

Created attachment 382702 [details]
Screenshot of error message
https://www.grubhub.com recreates the issue for me even after setting security.ssl3.ecdhe_rsa_aes_256_sha to false in about:config. Maybe it is using a cipher other than ecdhe_rsa_aes_256_sha in this case. However the error message seems identical.

(In reply to Alexander Hartner from comment #7)
> https://www.grubhub.com recreates the issue for me [...]

That site is correctly displayed with =www-client/firefox-31.0 with a clean profile.

Could we promote v31 to stable, since v24 is having issues.

v31 is the next stable candidate, and it will be stabilized in a couple of weeks. However according to upstream's bugzilla ( https://bugzilla.mozilla.org/show_bug.cgi?id=1042520 ) there has been no movement on this issue and so it's likely to still be a problem, just on different sites. So at this point I'm not ready to consider this bug fixed with a FF31 stabilization.

Has anyone had issues with firefox-bin-24.7? Or is it just the from-source package?

PS - FF31 for me opens https://www.grubhub.com without issue, and I don't have a clean profile. Are there any other URLs that would be good to test?

(In reply to Ian Stakenvicius from comment #11)
> Has anyone had issues with firefox-bin-24.7 ? Or is it just the from-source
> package?

Same error here on https://www.grubhub.com with =www-client/firefox-bin-24.7.0

The same emerge run that upgraded me to firefox-24.7.0 also upgraded to dev-libs/nspr-4.10.6-r1 from 4.10.6 and dev-libs/nss=3.16.3 from 3.16. Downgrading just firefox to 24.6.0 did not fix the issue. Downgrading nspr and nss to the old versions, however, did. Perhaps this is actually an issue with nspr/nss? That would explain why FF31 fixes it for grubhub, I think?

(In reply to James Cline from comment #4)
> It looks like a site where this is happening is still needed?
>
> https://www.grubhub.com seems to reproduce it reliably for me.

Looks like this site allows only TLS 1.2. After changing security.tls.version.max from 1 (default) to 3 I'm able to open this site.

For more info see: http://kb.mozillazine.org/Security.tls.version.*

openssl also fails to connect using TLS 1.0:

```
$ openssl s_client -tls1 -connect www.grubhub.com:443
CONNECTED(00000003)
2948831504016:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:338:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1408451165
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
```

(In reply to Alexander Tsoy from comment #14)
> http://kb.mozillazine.org/Security.tls.version.*

Asterisk is a part of URL so you need to copy-paste it.

SSL 3.0 also works, but according to [1] ECDHE-RSA is not allowed for SSL 3.0. Probably firefox tries to negotiate SSL 3.0 session and fails because indeed "peer selected a cipher suite disallowed for the selected protocol version". Looks like a server misconfiguration.
```
$ openssl s_client -ssl3 -connect www.grubhub.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = TmZLN1jnwibD7qHi-gtt9btZLaQim3Nl, OU = GT73095724, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = *.grubhub.com
verify return:1
---
Certificate chain
 0 s:/serialNumber=TmZLN1jnwibD7qHi-gtt9btZLaQim3Nl/OU=GT73095724/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.grubhub.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgIDEeo8MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTQwNDA5MDQ0NTE5WhcNMTYwNzA5MTM0ODA2WjCBvDEpMCcGA1UEBRMgVG1a
TE4xam53aWJEN3FIaS1ndHQ5YnRaTGFRaW0zTmwxEzARBgNVBAsTCkdUNzMwOTU3
MjQxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg
KGMpMTMxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk
U1NMKFIpMRYwFAYDVQQDDA0qLmdydWJodWIuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAyQLgQcTGLNbtE/MZhi79VjSJu4v7YCRcOZ7NC1o4foPR
oIdTwZ5K/CwWonkD49q48YE8O3E361FD/MiMHd/sibj3Yn5Zl79Ja5Um2eT94Jeq
/Ug4jqZQJwEEVCu7cBfpmpZETIoC8UefLyGadclUXfwNvfIQ/i92b2khiihHoXNY
FiB8K+SDUMiv6fOxfenrxuCz/s0KpeRBQkCo4sbJCHa+IbWTMtYGS1MLJB7YCkqD
8nb1lmdB7YjDF0zTwb+kVDfJ7bGBb6ZmF7HnyNx7aFN/Af2kdFinAO0NzG+G8F+e
nz4ePs0HXKsJr99E6miXby1BpOxZQh4kmE1brzmg4QIDAQABo4IBtTCCAbEwHwYD
VR0jBBgwFoAUa2k9ahhCSt2PAmU5/TUkhniRFjAwDgYDVR0PAQH/BAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAlBgNVHREEHjAcgg0qLmdydWJo
dWIuY29tggtncnViaHViLmNvbTBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vcmFw
aWRzc2wtY3JsLmdlb3RydXN0LmNvbS9jcmxzL3JhcGlkc3NsLmNybDAdBgNVHQ4E
FgQUyj2JgVlzL9FQN61mN4c6Lx0NUX4wDAYDVR0TAQH/BAIwADB4BggrBgEFBQcB
AQRsMGowLQYIKwYBBQUHMAGGIWh0dHA6Ly9yYXBpZHNzbC1vY3NwLmdlb3RydXN0
LmNvbTA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3NsLWFpYS5nZW90cnVzdC5j
b20vcmFwaWRzc2wuY3J0MEwGA1UdIARFMEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsG
AQUFBwIBFiVodHRwOi8vd3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0G
CSqGSIb3DQEBBQUAA4IBAQBst3pdCIKLHhgZXLniSlh7Dfs19Kke9xraBjtSS621
9LDJWhcU9TtSRlWoUM+qNw+lq56hevXbN+b5BkY8P5U3+oTg8QU0DNXn8yUUELuT
xcOn9WMBV6fT4ZWWtZv+7Sbn04D3qzM75yyuvDfwgV0PVACXiJQ7Jas5Zq9Rbb05
0FpzLKz/MITG+sWgABDnYwY0RH6W98w5D5aoOjvhwTFBBqmC1z0opu7eYYKuOExg
9xTMyUOeUCJaoNm/vpK/8/9j/WogW3C6D0IHCPQFPTgUK71/HS8/C9bntCrllgWK
LWtAv+jZtuUXLK8AA25FcNRqEE1qBfdq6/NJw0+ASk9d
-----END CERTIFICATE-----
subject=/serialNumber=TmZLN1jnwibD7qHi-gtt9btZLaQim3Nl/OU=GT73095724/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.grubhub.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 2838 bytes and written 291 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: BCE0DDD58A393D08F1F2F45B47FB56464B5E5DAA5954DD80A121D2574ACB7AAE
    Session-ID-ctx:
    Master-Key: 70B78A01B00FA8AB0A875AD941998BCCE61E6B284934DA0C9188BB90B868415AE943954439D5AD6D7BBEF2DC8D4F982B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1408451423
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
```

[1] https://en.wikipedia.org/wiki/Transport_Layer_Security

Please ignore comments 14-16 and sorry for the noise.

This is not a bug in Firefox. This bug report should be closed as "Invalid".

A lot of web servers (like grubhub and my own, personal web server) disable support for TLS 1.0 because there are numerous security vulnerabilities related to the protocol.
Firefox 24.7.0 doesn't support TLS 1.1 or 1.2 by default, thus it tries to connect only on TLS 1.0 and fails. Firefox has supported TLS 1.1 and 1.2 for a while (before 24.7.0), but has only enabled it by default starting in version 27+ according to wikipedia: http://en.wikipedia.org/wiki/History_of_Firefox#Version_27

While we're stuck with Firefox 24.7.0, support for TLS 1.1 and 1.2 can manually be enabled by going to about:config and changing "security.tls.version.max" to 3.

P.S. This is my first comment here. If I'm supposed to do something other than leave this comment, please let me know.

Starting out with your "first" comment and simply dismissing this as "Invalid" is not a good start. The issue I raised was that we were able to access certain websites using older versions of firefox. We were also able to access the same websites using newer versions of firefox (however these have not been marked as stable on gentoo). The problem is that certain websites cannot be accessed using firefox 24.7 running on a fully patched gentoo installation.

I suspect the comments that the cause is not with firefox but with nspr are spot on.

(In reply to Alexander Hartner from comment #20)
> Starting out with your "first" comment and simply dismissing this as
> "Invalid" is not a good start. The issue I raised was that we were able to
> access certain websites using older versions of firefox. We were also able to
> access the same websites using newer versions of firefox (however these have
> not been marked as stable on gentoo). The problem is that certain websites
> cannot be accessed using firefox 24.7 running on a fully patched gentoo
> installation.

security.tls.version.max is 1 (TLS 1.0) by default in firefox-24 and 3 (TLS 1.2) by default in firefox-31. So firefox-24 connects to the server mentioned in comment 0 and https://www.grubhub.com/ using SSL 3.0. Firefox-31 connects to the same servers using TLS 1.2.

> I suspect the comments that the cause is not with firefox but with nspr are
> spot on.

Looks like newer versions of nspr are stricter and disallow more ciphers to use with SSL 3.0 (I suspect ECDHE-RSA). I'm not sure, so of course this may be a bug.

Err.. it's nss of course, not nspr.

I think I've found related commit, see [1]. It is included in >=nss-3.16.2

[1] http://hg.mozilla.org/projects/nss/rev/aa8e62e782f5

The problem persists in 24.8. I know there is a work-around for 24.7 and 24.8, however in 24.6 it was working. I was kind of hoping that the next version would depend on an updated version of nss.

Given the recently found POODLE vulnerability, would it be possible to stabilise a later version of FF other than 24. With ESRv31 and v33 both supporting TLS1.2 either would be a good candidate. Further SSLv3 will be turned off in FF34 (https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/)

The current stable version still supports SSLv3 which is now considered unsafe (I guess) but has issues with TLS1.2, which is the version a lot of people will be moving to.

I understand that the cause of this issue is outside of FF in the nss. Could we please include the people working on nss on this ticket.

The same issue seems to affect Thunderbird.

mozilla 24.x is EOS, and stabilization of 31.x will be performed as part of bug 525474. Marking as RESO/OBSOLETE even though I'm jumping the gun a little.
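The negotiation the comments above piece together (Firefox 24 offering at most TLS 1.0 via security.tls.version.max=1, the server answering with SSL 3.0 and an ECDHE-RSA suite, and nss >= 3.16.2 refusing that combination with ssl_error_cipher_disallowed_for_version) is modelled below as an added example. It is not code from this bug, from Firefox or from NSS. Assumptions: the server is a constructed stand-in that accepts only SSL 3.0 and TLS 1.2 and prefers ECDHE suites, like the one the openssl probes in the thread suggest; the per-suite minimum versions are the simplified rule that ECDHE suites need the TLS extensions SSL 3.0 lacks (RFC 4492) and SHA-256/GCM suites need TLS 1.2; and the server's real response to a TLS 1.0 ClientHello ("wrong version number") is not modelled, the server simply picks the highest version it shares with the client.

```python
"""Model of the TLS version / cipher-suite negotiation behind
ssl_error_cipher_disallowed_for_version.  Added example, not Firefox/NSS code."""
from dataclasses import dataclass

# Protocol versions as wire (major, minor) values, so tuples compare by age.
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
VERSION_NAME = {SSL3: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}

# Firefox security.tls.version.{min,max} pref values 0..3, as documented on
# the mozillazine page cited in the thread.
PREF_TO_VERSION = {0: SSL3, 1: TLS10, 2: TLS11, 3: TLS12}

# Lowest protocol version each suite may be negotiated under.  ECDHE suites
# need the supported-curves / point-formats extensions that SSL 3.0 does not
# carry (RFC 4492); SHA-256 and GCM suites are TLS 1.2-only (RFC 5246/5289).
# Assumption: this is the rule the stricter NSS enforces on the client side.
SUITE_MIN_VERSION = {
    "ECDHE-RSA-AES128-GCM-SHA256": TLS12,
    "ECDHE-RSA-AES256-SHA": TLS10,
    "ECDHE-RSA-AES128-SHA": TLS10,
    "AES256-SHA": SSL3,
}


class HandshakeError(Exception):
    pass


@dataclass
class Client:
    max_pref: int = 1                  # Firefox 24 default: TLS 1.0
    min_pref: int = 0                  # SSL 3.0
    strict_nss: bool = True            # >=nss-3.16.2 behaviour per the thread
    disabled: frozenset = frozenset()  # suites turned off via security.ssl3.* prefs


@dataclass
class Server:
    versions: frozenset   # protocol versions the server accepts
    preference: tuple     # cipher suites in server preference order


def select_version(client, server):
    """Server picks the highest version it supports inside the client's range."""
    lo, hi = PREF_TO_VERSION[client.min_pref], PREF_TO_VERSION[client.max_pref]
    common = [v for v in server.versions if lo <= v <= hi]
    if not common:
        raise HandshakeError("no common protocol version")
    return max(common)


def handshake(client, server):
    """Return (version name, suite) or raise HandshakeError with NSS-style text."""
    version = select_version(client, server)
    hi = PREF_TO_VERSION[client.max_pref]
    # ClientHello lists every enabled suite usable at the version the client offers.
    offered = [s for s in SUITE_MIN_VERSION
               if s not in client.disabled and SUITE_MIN_VERSION[s] <= hi]
    suite = next((s for s in server.preference if s in offered), None)
    if suite is None:
        raise HandshakeError("no common cipher suite")
    # The check that produces the error in this bug: the server chose a suite
    # that is illegal for the (lower) protocol version it also chose.
    if client.strict_nss and SUITE_MIN_VERSION[suite] > version:
        raise HandshakeError("ssl_error_cipher_disallowed_for_version")
    return VERSION_NAME[version], suite


# Constructed stand-in for the server probed with openssl in the thread:
# SSL 3.0 and TLS 1.2 accepted, ECDHE-RSA suites preferred.
SERVER = Server(frozenset({SSL3, TLS12}),
                ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA",
                 "ECDHE-RSA-AES128-SHA", "AES256-SHA"))


def simulate(max_pref=1, strict_nss=True, disabled=()):
    """One Firefox configuration against SERVER, summarised as a string."""
    client = Client(max_pref, 0, strict_nss, frozenset(disabled))
    try:
        version, suite = handshake(client, SERVER)
    except HandshakeError as err:
        return f"FAIL: {err}"
    return f"OK: {version} {suite}"


if __name__ == "__main__":
    print("firefox-24 + nss>=3.16.2:             ", simulate())
    print("firefox-24 + old nss:                  ", simulate(strict_nss=False))
    print("firefox-24, ecdhe_rsa_aes_256_sha off: ",
          simulate(disabled={"ECDHE-RSA-AES256-SHA"}))
    print("security.tls.version.max=3:            ", simulate(max_pref=3))
```

The third case reproduces comment #7: disabling security.ssl3.ecdhe_rsa_aes_256_sha alone does not help when the server simply falls through to another ECDHE suite, and the fourth reproduces the fix from comment #14, where raising the maximum to TLS 1.2 lets the server pick TLS 1.2 and the version check passes. Against a live server the thread's own `openssl s_client -ssl3`, `-tls1` and `-tls1_2` probes remain the authoritative test; the model only reproduces the outcomes reported here.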