Bug 519070 - www-client/firefox-24.7.0 - An error occurred during a connection to XXXXX. SSL peer selected a cipher suite disallowed for the selected protocol version. (Error code: ssl_error_cipher_disallowed_for_version)
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Mozilla Gentoo Team
Reported: 2014-08-04 18:42 UTC by Alexander Hartner
Modified: 2014-10-18 03:53 UTC

Attachments
Screenshot of error message (Untitled.png,28.85 KB, image/png)
2014-08-12 03:18 UTC, Alexander Hartner

Description Alexander Hartner 2014-08-04 18:42:42 UTC
Since upgrading to 24.7.0 I am getting an error when accessing some HTTPS websites.

Quote:	
Secure Connection Failed

An error occurred during a connection to XXXXX. SSL peer selected a cipher suite disallowed for the selected protocol version. (Error code: ssl_error_cipher_disallowed_for_version)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.	

Here are the details of the ciphers configured on the server

Code:	
| Public Key type: rsa
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
Comment 1 Jory A. Pratt gentoo-dev 2014-08-05 02:56:06 UTC
emerge --info missing, please also provide a site that is failing.
Comment 2 Alexander Hartner 2014-08-05 10:08:50 UTC
Found some more details here:
https://support.mozilla.org/en-US/questions/1011995
Comment 3 Alexander Hartner 2014-08-05 10:11:14 UTC
emerge --info firefox
Portage 2.2.8-r1 (default/linux/amd64/13.0, gcc-4.7.3, glibc-2.19-r1, 3.14.14-gentoo x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-3.14.14-gentoo-x86_64-Intel-R-_Core-TM-2_Duo_CPU_E8400_@_3.00GHz-with-gentoo-2.2
KiB Mem:     3940924 total,     53256 free
KiB Swap:    8388436 total,   8384856 free
Timestamp of tree: Mon, 04 Aug 2014 06:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash:          4.2_p45
dev-java/java-config:     2.2.0
dev-lang/python:          2.7.7, 3.3.5-r1
dev-util/cmake:           2.8.12.2-r1
dev-util/pkgconfig:       0.28-r1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6, 1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.13 (virtual/os-headers)
sys-libs/glibc:           2.19-r1
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp.swin.edu.au/gentoo ftp://ftp.swin.edu.au/gentoo"
LANG="en_AU"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync1.au.gentoo.org/gentoo-portage"
USE="X acl amd64 apache2 berkdb bzip2 cli courier cracklib crypt cups cxx dlz dri fortran gd gdbm geoip gif gpm iconv ipv6 java jpeg jpeg2k maildir mmx modules multilib ncurses nls nptl nsplugin opengl openmp pam pcre png postfix postgres readline sasl session spamassassin sse sse2 ssl tcpd tiff truetype unicode vhosts xml xml2 xpm zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

=================================================================
                        Package Settings
=================================================================

www-client/firefox-24.7.0 was built with the following:
USE="alsa dbus jit minimal -bindist -custom-cflags -custom-optimization -debug -gstreamer -libnotify (-pgo) -pulseaudio (-selinux) -startup-notification -system-cairo -system-icu -system-jpeg -system-sqlite -test -wifi" ABI_X86="64" LINGUAS="-af -ak -ar -as -ast -be -bg -bn_BD -bn_IN -br -bs -ca -cs -csb -cy -da -de -el -en_GB -en_ZA -eo -es_AR -es_CL -es_ES -es_MX -et -eu -fa -fi -fr -fy_NL -ga_IE -gd -gl -gu_IN -he -hi_IN -hr -hu -hy_AM -id -is -it -ja -kk -km -kn -ko -ku -lg -lt -lv -mai -mk -ml -mr -nb_NO -nl -nn_NO -nso -or -pa_IN -pl -pt_BR -pt_PT -rm -ro -ru -si -sk -sl -son -sq -sr -sv_SE -ta -ta_LK -te -th -tr -uk -vi -zh_CN -zh_TW -zu"
CFLAGS="-march=native -pipe -mno-avx"
CXXFLAGS="-march=native -pipe -mno-avx"
Comment 4 James Cline 2014-08-11 01:05:46 UTC
It looks like a site where this is happening is still needed?

https://www.grubhub.com seems to reproduce it reliably for me.
Comment 5 Alexander Hartner 2014-08-12 03:15:11 UTC
https://www.grubhub.com recreates the problem for me.
Comment 6 Alexander Hartner 2014-08-12 03:18:00 UTC
Created attachment 382702
Screenshot of error message
Comment 7 Alexander Hartner 2014-08-12 03:23:23 UTC
https://www.grubhub.com recreates the issue for me even after setting security.ssl3.ecdhe_rsa_aes_256_sha to false in about:config. Maybe it is using a cypher other than ecdhe_rsa_aes_256_sha in this case. However the error message seems identical.
Comment 8 charles17 2014-08-12 10:06:37 UTC
(In reply to Alexander Hartner from comment #7)
> https://www.grubhub.com recreates the issue for me [...]

That site is correctly displayed with =www-client/firefox-31.0 with a clean profile.
Comment 9 Alexander Hartner 2014-08-12 11:44:43 UTC
Could we promote v31 to stable, since v24 is having issues?
Comment 10 Ian Stakenvicius (RETIRED) gentoo-dev 2014-08-12 13:58:38 UTC
v31 is the next stable candidate, and it will be stabilized in a couple of weeks.

However, according to upstream's bugzilla ( https://bugzilla.mozilla.org/show_bug.cgi?id=1042520 ) there has been no movement on this issue and so it's likely to still be a problem, just on different sites.  So at this point I'm not ready to consider this bug fixed with a FF31 stabilization.
Comment 11 Ian Stakenvicius (RETIRED) gentoo-dev 2014-08-12 14:00:18 UTC
Has anyone had issues with firefox-bin-24.7 ?  Or is it just the from-source package?

PS - FF31 for me opens https://www.grubhub.com without issue, and I don't have a clean profile.  Are there any other URLs that would be good to test?
Comment 12 charles17 2014-08-12 17:55:37 UTC
(In reply to Ian Stakenvicius from comment #11)
> Has anyone had issues with firefox-bin-24.7 ?  Or is it just the from-source
> package?

Same error here on https://www.grubhub.com with =www-client/firefox-bin-24.7.0
Comment 13 James Cline 2014-08-13 02:20:17 UTC
The same emerge run that upgraded me to firefox-24.7.0 also upgraded to dev-libs/nspr-4.10.6-r1 from 4.10.6 and dev-libs/nss=3.16.3 from 3.16.

Downgrading just firefox to 24.6.0 did not fix the issue. Downgrading nspr and nss to the old versions, however, did.

Perhaps this is actually an issue with nspr/nss? That would explain why FF31 fixes it for grubhub, I think?
Comment 14 Alexander Tsoy 2014-08-19 12:24:28 UTC
(In reply to James Cline from comment #4)
> It looks like a site where this is happening is still needed?
> 
> https://www.grubhub.com seems to reproduce it reliably for me.

Looks like this site allows only TLS 1.2. After changing security.tls.version.max from 1 (default) to 3 I'm able to open this site. For more info see:
http://kb.mozillazine.org/Security.tls.version.*
Comment 15 Alexander Tsoy 2014-08-19 12:26:40 UTC
openssl also fails to connect using TLS 1.0:

$ openssl s_client -tls1 -connect www.grubhub.com:443
CONNECTED(00000003)
2948831504016:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:338:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1408451165
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
Comment 16 Alexander Tsoy 2014-08-19 12:29:45 UTC
(In reply to Alexander Tsoy from comment #14)
> http://kb.mozillazine.org/Security.tls.version.*

Asterisk is a part of URL so you need to copy-paste it
Comment 17 Alexander Tsoy 2014-08-19 12:41:58 UTC
SSL 3.0 also works, but according to [1] ECDHE-RSA is not allowed for SSL 3.0. Probably firefox tries to negotiate SSL 3.0 session and fails because indeed "peer selected a cipher suite disallowed for the selected protocol version". Looks like a server misconfiguration.

$ openssl s_client -ssl3 -connect www.grubhub.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = TmZLN1jnwibD7qHi-gtt9btZLaQim3Nl, OU = GT73095724, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = *.grubhub.com
verify return:1
---
Certificate chain
 0 s:/serialNumber=TmZLN1jnwibD7qHi-gtt9btZLaQim3Nl/OU=GT73095724/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.grubhub.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
subject=/serialNumber=TmZLN1jnwibD7qHi-gtt9btZLaQim3Nl/OU=GT73095724/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.grubhub.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 2838 bytes and written 291 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: BCE0DDD58A393D08F1F2F45B47FB56464B5E5DAA5954DD80A121D2574ACB7AAE
    Session-ID-ctx: 
    Master-Key: 70B78A01B00FA8AB0A875AD941998BCCE61E6B284934DA0C9188BB90B868415AE943954439D5AD6D7BBEF2DC8D4F982B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1408451423
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---


[1] https://en.wikipedia.org/wiki/Transport_Layer_Security
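
Added example (not part of the original bug thread, and not NSS or nmap code): a check of the ssl-enum-ciphers output from the bug description for suites offered under a protocol version older than the one they are defined for, which is the condition the Firefox error reports. The name-based version mapping and all function names are assumptions made for illustration.

```python
import re

# Protocol labels in ascending order, as nmap's ssl-enum-ciphers prints them.
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Scan output copied from the bug description above (compressor lines dropped).
SCAN = """\
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|_  least strength: strong
"""

def min_version(suite):
    """Lowest protocol version a suite is defined for (name-based heuristic, an assumption)."""
    # AEAD and SHA-256/384 suites (RFC 5246, 5288, 5289) exist only in TLS 1.2 and later.
    if re.search(r"_(GCM|CCM)(_|$)|_SHA(256|384)$", suite):
        return "TLSv1.2"
    # ECC key exchange (RFC 4492) is specified for TLS, not for SSL 3.0.
    if re.match(r"TLS_ECDHE?_", suite):
        return "TLSv1.0"
    return "SSLv3"

def parse_enum_ciphers(text):
    """Return {protocol: [suite, ...]} from ssl-enum-ciphers output."""
    offered, current = {}, None
    for line in text.splitlines():
        body = line.lstrip("|_ ").strip()
        if re.fullmatch(r"(SSLv3|TLSv1\.[0-3]):", body):
            current = body[:-1]
            offered[current] = []
        elif current and (m := re.match(r"(TLS_[A-Z0-9_]+)\b", body)):
            offered[current].append(m.group(1))
    return offered

def disallowed(offered):
    """List (protocol, suite, minimum) for suites offered below their minimum version."""
    return [(proto, suite, min_version(suite))
            for proto, suites in offered.items() for suite in suites
            if ORDER.index(proto) < ORDER.index(min_version(suite))]

if __name__ == "__main__":
    for proto, suite, need in disallowed(parse_enum_ciphers(SCAN)):
        print(f"{suite} offered under {proto}, defined for {need} and later")
```

On the scan from the description this reports the single ECDHE-RSA suite listed under SSLv3, matching the suite negotiated in the `openssl s_client -ssl3` session above.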
Comment 18 Alexander Tsoy 2014-08-19 12:46:00 UTC
Please ignore comments 14-16 and sorry for the noise.
Comment 19 MisterDood 2014-08-29 04:26:10 UTC
This is not a bug in Firefox. This bug report should be closed as "Invalid".

A lot of web servers (like grubhub and my own, personal web server) disable support for TLS 1.0 because there are numerous security vulnerabilities related to the protocol. Firefox 24.7.0 doesn't support TLS 1.1 or 1.2 by default, thus it tries to connect only on TLS 1.0 and fails.

Firefox has supported TLS 1.1 and 1.2 for a while (before 24.7.0), but has only enabled it by default starting in version 27+ according to wikipedia: http://en.wikipedia.org/wiki/History_of_Firefox#Version_27

While we're stuck with Firefox 24.7.0, support for TLS 1.1 and 1.2 can manually be enabled by going to about:config and changing "security.tls.version.max" to 3.

P.S. This is my first comment here. If I'm supposed to do something other than leave this comment, please let me know.
Comment 20 Alexander Hartner 2014-09-03 08:19:19 UTC
Starting out with your "first" comment and simply dismissing this as "Invalid" is not a good start. The issue I raised was that we were able to access certain websites using older versions of firefox. We are also able to access the same websites using newer versions of firefox (however these have not been marked as stable on gentoo). The problem is that certain websites cannot be accessed using firefox 24.7 running on a fully patched gentoo installation.

I suspect the comments that the cause is not with firefox but with nspr are spot on.
Comment 21 Alexander Tsoy 2014-09-03 11:01:17 UTC
(In reply to Alexander Hartner from comment #20)
> Starting out with your "first" comment and simply dismissing this as
> "Invalid" is not a good start. The issue I raised was that we were able to
> access certain websites using older versions of firefox. We are also able to
> access the same websites using newer versions of firefox (however these have
> not been marked as stable on gentoo). The problem is that certain websites
> cannot be accessed using firefox 24.7 running on a fully patched gentoo
> installation.

security.tls.version.max is 1 (TLS 1.0) by default in firefox-24 and 3 (TLS 1.2) by default in firefox-31. So firefox-24 connects to the server mentioned in comment 0 and https://www.grubhub.com/ using SSL 3.0. Firefox-31 connects to the same servers using TLS 1.2.

> I suspect the comments that the cause is not with firefox but with nspr are
> spot on.

Looks like newer versions of nspr are stricter and disallow more ciphers for use with SSL 3.0 (I suspect ECDHE-RSA). I'm not sure, so of course this may be a bug.
Comment 22 Alexander Tsoy 2014-09-03 19:32:36 UTC
Err.. it's nss of course, not nspr. I think I've found the related commit, see [1]. It is included in >=nss-3.16.2

[1] http://hg.mozilla.org/projects/nss/rev/aa8e62e782f5
Comment 23 Alexander Hartner 2014-09-07 03:55:48 UTC
The problem persists in 24.8. I know there is a work-around for 24.7 and 24.8 however in 24.6 it was working. I was kind of hoping that the next version would depend on an updated version of nss.
Comment 24 Alexander Hartner 2014-10-15 06:28:33 UTC
Given the recently found Poodle vulnerability, would it be possible to stabilise a later version of FF other than 24? With ESRv31 and v33 both supporting TLS1.2 either would be a good candidate. Further, SSLv3 will be turned off in FF34 (https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/)

The current stable version still supports SSLv3 which is now considered unsafe (I guess) but has issues with TLS1.2, which is the version a lot of people will be moving to. 

I understand that the cause of this issue is outside of FF in the nss. Could we please include the people working on nss on this ticket?
Comment 25 Alexander Hartner 2014-10-15 07:25:08 UTC
The same issue seems to affect Thunderbird.
Comment 26 Ian Stakenvicius (RETIRED) gentoo-dev 2014-10-18 03:53:45 UTC
mozilla 24.x is EOS, and stabilization of 31.x will be performed as part of bug 525474.  Marking as RESO/OBSOLETE even though I'm jumping the gun a little.