Join the Mozilla’s Test Days event from 9–15 Jan to test the new Firefox address bar on Firefox Beta 135 and get a chance to win Mozilla swag vouchers! 🎁

Rechercher dans l’assistance

Évitez les escroqueries à l’assistance. Nous ne vous demanderons jamais d’appeler ou d’envoyer un SMS à un numéro de téléphone ou de partager des informations personnelles. Veuillez signaler toute activité suspecte en utilisant l’option « Signaler un abus ».

En savoir plus

firefox reports broken encryption TLS1.0 while server enforces TLSv1.2 and FF tls.version.min is set to 2

  • 7 réponses
  • 3 ont ce problème
  • 5 vues
  • Dernière réponse par marc_vd_meer

more options

both sslscan and testssl report the site to only offer TLSv1.2. Firefox security.tls.version.min config setting is set to 2 which I understand to disallow TLSv1.0 connections. Still when connecting to this site Firefox says "weak encryption, TLSv1.0 and a weak cipher, which is clearly incorrect. This is firefox 71.0 on Fedora 30.

both sslscan and testssl report the site to only offer TLSv1.2. Firefox security.tls.version.min config setting is set to 2 which I understand to disallow TLSv1.0 connections. Still when connecting to this site Firefox says "weak encryption, TLSv1.0 and a weak cipher, which is clearly incorrect. This is firefox 71.0 on Fedora 30.

Toutes les réponses (7)

more options

Same issue,

more options

Can you share the URL of the site?

Can you rule out a proxy server or other "man in the middle"? When there is an MITM, there are two connections: Firefox to MITM, MITM to site (this is how the MITM gets unencrypted access to your browsing).

more options

cannot share the link as this is an emulated local z/OS setup. This is why I know the server forces TLSv1.2 only (as I control the server). For sure there is no MITM possibility, as the client is FF on fedora 30, and the server is locally emulated z/OS (not connected to the internet) on the same Linux host.

more options

So if understand correctly:

  • You control the SSL configuration of the server
  • The server refuses to connect using any protocol other than TLS 1.2
  • Firefox is set to a minimum protocol of TLS 1.1 by setting security.tls.version.min = 2
  • Firefox says it retrieved the page using TLS 1.0

In case Firefox is providing information on a cached retrieval, could you flush the cache? See: How to clear the Firefox cache.

Otherwise, "that's impossible."

more options

What cipher suite is used ?

Does "Tools -> Page Info -> Security" or the Network Monitor give more information ?

You shouldn't get such a warning if you use TLS 1.2 with a strong cipher suite.

more options

This is what the server offers:

 Supported Server Cipher(s):

Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 1024 bits Accepted TLSv1.2 256 bits AES256-GCM-SHA384 Accepted TLSv1.2 256 bits AES256-SHA256 Accepted TLSv1.2 256 bits AES256-SHA Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits Accepted TLSv1.2 128 bits AES128-GCM-SHA256 Accepted TLSv1.2 128 bits AES128-SHA256 Accepted TLSv1.2 128 bits AES128-SHA

As you can see the preferred cipher is a strong cipher. I will flush my cache now as suggested in another response, although caching TLS session information would imho be a bad thing

more options

Flushing the cache has changed the message on page-info: now TLSv1.2 is indicated, although the server preferred cipher (see above) is not used. It might be the server (a WAS Liberty application) that caches the TLS session info. Thanks for the suggestions