X
Tap here to go to the mobile version of the site.

Support Forum

firefox reports broken encryption TLS1.0 while server enforces TLSv1.2 and FF tls.version.min is set to 2

Posted

both sslscan and testssl report the site to only offer TLSv1.2. Firefox security.tls.version.min config setting is set to 2 which I understand to disallow TLSv1.0 connections. Still when connecting to this site Firefox says "weak encryption, TLSv1.0 and a weak cipher, which is clearly incorrect. This is firefox 71.0 on Fedora 30.

both sslscan and testssl report the site to only offer TLSv1.2. Firefox security.tls.version.min config setting is set to 2 which I understand to disallow TLSv1.0 connections. Still when connecting to this site Firefox says "weak encryption, TLSv1.0 and a weak cipher, which is clearly incorrect. This is firefox 71.0 on Fedora 30.
Quote

Additional System Details

Installed Plug-ins

  • Shockwave Flash 32.0 r0

Application

  • User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0

More Information

yebikiy802 0 solutions 1 answers

Same issue,

Same issue[https://instaplusapk.com/ ,]
Was this helpful to you?
Quote
jscher2000
  • Top 10 Contributor
8878 solutions 72633 answers

Can you share the URL of the site?

Can you rule out a proxy server or other "man in the middle"? When there is an MITM, there are two connections: Firefox to MITM, MITM to site (this is how the MITM gets unencrypted access to your browsing).

Can you share the URL of the site? Can you rule out a proxy server or other "man in the middle"? When there is an MITM, there are two connections: Firefox to MITM, MITM to site (this is how the MITM gets unencrypted access to your browsing).
Was this helpful to you?
Quote

Question owner

cannot share the link as this is an emulated local z/OS setup. This is why I know the server forces TLSv1.2 only (as I control the server). For sure there is no MITM possibility, as the client is FF on fedora 30, and the server is locally emulated z/OS (not connected to the internet) on the same Linux host.

cannot share the link as this is an emulated local z/OS setup. This is why I know the server forces TLSv1.2 only (as I control the server). For sure there is no MITM possibility, as the client is FF on fedora 30, and the server is locally emulated z/OS (not connected to the internet) on the same Linux host.
Was this helpful to you?
Quote
jscher2000
  • Top 10 Contributor
8878 solutions 72633 answers

Helpful Reply

So if understand correctly:

  • You control the SSL configuration of the server
  • The server refuses to connect using any protocol other than TLS 1.2
  • Firefox is set to a minimum protocol of TLS 1.1 by setting security.tls.version.min = 2
  • Firefox says it retrieved the page using TLS 1.0

In case Firefox is providing information on a cached retrieval, could you flush the cache? See: How to clear the Firefox cache.

Otherwise, "that's impossible."

So if understand correctly: * You control the SSL configuration of the server * The server refuses to connect using any protocol other than TLS 1.2 * Firefox is set to a minimum protocol of TLS 1.1 by setting '''security.tls.version.min''' = 2 * Firefox says it retrieved the page using TLS 1.0 In case Firefox is providing information on a cached retrieval, could you flush the cache? See: [[How to clear the Firefox cache]]. Otherwise, "that's impossible."
Was this helpful to you? 1
Quote
cor-el
  • Top 10 Contributor
  • Moderator
17764 solutions 160655 answers

What cipher suite is used ?

Does "Tools -> Page Info -> Security" or the Network Monitor give more information ?

You shouldn't get such a warning if you use TLS 1.2 with a strong cipher suite.

What cipher suite is used ? Does "Tools -> Page Info -> Security" or the Network Monitor give more information ? You shouldn't get such a warning if you use TLS 1.2 with a strong cipher suite.
Was this helpful to you?
Quote

Question owner

This is what the server offers:

 Supported Server Cipher(s):

Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 1024 bits Accepted TLSv1.2 256 bits AES256-GCM-SHA384 Accepted TLSv1.2 256 bits AES256-SHA256 Accepted TLSv1.2 256 bits AES256-SHA Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits Accepted TLSv1.2 128 bits AES128-GCM-SHA256 Accepted TLSv1.2 128 bits AES128-SHA256 Accepted TLSv1.2 128 bits AES128-SHA

As you can see the preferred cipher is a strong cipher. I will flush my cache now as suggested in another response, although caching TLS session information would imho be a bad thing

This is what the server offers: Supported Server Cipher(s): Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 1024 bits Accepted TLSv1.2 256 bits AES256-GCM-SHA384 Accepted TLSv1.2 256 bits AES256-SHA256 Accepted TLSv1.2 256 bits AES256-SHA Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits Accepted TLSv1.2 128 bits AES128-GCM-SHA256 Accepted TLSv1.2 128 bits AES128-SHA256 Accepted TLSv1.2 128 bits AES128-SHA As you can see the preferred cipher is a strong cipher. I will flush my cache now as suggested in another response, although caching TLS session information would imho be a bad thing
Was this helpful to you?
Quote

Question owner

Flushing the cache has changed the message on page-info: now TLSv1.2 is indicated, although the server preferred cipher (see above) is not used. It might be the server (a WAS Liberty application) that caches the TLS session info. Thanks for the suggestions

Flushing the cache has changed the message on page-info: now TLSv1.2 is indicated, although the server preferred cipher (see above) is not used. It might be the server (a WAS Liberty application) that caches the TLS session info. Thanks for the suggestions
Was this helpful to you?
Quote
Ask a question

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.