Re: Sites which fail with tls 1.0

2014-02-05 Thread cloos
Brian Smith br...@briansmith.org writes:

> Thanks for replying. I am not sure about how SM works but I would
> expect it to work like Firefox in this aspect.

So did I; but even with 2.24pre1 (same gecko as ff27) it does not.

I'll grep thru the src for differences, and open a bugz.

> Understood. Next week Firefox 27 will be released and I think SM will
> be released around the same time. I would appreciate hearing whether
> or not you are having the same issues in Firefox 27 or SM 27.

sm 2.24pre1 is the same.  Except of course that the default max vers is
now 3, so that site now requires an explicit prefs setting.

Is the retry logic in nss or in mozilla-central?  And if the latter,
can anyone help narrow the search?  I didn't find anything relevant
in comm-central.

Thanks,

-JimC
--
James Cloos cl...@jhcloos.com OpenPGP: 1024D/ED7DAEA6
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: Sites which fail with tls 1.0

2014-02-05 Thread Brian Smith
On Wed, Feb 5, 2014 at 5:39 PM,  cl...@jhcloos.com wrote:
> Is the retry logic in nss or in mozilla-central?  And if the latter,
> can anyone help narrow the search?  I didn't find anything relevant
> in comm-central.

It is in mozilla-central, in
security/manager/ssl/src/nsNSSIOLayer.cpp. See these bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=839310
https://bugzilla.mozilla.org/show_bug.cgi?id=945195

Cheers,
Brian
-- 
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)


Re: Sites which fail with tls 1.0

2014-01-28 Thread Julien Vehent

On 2014-01-27 17:22, cl...@jhcloos.com wrote:

> In case anyone is keeping a list, while helping a relative I determined
> that timewarnercable.com's login server (wayfarer.timewarnercable.com)
> will not work with tls 1.1 or 1.2.  The connection fails right after
> the client hello.

A small number of sites have bad security settings. Here's some stats.

Supported Protocols      Count    Percent
--------------------+---------+---------
SSL2                     85447    18.9264
SSL2 Only                   38     0.0084
SSL3                    449864    99.6443
SSL3 Only                 4443     0.9841
TLS1                    446575    98.9158
TLS1 Only                  736     0.163
TLS1.1                  145266    32.1762
TLS1.1 Only                  1     0.0002
TLS1.2                  149921    33.2073
TLS1.2 Only                  5     0.0011
TLS1.2 but not 1.1       11888     2.6332

> I had to set security.tls.version.max to 1 to get ff (26) or sm (2.23)
> to get her (relevant) profile to log in to their site.

Are you saying that the default settings were failing entirely, and you had
to force tls1 for this site?

> [Side note:  +\inf on the concept of profiles; one of Gecko's most
>  important features!]
> -JimC
> --
> James Cloos cl...@jhcloos.com OpenPGP: 1024D/ED7DAEA6

- Julien


Re: Sites which fail with tls 1.0

2014-01-28 Thread cloos
Julien Vehent jul...@linuxwall.info writes:

> I had to set security.tls.version.max to 1 to get ff (26) or sm (2.23)
> to get her (relevant) profile to log in to their site.

> Are you saying that the default settings were failing entirely, and
> you had to force tls1 for this site?

I thought that profile had the default settings for security, since it
is used only for interacting with that one vendor.

But it seems not, since 1 is the default value for tls.version.max.

I must have enabled 1.1 for all of her profiles by adding the line to
the prefs.js files.

Chromium must have re-tried with 1.0, since it defaults to 1.2 when
connecting to my servers.

-JimC
-- 
James Cloos cl...@jhcloos.com OpenPGP: 1024D/ED7DAEA6


Re: Sites which fail with tls 1.0

2014-01-28 Thread Brian Smith
On Mon, Jan 27, 2014 at 2:22 PM,  cl...@jhcloos.com wrote:
> In case anyone is keeping a list, while helping a relative I determined
> that timewarnercable.com's login server (wayfarer.timewarnercable.com)
> will not work with tls 1.1 or 1.2.  The connection fails right after
> the client hello.

> I had to set security.tls.version.max to 1 to get ff (26) or sm (2.23)
> to get her (relevant) profile to log in to their site.

Hi,

What is the value of security.tls.version.min? It should have the
default value of 0. If not, could you please try again with
security.tls.version.min=0 and security.tls.version.max=3?

Also, could you try with Firefox 27 beta? Firefox 27 is supposed to be
released next week. The link to the beta version is here:
http://www.mozilla.org/en-US/firefox/beta/

When I try with Firefox Nightly, I find that we do fail to negotiate
TLS 1.2 and then we try TLS 1.1 and fail at that. But then we retry
with TLS 1.0 and that succeeds. I am curious why that is not happening
for you with Firefox 26, since Firefox 26 should have the retry logic
in it already.

Thank you very much for your help with this!

Cheers,
Brian
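The retry sequence Brian describes above (offer TLS 1.2, fail, offer TLS 1.1, fail, offer TLS 1.0, succeed), modelled as an added example that is not code from this thread, from Gecko or from NSS. The only thing taken from the real prefs is the encoding security.tls.version.min/max used at the time (0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2); the two server models, the function names and the "login server" that accepts only SSL 3.0 and TLS 1.0 ClientHellos are constructed for illustration of what JimC reports.

```python
# Added example, not code from the thread, Gecko or NSS: a model of the
# version-fallback behaviour driven by the two prefs
# security.tls.version.min / security.tls.version.max.
# The pref encoding 0=SSL 3.0, 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2 is the one
# Gecko used at the time; everything else here is constructed.

PREF_TO_VERSION = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}


def tolerant_server(server_max):
    """Constructed well-behaved server: whatever version the client offers,
    it negotiates the highest version both sides support."""
    def handshake(client_max):
        return min(client_max, server_max)
    return handshake


def intolerant_server(supported):
    """Constructed version-intolerant server, the behaviour JimC reports:
    if the ClientHello offers a version it does not know, it drops the
    connection instead of negotiating down."""
    def handshake(client_max):
        if client_max in supported:
            return client_max
        raise ConnectionError(
            "connection closed after ClientHello offering %s"
            % PREF_TO_VERSION[client_max])
    return handshake


def connect_with_fallback(handshake, version_min=0, version_max=3):
    """Offer version_max first; on a handshake failure, retry with the next
    lower version, stopping at version_min. Returns the negotiated version
    name (or None) and the list of (offered version, outcome) attempts."""
    if not 0 <= version_min <= version_max <= 3:
        raise ValueError("prefs must satisfy 0 <= min <= max <= 3")
    attempts = []
    for offered in range(version_max, version_min - 1, -1):
        try:
            negotiated = handshake(offered)
        except ConnectionError:
            attempts.append((PREF_TO_VERSION[offered], "failed"))
            continue
        attempts.append((PREF_TO_VERSION[offered], "ok"))
        return PREF_TO_VERSION[negotiated], attempts
    return None, attempts


if __name__ == "__main__":
    # The login server from the thread, modelled as accepting only
    # SSL 3.0 and TLS 1.0 ClientHellos (constructed).
    login_server = intolerant_server({0, 1})
    # Firefox 27 defaults (min=0, max=3): two failures, then TLS 1.0.
    print(connect_with_fallback(login_server, 0, 3))
    # JimC's workaround (max=1): TLS 1.0 is offered first, no retries.
    print(connect_with_fallback(login_server, 0, 1))
    # A well-behaved TLS 1.0 server needs no fallback at all.
    print(connect_with_fallback(tolerant_server(1), 0, 3))
```

The attempts list is what a packet capture of the real thing would show: a well-behaved server draws a single ClientHello, a version-intolerant one draws several with descending versions, which is a usable signature when checking whether a site is on this list. Because the retry is triggered by a plain connection failure, anything on the path that can reset the first connections can steer the client down to its version.min, which is why the min pref matters as much as the max.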


Sites which fail with tls 1.0

2014-01-27 Thread cloos
In case anyone is keeping a list, while helping a relative I determined
that timewarnercable.com's login server (wayfarer.timewarnercable.com)
will not work with tls 1.1 or 1.2.  The connection fails right after
the client hello.

I had to set security.tls.version.max to 1 to get ff (26) or sm (2.23)
to get her (relevant) profile to log in to their site.

[Side note:  +\inf on the concept of profiles; one of Gecko's most
 important features!]
-JimC
-- 
James Cloos cl...@jhcloos.com OpenPGP: 1024D/ED7DAEA6