On 12/27/24 8:14 AM, Christopher Schultz wrote:

When you got Chrome working again, which cipher suite did it successfully negotiate? If you try in this configuration with Firefox, which cipher suite is successfully negotiated?

Dear Christopher:

At this time, switching them back to the "no keyAlias clause" configuration is a non-starter (maybe sometime Sunday).

But with the working configuration, Firefox reports "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys, TLS 1.2" and Chrome reports "TLS 1.2, ECDHE_RSA with P-256 and AES_128_GCM." (which *sounds* like a dumbed-down restatement of the same thing).

Again, with the working configuration, SSLLabs reports:

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS   WEAK   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   WEAK   128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits   FS   WEAK   128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits   FS   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   WEAK   128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   WEAK   256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits   FS   WEAK   256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits   FS   256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   256

and

Android 4.4.2   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp521r1   FS
Android 5.0.0   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1   FS
Android 6.0   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Android 7.0   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Android 8.0   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Android 8.1   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Android 9.0   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
BingPreview Jan 2015   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp521r1   FS
Chrome 49 / XP SP3   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Chrome 69 / Win 7  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Chrome 70 / Win 10   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Chrome 80 / Win 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Firefox 31.3.0 ESR / Win 7   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Firefox 47 / Win 7  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Firefox 49 / XP SP3   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Firefox 62 / Win 7  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Firefox 73 / Win 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Googlebot Feb 2018   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
IE 11 / Win 7  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1   FS
IE 11 / Win 8.1  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1   FS
IE 11 / Win Phone 8.1  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH secp256r1   FS
IE 11 / Win Phone 8.1 Update  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1   FS
IE 11 / Win 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
Edge 15 / Win 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
Edge 16 / Win 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
Edge 18 / Win 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
Edge 13 / Win Phone 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
Java 8u161   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1   FS
Java 11.0.3   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
Java 12.0.1   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
OpenSSL 1.0.1l  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp521r1   FS
OpenSSL 1.0.2s  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
OpenSSL 1.1.0k  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
OpenSSL 1.1.1c  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
Safari 6 / iOS 6.0.1   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1   FS
Safari 7 / iOS 7.1  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1   FS
Safari 7 / OS X 10.9  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1   FS
Safari 8 / iOS 8.4  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1   FS
Safari 8 / OS X 10.10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp256r1   FS
Safari 9 / iOS 9  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
Safari 9 / OS X 10.11  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
Safari 10 / iOS 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
Safari 10 / OS X 10.12  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
Safari 12.1.2 / MacOS 10.14.6 Beta  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
Safari 12.1.1 / iOS 12.3.1  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
Apple ATS 9 / iOS 9  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1   FS
Yahoo Slurp Jan 2015   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp384r1   FS
YandexBot Jan 2015   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp521r1   FS

I've saved a PDF of the relevant part of the SSLLabs report, so that I can compare it if I'm able to try the other configuration on Sunday.

--
JHHL
