crbug.com won't connect
Reported by c...@tenable.com, Mar 9 2016
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36

Steps to reproduce the problem:
1. go to crbug.com/137247
2.
3.

What is the expected behavior?
Redirected to the bug page

What went wrong?
This site can’t provide a secure connection
crbug.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Hide details

Did this work before? N/A

Chrome version: 49.0.2623.75 Channel: stable
OS Version: Fedora 22
Flash Version: Shockwave Flash 20.0 r0

Ciphers enabled in the browser:
Ciphers: cca9,cca8,cc14,cc13,c02b,c02f,c009,c013,9c,2f,0a

Ciphers SSL Labs reports for crbug.com:
Ciphers: 33,35,39

I'm not sure why the redirect can't just be served over HTTP, but when I tried that it just redirected me to HTTPS again. I eventually used longurl site to find the redirect URL so I could go there myself.
,
Mar 9 2016
,
Mar 9 2016
I have no plans to do that. The set of ciphers provided by crbug.com is outside the set of ciphers allowed by the browser and only 0x0035 is shared between crbug.com and bugs.chromium.org. This means that any browser that doesn't support 0x0035 can't use both sites.

https://www.ssllabs.com/ssltest/analyze.html?d=bugs.chromium.org&s=173.194.202.121

I'd suggest adding at least 0x009c to crbug.com if not all the ciphers supported by bugs.chromium.org.
,
Mar 9 2016
I believe you meant to link to https://www.ssllabs.com/ssltest/analyze.html?d=crbug.com

bugs.chromium.org has a perfectly reasonable set of ciphers. crbug.com's set is indeed rather silly.

Adding the Infra label. Infra folks, do you know who maintains that service?
,
Mar 9 2016
I linked to the site I meant. The list of ciphers to be added is listed on that page. Anyway, good luck finding whoever is in charge of that server. I hope this gets fixed soon.
,
Mar 10 2016
,
Mar 20 2016
Routing to infra-labs.
,
Mar 21 2016
,
Mar 21 2016
,
Mar 21 2016
I added TLS_RSA_WITH_AES_128_CBC_SHA (0x2f). I don't have access to TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) with our current firmware version.
,
Mar 21 2016
Thank you. You might also consider adding 0xa as a good fallback for older IE versions.
,
Mar 21 2016
friedman: What is that server running on that it can't even do AES-GCM? Is it not running on our usual serving infrastructure? On the TLS end, we consider anything that's not ECDHE with one of the AES-GCMs or CHACHA20_POLY1305 obsolete. Basically everything else is a legacy cipher with known weaknesses of some form or another.
,
Mar 22 2016
We'll be updating it soon. Most likely in April.
,
Apr 27 2016
,
Jun 24 2016
,
Jun 24 2016
,
Jul 1 2016
This is out of our hands now, but will be fixed in the next quarter I am told.
,
Jul 1 2016
Who will fix it? We should properly serve HSTS: https://crbug.com/624163
,
Jul 1 2016
Our netops team when they swap the hardware out. We do serve HSTS but I can update it to include all the features you want as well sooner. I'll take the linked bug since this one's main purpose is now fixed.
Comment 1 by mmenke@chromium.org, Mar 9 2016
Labels: Needs-Feedback
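
The cipher mismatch discussed in this thread, worked through as an added example (not code from the thread or from Chromium): it intersects the Chrome 49 list from the report with the crbug.com list before and after 0x2f was added, and grades the result by the "ECDHE with AES-GCM or CHACHA20_POLY1305" rule stated above. Server-side preference order and the position of 0x2f in the server list are assumptions; real negotiation also depends on protocol version and certificate type.

```python
# Names for the cipher-suite IDs quoted in the thread. 0xcc13/0xcc14 are the
# pre-standard ChaCha20-Poly1305 code points, labelled "(draft)" here.
NAMES = {
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCC14: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (draft)",
    0xCC13: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (draft)",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}

def parse_ids(text):
    """Parse a comma-separated hex list such as '33,35,39' into integers."""
    return [int(tok, 16) for tok in text.split(",")]

def shared(client, server):
    """Suites both sides support, in the server's order (assumed preference)."""
    offered = set(client)
    return [s for s in server if s in offered]

def negotiate(client, server):
    """First shared suite, or None when the handshake cannot proceed."""
    common = shared(client, server)
    return common[0] if common else None

def is_modern(suite):
    """The rule from the thread: ECDHE with AES-GCM or CHACHA20_POLY1305."""
    name = NAMES.get(suite, "")
    return "ECDHE" in name and ("GCM" in name or "CHACHA20_POLY1305" in name)

CHROME_49 = parse_ids("cca9,cca8,cc14,cc13,c02b,c02f,c009,c013,9c,2f,0a")
CRBUG_ORIGINAL = parse_ids("33,35,39")
CRBUG_AFTER_FIX = CRBUG_ORIGINAL + [0x2F]  # assumed: 0x2f appended last

def report(label, server):
    pick = negotiate(CHROME_49, server)
    if pick is None:
        return f"{label}: no shared suite -> ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
    grade = "modern" if is_modern(pick) else "legacy"
    return f"{label}: 0x{pick:04x} {NAMES[pick]} ({grade})"

if __name__ == "__main__":
    print(report("before", CRBUG_ORIGINAL))
    print(report("after", CRBUG_AFTER_FIX))
```
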