On Monday, 25 July 2016 21:08:49 CEST Martin Rex wrote: > I've just run into a weird interoperability problem with an (alleged) > cloudflare/nginx TLS server and my personal Firefox settings. > > https://regmedia.co.uk/2015/07/14/giant_weta_mike_locke_flicker_cc_20.jpg > > > Traditionally I have all TLS ciphersuites with ECDSA disabled through > about:config, but it seems that recently two new TLS ciphersuites were > added to FF, which caused complete loss of interop with regmedia.co.uk > for me with my existing configuration. (Loss of pictures&media on the > www.theregister.co.uk news site). > > specifically, after the FF update, this new TLS ciphersuite: > > security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256 (0xcc, 0xa9) > > was the only ECDSA cipher suite enabled in my Firefox 47.0.1, and this > kills connectivity (TLS handshake_failure alert) with regmedia.co.uk. > > It looks like a bug in the cloudflare/nginx cipher suites selection > algorithm, which appears to blindly go for ECDSA, even though there is > no actual ECDSA cipher suite available which the server supports.
could you post packet capture (pcap format, if possible) that shows that problem? -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
