Bug#727528: iceweasel: connection reset when connecting to CapitalOne login page using https
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Oct 24 20:21:16 UTC 2013
On 10/23/2013 09:27 PM, Bin Guo wrote:
> https://login.capitalone.com/
>
> would render a frame saying "The connection was reset", same if you
> directly connect to https://login.capitalone.com/
>
> CapitalOne site used to work fine with iceweasel, but failed later.
> For a while opera also failed, but now it's working again. Firefox
> in Windows also works fine.
I can confirm this failure to connect via TLS with iceweasel 24.

I can also successfully connect to this host with openssl and gnutls and
with chromium.

 openssl s_client -connect login.capitalone.com:443
 gnutls-cli login.capitalone.com
 chromium --temp-profile https://login.capitalone.com

Looking at the network traffic with wireshark, it looks like the TLS
server in question behaves differently when talking to each of these
clients.

In particular, the server's first response TCP packet diverges.

With the successful connections, the first response packet contains a
single TLS handshake record, of type "Server Hello" and the rest of the
TLS handshake proceeds normally.

When the connection is initiated from iceweasel, though, the server's
first response packet contains three TLS records in sequence:

 Server Hello, Change Cipher Spec, Encrypted Handshake Message

Subsequently, iceweasel sends two more TCP packets:

 Change Cipher Spec, Encrypted Handshake Message
 Application Data, Application Data

This gets a TCP ACK from the server followed by a TCP RST from the server.

It looks like it is doing this in response to the presence of the
next_protocol_negotiation (NPN) extension being sent from the client:

 https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04

which modifies the TLS handshake in exactly this way. I haven't plumbed
deeper into the connection to figure out why capitalone's web server is
resetting the connection in this case, though.

However, NPN appears to have been superseded by ALPN by rough consensus
within the IETF's TLS working group:

 https://www.imperialviolet.org/2013/03/20/alpn.html

Should NPN remain enabled within iceweasel?

--dkg
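
The comparison described in the message above can be repeated offline on saved TCP payloads. The following is an added example, not part of the original message: it labels the TLS records in one payload and lists the extension types in a ClientHello. The function names and the sample bytes are constructed for illustration; 13172 is the extension type number used by the NPN draft.

```python
import struct

CONTENT = {20: "Change Cipher Spec", 21: "Alert", 22: "Handshake", 23: "Application Data"}
HANDSHAKE = {1: "Client Hello", 2: "Server Hello", 11: "Certificate", 14: "Server Hello Done"}
NPN = 13172  # next_protocol_negotiation extension type (0x3374)

def tls_records(payload):
    """Split one TCP payload into (label, body) pairs, one per TLS record."""
    out, pos, encrypted = [], 0, False
    while pos + 5 <= len(payload):
        ctype, _version, length = struct.unpack_from("!BHH", payload, pos)
        body = payload[pos + 5:pos + 5 + length]
        if len(body) < length:            # record continues in the next segment
            out.append(("Truncated record", body))
            break
        label = CONTENT.get(ctype, "Unknown (%d)" % ctype)
        if ctype == 22 and encrypted:     # ciphertext: the type byte is not readable
            label = "Encrypted Handshake Message"
        elif ctype == 22 and body:
            label = HANDSHAKE.get(body[0], "Handshake (%d)" % body[0])
        elif ctype == 20:
            encrypted = True
        out.append((label, body))
        pos += 5 + length
    return out

def client_hello_extensions(hs):
    """Return the extension type numbers in a complete ClientHello handshake message."""
    pos = 4 + 2 + 32                                  # header, version, random
    pos += 1 + hs[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", hs, pos)[0]   # cipher_suites
    pos += 1 + hs[pos]                                # compression_methods
    if pos + 2 > len(hs):
        return []                                     # no extensions block
    end = min(len(hs), pos + 2 + struct.unpack_from("!H", hs, pos)[0])
    pos, types = pos + 2, []
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", hs, pos)
        types.append(etype)
        pos += 4 + elen
    return types

# Constructed sample bytes (not captured traffic): all-zero random, empty session id.
CLIENT_HELLO = bytes.fromhex("01000034" "0301" + "00" * 32 + "00" "0002002f" "0100"
                             "0009" "33740000" "ff01000100")
SERVER_FLIGHT = bytes.fromhex("160301002a" "02000026" "0301" + "00" * 32 + "00" "002f" "00"
                              "140301000101" "1603010024" + "00" * 36)
```

On the constructed samples, `tls_records(SERVER_FLIGHT)` yields the three-record sequence listed in the message, and `NPN in client_hello_extensions(CLIENT_HELLO)` shows whether a given client offered the extension.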