Bug#766007: iceweasel: SSL error - cannot connect to certain servers

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 24 11:49:01 UTC 2014


On 10/23/2014 10:30 PM, Norbert Preining wrote:
> On Fri, 24 Oct 2014, Mike Hommey wrote:
>> If it is, you can try to go to about:config, and change
>> security.tls.version.min to 0.
> 
> Indeed, that made it work again .... thanks.

> Is it possible to have this only for *some* sites, I would prefer
> *not* to enable that globally.

i know of no way to do that in iceweasel.

> So, that does mean I should kick the web admins of that server?

yes, certainly, though i would suggest "nudge" rather than "kick" --
most people respond better to friendly/collaborative notes ("i want to
make sure i can access this web service securely, i'm sure you want that
too!") than to being attacked :)

The server definitely needs to be upgraded if it wants to interact with
modern clients.  Most of the modern browsers will be turning off SSLv3
support in the next few months:

  http://www.bit-tech.net/news/bits/2014/10/15/google-mozilla-sslv3/1

>> I would have expected a different error, though.
>> (ssl_error_no_cypher_overlap)
> 
> That happened without the -V ssl3:ssl3 command line

It's possible that this is an extension-intolerant SSLv3 server, which
would mean that it only works when no extensions were set at all.

If sslv3 is enabled in your client, then you're likely to see a fallback
dance happen, where a connection is retried without any extensions
whatever.  if sslv3 is not enabled, then the fallback dance will not
make it down to a "pure" extension-free SSLv3 clienthello, which maybe
means that the server will reject the clienthello entirely with some
separate message, distinct from "ssl_error_no_cypher_overlap".

	--dkg
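
The fallback behaviour described in the message above, as an added example that is not part of the original e-mail or of iceweasel/NSS code: a simplified model in which only the SSLv3 ClientHello omits the extensions block and a toy server rejects any hello that carries one. The helper names, the constructed hello bytes and the server model are assumptions made for illustration; the pref values follow security.tls.version.min (0 = SSLv3, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2).

```python
import struct

# security.tls.version.min/max pref value -> protocol version on the wire
PREF_TO_WIRE = {0: (3, 0), 1: (3, 1), 2: (3, 2), 3: (3, 3)}

def client_hello_body(version, with_extensions):
    """Build a minimal ClientHello body (constructed sample, handshake payload only)."""
    body = bytes(version) + bytes(32)            # client_version + random (zeros here)
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"   # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                          # one compression method: null
    if with_extensions:
        reneg = b"\xff\x01\x00\x01\x00"          # renegotiation_info with empty payload
        body += struct.pack("!H", len(reneg)) + reneg
    return body

def has_extensions(body):
    """Walk the fixed ClientHello fields; bytes left over are the extensions block."""
    pos = 2 + 32                                       # client_version + random
    pos += 1 + body[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
    pos += 1 + body[pos]                               # compression_methods
    return pos < len(body)

def intolerant_sslv3_server(body):
    """Toy model (assumption): the server accepts only extension-free hellos."""
    return not has_extensions(body)

def fallback_dance(version_min, version_max=3):
    """Retry from version_max down to version_min; only the SSLv3 hello has no extensions."""
    attempts = []
    for pref in range(version_max, version_min - 1, -1):
        body = client_hello_body(PREF_TO_WIRE[pref], with_extensions=(pref != 0))
        accepted = intolerant_sslv3_server(body)
        attempts.append((pref, has_extensions(body), accepted))
        if accepted:
            return True, attempts
    return False, attempts

if __name__ == "__main__":
    for vmin in (1, 0):
        connected, attempts = fallback_dance(vmin)
        print(f"security.tls.version.min={vmin}: connected={connected} {attempts}")
```

With the minimum at 1 every retry still carries extensions and is rejected; with the minimum at 0 the last retry is the extension-free SSLv3 hello, which this model server accepts.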
