Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL_ERROR_NO_CYPHER_OVERLAP on www.amtrak.com [enable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256] #489

Closed
classilla opened this issue Mar 20, 2018 · 2 comments
Closed

SSL_ERROR_NO_CYPHER_OVERLAP on www.amtrak.com [enable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256] #489

classilla opened this issue Mar 20, 2018 · 2 comments

Comments

@classilla
Copy link
Owner

Server ciphers from ssllabs.com:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) 
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK

We report

Spec
Cipher Suite Name
Key Size
Description
(c0,2b)
ECDHE-ECDSA-AES128-GCM-SHA256
128 Bit
Key exchange: ECDH, encryption: AES, MAC: SHA256.
(c0,2f)
ECDHE-RSA-AES128-GCM-SHA256
128 Bit
Key exchange: ECDH, encryption: AES, MAC: SHA256.
(c0,0a)
ECDHE-ECDSA-AES256-SHA
256 Bit
Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,09)
ECDHE-ECDSA-AES128-SHA
128 Bit
Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,13)
ECDHE-RSA-AES128-SHA
128 Bit
Key exchange: ECDH, encryption: AES, MAC: SHA1.
(c0,14)
ECDHE-RSA-AES256-SHA
256 Bit
Key exchange: ECDH, encryption: AES, MAC: SHA1.
(00,33)
DHE-RSA-AES128-SHA
128 Bit
Key exchange: DH, encryption: AES, MAC: SHA1.
(00,39)
DHE-RSA-AES256-SHA
256 Bit
Key exchange: DH, encryption: AES, MAC: SHA1.
(00,2f)
RSA-AES128-SHA
128 Bit
Key exchange: RSA, encryption: AES, MAC: SHA1.
(00,35)
RSA-AES256-SHA
256 Bit
Key exchange: RSA, encryption: AES, MAC: SHA1.
(00,0a)
RSA-3DES-EDE-SHA
168 Bit
Key exchange: RSA, encryption: 3DES, MAC: SHA1.
@classilla
Copy link
Owner Author

classilla commented Mar 20, 2018
edited
Loading

The easiest stopgap appears to be just to enable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for the time being, and then turn it off (or pref it off) when we get around to ChaCha20/Poly1305. It's already in NSS, it's just not enabled for the browser.

@classilla
Copy link
Owner Author

That appears to work. It's not superfast but site access functions normally.

@classilla classilla changed the title SSL_ERROR_NO_CYPHER_OVERLAP on www.amtrak.com SSL_ERROR_NO_CYPHER_OVERLAP on www.amtrak.com [enable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256] Mar 20, 2018
@classilla classilla mentioned this issue Oct 29, 2019
Closed
classilla added a commit that referenced this issue Jan 28, 2020
@classilla
revert #489 (#576): enable CHACHA20/POLY1305, remove TLS_ECDHE_RSA_WI…
581cb94 
…TH_AES_128_CBC_SHA256 as it is no longer needed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@classilla