Re: Issue accessing https://git.libssh.org
- Subject: Re: Issue accessing https://git.libssh.org
- From: Tilo Eckert <tilo.eckert@xxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Thu, 29 Jun 2017 10:54:12 +0200
- To: libssh@xxxxxxxxxx
On 28.06.2017 at 18:05, Andreas Schneider wrote:
> On Wednesday, 28 June 2017 15:40:00 CEST Tilo Eckert wrote:
>> On 28.06.2017 at 13:42, Andreas Schneider wrote:
>>> On Wednesday, 28 June 2017 12:43:14 CEST Tilo Eckert wrote:
>>>> Hi,
>>>
>>> Hi Tilo,
>>>
>>>> I am experiencing a re-occurring issue when accessing
>>>> https://git.libssh.org with Firefox. When requesting a page for the
>>>> first time after browser startup or after not accessing the site for a
>>>> while, I get an SSL error page with the error code
>>>> NS_ERROR_NET_INADEQUATE_SECURITY.
>>>>
>>>> Refreshing the page causes it to load successfully and I can navigate
>>>> the site. When idling on one page for a couple of minutes, the issue
>>>> reappears on the next page request.
>>>>
>>>> If the server is configured for HTTPS2, this post might be relevant:
>>>> https://support.mozilla.org/en-US/questions/1139019
>>>
>>> Thanks!
>>>
>>> Please retry.
>>
>> The issue still persists. I think the reason is that the cipher suite
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA is negotiated which is blacklisted in
>> HTTP/2. Firefox probably falls back to HTTP/1.1 when negotiation failed
>> for a recent previous request.
>
> Strange, I used the SSLCipherSuite line from https://icing.github.io/mod_h2/howto.html
>
> I don't see the issue with Firefox 52.0.2
>

This SSLCipherSuite?

> SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

It looks like you either did not specify "SSLHonorCipherOrder on" or your
SSLCipherSuite declaration is not used for some reason. The cipher order
presented by the server looks like the OpenSSL default configuration:
https://www.ssllabs.com/ssltest/analyze.html?d=git.libssh.org

The first cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 was added with
Firefox 49 (I am on 48). The next ciphers are CBC ciphers which are all
blacklisted for HTTP2, which explains the NS_ERROR_NET_INADEQUATE_SECURITY
error. What you should see is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the
most preferred cipher as defined in SSLCipherSuite.

This is what it looks like with the above SSLCipherSuite on our server:
https://www.ssllabs.com/ssltest/analyze.html?d=flam.de&s=144.76.236.9

Basically, the GCM ciphers should be at the top.

Hope this helps.
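Added example (not from this thread or the libssh project): a small Python check that reproduces the reasoning above by expanding an SSLCipherSuite string into IANA suite names, negotiating in server preference order as "SSLHonorCipherOrder on" would, and flagging whether the result is on the HTTP/2 cipher blacklist. It assumes a simplified form of the RFC 7540 rule (only ECDHE/DHE AEAD suites are acceptable) and a constructed Firefox-48-like client set that lacks AES_256_GCM_SHA384.

```python
import re

# Simplified HTTP/2 blacklist rule (RFC 7540 section 9.2.2, assumption for
# this example): only AEAD suites (GCM / ChaCha20-Poly1305) with ephemeral
# ECDHE or DHE key exchange are acceptable; every CBC suite is blacklisted.

def openssl_to_iana(name):
    """Translate the AES suite names used in SSLCipherSuite to IANA form."""
    m = re.fullmatch(r"(ECDHE|DHE)-(RSA|ECDSA|DSS)-AES(128|256)-(GCM-)?(SHA256|SHA384|SHA)", name)
    if not m:
        return None  # keywords such as kEDH+AESGCM or !RC4 are not single suites
    kx, auth, bits, gcm, mac = m.groups()
    return f"TLS_{kx}_{auth}_WITH_AES_{bits}_{'GCM' if gcm else 'CBC'}_{mac}"

def http2_blacklisted(iana):
    """True if an HTTP/2 client must refuse this suite (Firefox: NS_ERROR_NET_INADEQUATE_SECURITY)."""
    aead = "_GCM_" in iana or "CHACHA20_POLY1305" in iana
    ephemeral = iana.startswith(("TLS_ECDHE_", "TLS_DHE_"))
    return not (aead and ephemeral)

def server_order(ssl_cipher_suite):
    """Expand an SSLCipherSuite string into an ordered list of IANA names (unknown tokens skipped)."""
    out = []
    for tok in ssl_cipher_suite.split(":"):
        iana = openssl_to_iana(tok)
        if iana and iana not in out:
            out.append(iana)
    return out

def negotiated(order, client):
    """First server-preferred suite the client also offers (SSLHonorCipherOrder on)."""
    return next((s for s in order if s in client), None)

# Constructed client set: Firefox-48-like, no AES_256_GCM_SHA384 support.
FIREFOX48 = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
}
# Shortened form of the howto order quoted in the mail (GCM first).
HOWTO = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
         "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:!aNULL:!RC4")
# Constructed OpenSSL-default-like order: AES256-GCM first, then CBC suites.
DEFAULTISH = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256"

if __name__ == "__main__":
    for label, conf in (("howto", HOWTO), ("default-like", DEFAULTISH)):
        s = negotiated(server_order(conf), FIREFOX48)
        print(label, s, "-" if s is None else ("BLACKLISTED" if http2_blacklisted(s) else "ok"))
```

Running it shows the howto order negotiating AES_128_GCM_SHA256 (fine for HTTP/2) while the default-like order lands the Firefox-48-like client on AES_256_CBC_SHA, the blacklisted suite named in the mail.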