[Bug 1661400] [NEW] Site ID gives false broken connections for TLS 1.3

B. C. Schmerker bcschmerker at yahoo.com
Thu Feb 2 21:53:24 UTC 2017 

Public bug reported:

User Agent: Mozilla 5.0 (X11; LinUX x86_64; rv:51.0) Gecko/20100101 Firefox/51.0.1
Build ID: 20170125172221

Steps to reproduce:

Opened HTML page https://www.cloudflare.com/; Opened Site Identity
Button

Reproducible:  Always

Actual Results:
www.cloudflare.com
Connection is Not Secure
! This page uses weak encryption.
->
  Your connection to this website uses weak encryption and is not private.
  ! Other people can view your information or modify the website's behavior.

Expected Results:
www.cloudflare.com
  Secure Connection
->
  Verified by: DigiCert, Inc.

---

The Gavin Lloyd Extension CipherFox (https://addons.mozilla.org/en-US/firefox/addon/cipherfox) reports the use of TLS 1.3 with AES 128 bits (TLS_AES_128_GCM_SHA256).  Reported certificates are:
Cloudflare, Inc.  ECC 256-bit SHA256.
DigiCert Inc:  ECC 384-bit SHA384.
DigiCert Inc:  RSA 2048-bit SHA1.

The Sibi Anthony Extension SSleuth (https://addons.mozilla.org/en-US-firefox/addon/ssleuth) reports the following for www.cloudflare.com:
Cipher Suite
TLS_AES_128_GCM_SHA256
Key exchange:  Unknown.  TLS 1.3
uthentication:  Unknown.  TLS 1.3
Bulk Cipher:  AES GCM 128 bits.  AEAD
HMAC: SHA-256.
Perfect Forward Secrecy:  Yes
SSL/TLS Version:  TLSv1.3
Connection Status:  Broken
  This page has either insecure content or a bad certificate.
Certificate
Extended validation:  No
Signature  SHA-256/ECDSA  bits.
Common name:  cloudflare.com
Issued to:  Cloudflare, Inc.
Issued by: DigiCert Inc
           www.digicert.com
Validity: [Redacted]
Fingerprint:  [Redacted]

In TLS 1.2 terms, expected data include a cipher suite
TLS_ECDHE_ECC_WITH_AES_128_GCM_SHA256 (reported as
TLS_AES_128_GCM_SHA256 pursuant to the IETF draft specification for TLS
1.3); and a certificate suite ECC_256_SHA256.  Recommend forward the
above information upstream to BugZilla.Mozilla.org, as this Bug
doubtless affects multiple users across platforms and operating systems.

---

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: firefox 51.0.1+build2-0ubuntu0.16.04.1
ProcVersionSignature: Ubuntu 4.8.0-34.36~16.04.1-generic 4.8.11
Uname: Linux 4.8.0-34-generic x86_64
AddonCompatCheckDisabled: False
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
AudioDevicesInUse:
 USER        PID ACCESS COMMAND
 /dev/snd/controlC0:  bcschmerker   2422 F.... pulseaudio
 /dev/snd/controlC1:  bcschmerker   2422 F.... pulseaudio
BuildID: 20170125172221
Channel: Unavailable
CurrentDesktop: Unity
Date: Thu Feb  2 13:49:04 2017
EcryptfsInUse: Yes
Extensions: extensions.sqlite corrupt or missing
ForcedLayersAccel: False
IfupdownConfig:
 # interfaces(5) file used by ifup(8) and ifdown(8)
 auto lo
 iface lo inet loopback
IncompatibleExtensions: Unavailable (corrupt or non-existant compatibility.ini or extensions.sqlite)
InstallationDate: Installed on 2016-03-27 (312 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Beta amd64 (20160323)
IpRoute:
 default via 192.168.1.1 dev enp4s0  proto static  metric 100 
 169.254.0.0/16 dev enp4s0  scope link  metric 1000 
 192.168.1.0/24 dev enp4s0  proto kernel  scope link  src 192.168.1.4  metric 100
IwConfig:
 enp4s0    no wireless extensions.
 
 lo        no wireless extensions.
Locales: extensions.sqlite corrupt or missing
MostRecentCrashID: bp-34f53182-12e5-4712-ba46-226df2170128
Plugins:
 VLC Web Plugin - /usr/lib/mozilla/plugins/libvlcplugin.so (browser-plugin-vlc)
 iTunes Application Detector - /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so (rhythmbox-mozilla)
 Shockwave Flash - /usr/lib/adobe-flashplugin/libflashplayer.so (adobe-flashplugin)
PrefSources: prefs.js
Profiles: Profile0 (Default) - LastVersion=51.0.1/20170125172221
RelatedPackageVersions:
 browser-plugin-vlc 2.0.6-4
 rhythmbox-mozilla  3.3-1ubuntu7
 adobe-flashplugin  1:20170110.1-0ubuntu0.16.04.1
RfKill:
 0: hci0: Bluetooth
 	Soft blocked: no
 	Hard blocked: no
RunningIncompatibleAddons: False
SourcePackage: firefox
Themes: extensions.sqlite corrupt or missing
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/14/2010
dmi.bios.vendor: Award Software International, Inc.
dmi.bios.version: F6d
dmi.board.name: GA-MA78GM-S2HP
dmi.board.vendor: Gigabyte Technology Co., Ltd.
dmi.chassis.type: 3
dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
dmi.modalias: dmi:bvnAwardSoftwareInternational,Inc.:bvrF6d:bd07/14/2010:svnGigabyteTechnologyCo.,Ltd.:pnGA-MA78GM-S2HP:pvr:rvnGigabyteTechnologyCo.,Ltd.:rnGA-MA78GM-S2HP:rvr:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvr:
dmi.product.name: GA-MA78GM-S2HP
dmi.sys.vendor: Gigabyte Technology Co., Ltd.

** Affects: firefox (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug third-party-packages xenial

-- 
You received this bug notification because you are a member of Mozilla
Bugs, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1661400

Title:
  Site ID gives false broken connections for TLS 1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1661400/+subscriptions

More information about the Ubuntu-mozillateam-bugs mailing list