RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 808136 - Print more informative error message when site uses old SSL/TLS version
Summary: Print more informative error message when site uses old SSL/TLS version
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: firefox
Version: 6.3
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: 6.3
Assignee: Martin Stransky
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-03-29 16:53 UTC by David Jaša
Modified: 2013-03-20 20:09 UTC (History)
4 users (show)

Fixed In Version: RHSA-2012:1088
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-03 12:37:03 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Mozilla Foundation 762301 0 None None None 2012-06-06 23:32:25 UTC

Description David Jaša 2012-03-29 16:53:44 UTC 
Description of problem:
Print more informative error message when site uses old SSL/TLS version

Version-Release number of selected component (if applicable):
firefox-10.0.3-1.el6_2.x86_64

How reproducible:
always

Steps to Reproduce:
1. in Preferences -> Advanced, disable SSL 3.0
2. connect to https site using SSL <= 3.0
3.
  
Actual results:
error page says only that the connection has been reset

Expected results:
error page should state that web site only supports SSL (TLS) version <= %s while browser settings require SSL (TLS) version >= %s.

Additional info:
Comment 1 Martin Stransky 2012-06-06 10:30:58 UTC 
We have to solve this bug upstream, and I believe it's more for nss/psm folks. David, do you have any reproducer?
Comment 3 Martin Stransky 2012-06-06 11:14:39 UTC 
Kai, what do you think about this bug?
Comment 5 Kai Engert (:kaie) (inactive account) 2012-06-06 22:21:59 UTC 
My initial reaction is that better user feedback is a "feature". The stable ESR branch of Firefox is not meant to get new features. In particular, introducing new wording is also not an option for the stable branch.
Comment 6 Kai Engert (:kaie) (inactive account) 2012-06-06 22:56:51 UTC 
Because of the stable branch limitations, anything requiring new strings would have to wait until Firefox 17 (most likely the next major ESR release).

However, we used to have an error message "no common encryption algorithm(s)". We need to investigate why it's not shown in this scenario.

After a quick test, I see that Firefox attempts to connect to the site multiple times, always fails, and eventually gives up. This indicates a misinterpretation of an NSS error code at the Mozilla applicaiton level.
Comment 7 Kai Engert (:kaie) (inactive account) 2012-06-06 23:32:25 UTC 
I filed upstream https://bugzilla.mozilla.org/show_bug.cgi?id=762301
Comment 8 Kai Engert (:kaie) (inactive account) 2012-06-06 23:35:41 UTC 
I attached a potential patch to the upstream bug which applies to the Mozilla-ESR10 branch used by current RHEL.
https://bugzilla.mozilla.org/show_bug.cgi?id=762301#c1

With the patch applied, the error message shown is:

An error occurred during a connection to .....
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
Comment 9 Kai Engert (:kaie) (inactive account) 2012-06-13 11:43:26 UTC 
Do you want to pick up this patch in Red Hat's packaged ESR?


The trunk version of the patch was added upstream to the main development branch.

I believe this isn't a regression, and therefore it doesn't qualify for upstream's rules for the ESR branch.
Comment 10 RHEL Program Management 2012-06-25 11:42:54 UTC 
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has 
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed 
products. This request is not yet committed for inclusion in an Update release.
Comment 13 Martin Stransky 2012-08-03 12:37:03 UTC 
Fixed in RHSA-2012:1088
Note You need to log in before you can comment on or make changes to this bug.