Funkcionalnosć tutoho sydła so přez wothladowanske dźěła wobmjezuje, kotrež maja waše dožiwjenje polěpšić. Jeli nastawk waš problem njerozrisuje a chceće prašenje stajić, wobroćće so na naše zhromodźenstwo pomocy, kotrež na to čaka, wam na @FirefoxSupport na Twitter a /r/firefox na Reddit pomhać.

Pomoc přepytać

Hladajće so wobšudstwa pomocy. Njenamołwimy was ženje, telefonowe čisło zawołać, SMS pósłać abo wosobinske informacije přeradźić. Prošu zdźělće podhladnu aktiwitu z pomocu nastajenja „Znjewužiwanje zdźělić“.

Dalše informacije

firefox reports broken encryption TLS1.0 while server enforces TLSv1.2 and FF tls.version.min is set to 2

  • 7 wotmołwy
  • 3 maja tutón problem
  • 5 napohladow
  • Poslednja wotmołwa wot marc_vd_meer

more options

both sslscan and testssl report the site to only offer TLSv1.2. Firefox security.tls.version.min config setting is set to 2 which I understand to disallow TLSv1.0 connections. Still when connecting to this site Firefox says "weak encryption, TLSv1.0 and a weak cipher, which is clearly incorrect. This is firefox 71.0 on Fedora 30.

both sslscan and testssl report the site to only offer TLSv1.2. Firefox security.tls.version.min config setting is set to 2 which I understand to disallow TLSv1.0 connections. Still when connecting to this site Firefox says "weak encryption, TLSv1.0 and a weak cipher, which is clearly incorrect. This is firefox 71.0 on Fedora 30.

Wšě wotmołwy (7)

more options

Same issue,

more options

Can you share the URL of the site?

Can you rule out a proxy server or other "man in the middle"? When there is an MITM, there are two connections: Firefox to MITM, MITM to site (this is how the MITM gets unencrypted access to your browsing).

more options

cannot share the link as this is an emulated local z/OS setup. This is why I know the server forces TLSv1.2 only (as I control the server). For sure there is no MITM possibility, as the client is FF on fedora 30, and the server is locally emulated z/OS (not connected to the internet) on the same Linux host.

more options

So if understand correctly:

  • You control the SSL configuration of the server
  • The server refuses to connect using any protocol other than TLS 1.2
  • Firefox is set to a minimum protocol of TLS 1.1 by setting security.tls.version.min = 2
  • Firefox says it retrieved the page using TLS 1.0

In case Firefox is providing information on a cached retrieval, could you flush the cache? See: How to clear the Firefox cache.

Otherwise, "that's impossible."

more options

What cipher suite is used ?

Does "Tools -> Page Info -> Security" or the Network Monitor give more information ?

You shouldn't get such a warning if you use TLS 1.2 with a strong cipher suite.

more options

This is what the server offers:

 Supported Server Cipher(s):

Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 1024 bits Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 1024 bits Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 1024 bits Accepted TLSv1.2 256 bits AES256-GCM-SHA384 Accepted TLSv1.2 256 bits AES256-SHA256 Accepted TLSv1.2 256 bits AES256-SHA Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits Accepted TLSv1.2 128 bits AES128-GCM-SHA256 Accepted TLSv1.2 128 bits AES128-SHA256 Accepted TLSv1.2 128 bits AES128-SHA

As you can see the preferred cipher is a strong cipher. I will flush my cache now as suggested in another response, although caching TLS session information would imho be a bad thing

more options

Flushing the cache has changed the message on page-info: now TLSv1.2 is indicated, although the server preferred cipher (see above) is not used. It might be the server (a WAS Liberty application) that caches the TLS session info. Thanks for the suggestions