I disabled all cipher suites in Firefox; why am I still able to connect to some https:// sites?

  • 4 replies
  • 1 has this problem
  • 2 views
  • Last reply by bennetthaselton

I was experimenting with whether I could disable certain cipher suites in Firefox in order to force a remote website to negotiate a different one. However I found that if I went into about:config and searched for settings with "ssl3" in the name, and set ALL of them to false (security.ssl3.dhe_rsa_aes_128_sha, security.ssl3.dhe_rsa_aes_256_sha, etc. -- there were 15 of them), I am still able to connect to https://www.instagram.com/ , https://www.google.com/ , and https://www.paypal.com/ with no error, even after restarting.

However, https://support.mozilla.org/ does give me the "Error code: SSL_ERROR_NO_CYPHER_OVERLAP" error. On the other hand, https://www.mozilla.org/ works with no error. I cannot discern any pattern as to why some sites work and some don't, even after disabling all cipher suites. Why are *any* of them accessible?

Chosen solution

Problem solved. I figured if you can't disable cipher suites properly, this might qualify as a security bug, so I submitted it here and got a response: https://bugzilla.mozilla.org/show_bug.cgi?id=1631240 Basically, the cipher suite settings in about:config only apply to TLS 1.0 through 1.2 connections. The configuration options for TLS 1.3 connections are not listed in about:config. So the websites which continued to work for me (after I thought I disabled "all" cipher suites) were TLS 1.3 sites.

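The chosen solution's explanation, worked through as an added example (not code from the original thread or from Mozilla): a minimal ClientHello parser plus a simplified model of the server's choice, showing why a client with every TLS 1.0-1.2 suite turned off still connects to TLS 1.3 servers and fails against TLS 1.2-only ones. The function names, the sample ClientHello and the server suite lists are constructed for illustration.

```python
import struct

# TLS 1.3 suites (RFC 8446): AES_128_GCM_SHA256, AES_256_GCM_SHA384, CHACHA20_POLY1305_SHA256
TLS13_SUITES = {0x1301, 0x1302, 0x1303}
TLS13, TLS12 = 0x0304, 0x0303

def u16list(data):
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data) - 1, 2)]

def parse_client_hello(msg):
    """Return (cipher suite ids, supported_versions ids) offered in a ClientHello."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    try:
        pos = 35 + body[34]                       # legacy_version, random, session id
        n = int.from_bytes(body[pos:pos + 2], "big")
        suites = u16list(body[pos + 2:pos + 2 + n])
        pos += 3 + n + body[pos + 2 + n]          # cipher suites, then compression methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos, versions = pos + 2, []
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
            if ext_type == 43:                    # supported_versions extension
                versions = u16list(body[pos + 5:pos + 5 + body[pos + 4]])
            pos += 4 + ext_len
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    return suites, versions

def negotiate(msg, server_versions, server_suites):
    """Model the server: highest shared version, then first offered suite valid for it."""
    suites, versions = parse_client_hello(msg)
    version = max(set(versions) & set(server_versions), default=None)
    for s in suites:
        if version and s in server_suites and (s in TLS13_SUITES) == (version == TLS13):
            return version, s
    return None  # no usable suite: the handshake fails

def build_sample_hello(suites, versions):
    """Constructed ClientHello for the demo (zero random, empty session id)."""
    sv = bytes([2 * len(versions)]) + b"".join(v.to_bytes(2, "big") for v in versions)
    ext = struct.pack(">HH", 43, len(sv)) + sv
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs
            + b"\x01\x00" + len(ext).to_bytes(2, "big") + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body

SAMPLE = build_sample_hello([0x1301, 0x1303, 0x1302], [TLS13, TLS12])  # constructed
```

With a server limited to TLS 1.2, `negotiate(SAMPLE, [TLS12], ...)` returns `None`, which is the situation the question hit as SSL_ERROR_NO_CYPHER_OVERLAP.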

All Replies (4)

I was able to enter some pages, but when I asked for new webpages (pages that I've never visited) it prompted me with the error. Maybe the certificates have some kind of cache.

@Markel that's what I thought too. However, this still looks like buggy behavior, because even if the website's public key certificate is *cached*, the public key certificate is just used to establish the initial connection, and from that point on, the connection is still encrypted using one of the listed cipher suites. Therefore if you disable all of the cipher suites, the connection should still be impossible.

Did you close and restart Firefox after disabling the cipher suites?

You can reload web page(s) and bypass the cache to refresh possibly outdated or corrupted files.

  • hold down the Shift key and left-click the Reload button
  • press "Ctrl + F5" or press "Ctrl + Shift + R" (Windows, Linux)
  • press "Command + Shift + R" (Mac)