
Re: Issue accessing https://git.libssh.org


On Thursday, 29 June 2017 10:54:12 CEST Tilo Eckert wrote:
> On 28.06.2017 at 18:05, Andreas Schneider wrote:
> > On Wednesday, 28 June 2017 15:40:00 CEST Tilo Eckert wrote:
> >> On 28.06.2017 at 13:42, Andreas Schneider wrote:
> >>> On Wednesday, 28 June 2017 12:43:14 CEST Tilo Eckert wrote:
> >>>> Hi,
> >>> 
> >>> Hi Tilo,
> >>> 
> >>>> I am experiencing a reoccurring issue when accessing
> >>>> https://git.libssh.org with Firefox. When requesting a page for the
> >>>> first time after browser startup or after not accessing the site for a
> >>>> while, I get an SSL error page with the error code
> >>>> NS_ERROR_NET_INADEQUATE_SECURITY.
> >>>> 
> >>>> Refreshing the page causes it to load successfully and I can navigate
> >>>> the site. When idling on one page for a couple of minutes, the issue
> >>>> reappears on the next page request.
> >>>> 
> >>>> If the server is configured for HTTPS2, this post might be relevant:
> >>>> https://support.mozilla.org/en-US/questions/1139019
> >>> 
> >>> Thanks!
> >>> 
> >>> Please retry.
> >> 
> >> The issue still persists. I think the reason is that the cipher suite
> >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA is negotiated which is blacklisted in
> >> HTTP/2. Firefox probably falls back to HTTP/1.1 when negotiation failed
> >> for a recent previous request.
> > 
> > Strange, I used the SSLCipherSuite line from
> > https://icing.github.io/mod_h2/howto.html
> > 
> > I don't see the issue with Firefox 52.0.2
> 
> This SSLCipherSuite?
> 
> > SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

Yes, that's the one.

> It looks like you either did not specify "SSLHonorCipherOrder on" or
> your SSLCipherSuite declaration is not used for some reason.

That's set too.


However I think I found it.



	Andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
www.cryptomilk.org                asn@xxxxxxxxxxxxxx
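
The cipher question discussed in this thread, as an added example that is not part of the original messages or of the libssh project: it classifies the explicit suites in the quoted SSLCipherSuite value against the HTTP/2 rule in RFC 7540 Appendix A, then simulates suite selection with and without server ordering. The function names and the client offer are assumptions made for illustration; the offer is constructed and is not any real browser's list.

```python
# RFC 7540 Appendix A blacklists TLS 1.2 suites that lack an ephemeral key
# exchange or an AEAD cipher. OpenSSL suite names expose both properties.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")

# SSLCipherSuite value as quoted in the thread.
SERVER_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
)

def explicit_suites(cipher_string):
    """Keep explicit suite names; skip selectors (kEDH+AESGCM) and !exclusions."""
    return [t for t in cipher_string.split(":")
            if t and t[0] not in "!-+" and "+" not in t]

def h2_acceptable(name):
    """True if the suite has ephemeral key exchange and an AEAD cipher."""
    return name.startswith(EPHEMERAL_PREFIXES) and any(m in name for m in AEAD_MARKERS)

def blacklisted(cipher_string):
    """Configured suites that an HTTP/2 peer may reject (INADEQUATE_SECURITY)."""
    return [s for s in explicit_suites(cipher_string) if not h2_acceptable(s)]

def negotiate(server_string, client_offer, honor_server_order):
    """Pick the first mutually supported suite in the preferring side's order."""
    server = explicit_suites(server_string)
    first, second = (server, client_offer) if honor_server_order else (client_offer, server)
    for suite in first:
        if suite in second:
            return suite
    return None

# Constructed client offer (assumption): a CBC suite listed before a GCM suite.
CLIENT_OFFER = ["ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print("blacklisted for HTTP/2:", blacklisted(SERVER_CIPHERS))
    for honor in (True, False):
        pick = negotiate(SERVER_CIPHERS, CLIENT_OFFER, honor)
        print(f"honor_server_order={honor}: {pick} h2_ok={h2_acceptable(pick)}")
```

The name-based check is a heuristic over OpenSSL naming and does not replace inspecting the suite actually negotiated on the wire.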
