Rechercher dans l’assistance

Évitez les escroqueries à l’assistance. Nous ne vous demanderons jamais d’appeler ou d’envoyer un SMS à un numéro de téléphone ou de partager des informations personnelles. Veuillez signaler toute activité suspecte en utilisant l’option « Signaler un abus ».

En savoir plus

I disabled all cipher suites in Firefox; why am I still able to connect to some https:// sites?

more options

I was experimenting with whether I could disable certain cipher suites in Firefox in order to force a remote website to negotiate a different one. However I found that if I went into about:config and searched for settings with "ssl3" in the name, and set ALL of them to false (security.ssl3.dhe_rsa_aes_128_sha, security.ssl3.dhe_rsa_aes_256_sha, etc. -- there were 15 of them), I am still able to connect to https://www.instagram.com/ , https://www.google.com/ , and https://www.paypal.com/ with no error, even after restarting.

However, https://support.mozilla.org/ does give me the "Error code: SSL_ERROR_NO_CYPHER_OVERLAP" error. On the other hand, https://www.mozilla.org/ works with no error. I cannot discern any pattern as to why some sites work and some don't, even after disabling all cipher suites. Why are *any* of them accessible?

I was experimenting with whether I could disable certain cipher suites in Firefox in order to force a remote website to negotiate a different one. However I found that if I went into about:config and searched for settings with "ssl3" in the name, and set ALL of them to false (security.ssl3.dhe_rsa_aes_128_sha, security.ssl3.dhe_rsa_aes_256_sha, etc. -- there were 15 of them), I am still able to connect to https://www.instagram.com/ , https://www.google.com/ , and https://www.paypal.com/ with no error, even after restarting. However, https://support.mozilla.org/ does give me the "Error code: SSL_ERROR_NO_CYPHER_OVERLAP" error. On the other hand, https://www.mozilla.org/ works with no error. I cannot discern any pattern as to why some sites work and some don't, even after disabling all cipher suites. Why are *any* of them accessible?

Solution choisie

Problem solved. I figured if you can't disable cipher suites properly, this might qualify as a security bug, so I submitted it here and got a response: https://bugzilla.mozilla.org/show_bug.cgi?id=1631240 Basically, the cipher suite settings in about:config only apply to TLS 1.0 through 1.2 connections. The configuration options for TLS 1.3 connections are not listed in about:config. So the websites which continued to work for me (after I thought I disabled "all" cipher suites) were TLS 1.3 sites.

Lire cette réponse dans son contexte 👍 0

Toutes les réponses (4)

more options

I was able to enter some pages, but when I asked for new webpages (pages that I've never visited) it prompt me the error. Maybe the certificates have some kind of cache

more options

@Markel that's what I thought too. However, this still looks like buggy behavior, because even if website public key certificate is *cached*, the public key certificate is just used to establish the initial connection, and from that point on, the connection is still encrypted using one of the listed cipher suites. Therefore if you disable all of the cipher suites, the connection should still be impossible.

more options

Did you close and restart Firefox after disabling the cipher suites ?

You can reload web page(s) and bypass the cache to refresh possibly outdated or corrupted files.

  • hold down the Shift key and left-click the Reload button
  • press "Ctrl + F5" or press "Ctrl + Shift + R" (Windows,Linux)
  • press "Command + Shift + R" (Mac)
more options

Solution choisie

Problem solved. I figured if you can't disable cipher suites properly, this might qualify as a security bug, so I submitted it here and got a response: https://bugzilla.mozilla.org/show_bug.cgi?id=1631240 Basically, the cipher suite settings in about:config only apply to TLS 1.0 through 1.2 connections. The configuration options for TLS 1.3 connections are not listed in about:config. So the websites which continued to work for me (after I thought I disabled "all" cipher suites) were TLS 1.3 sites.