path: root/doc/rst/legacy/notes_on_tls_-_ssl_3.0_intolerant_servers/index.rst
blob: c7a6ca11664181e049c8c6a532ce8a56e70a65d7 (plain)
.. _mozilla_projects_nss_notes_on_tls_-_ssl_3_0_intolerant_servers:

Notes on TLS - SSL 3.0 Intolerant Servers
=========================================

`Problem <#problem>`__
~~~~~~~~~~~~~~~~~~~~~~

.. container::

   A number of Netscape 6.x/7.x and Mozilla users have reported that some secure sites -- typically
   sites featuring online transactions or online banking over the HTTPS protocol -- do not display
   any content at all. The connection appears to be terminated and a blank page is displayed. This
   is the main symptom of the problem when Mozilla-based browsers encounter TLS/SSL 3.0 intolerant
   servers.

`Cause <#cause>`__
~~~~~~~~~~~~~~~~~~

.. container::

   There are a number of web servers in production today which incorrectly implement the SSL 3.0
   specification. This incorrect implementation causes them to reject connection attempts from
   clients that are compliant with the **SSL 3.0** and **TLS (aka SSL 3.1)** specifications.

   Netscape 6.x/7.x and Mozilla browsers (0.9.1 and later versions) correctly implement the TLS
   specification, so their users cannot use sites which have this problem.

.. _technical_information:

`Technical Information <#technical_information>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   The **SSL 3.0** and **TLS (aka SSL 3.1)** specs both contain a provision -- the same provision --
   for detecting "version rollback attacks". It is designed to permit a server to detect a
   man-in-the-middle that alters the SSL client hello (connection) requests as they pass from the
   client to the server, changing the protocol version number to a lower version number. This
   feature was of little practical use until **TLS (SSL 3.1)** came along, because there was no
   version higher than 3.0 from which to be rolled back. TLS is now available and in use, and
   products that have implemented the rollback detection incorrectly are not interoperable with
   TLS/SSL spec-compliant clients. Normally the servers which have this problem are not equipped to
   deal with the TLS protocol, but instead of rolling back to SSL 3.0 as the rollback provision
   allows, they terminate/drop the connection, which in most cases results in a blank page.
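   The following is an added illustration, not code from this page or from Netscape/Mozilla: a
   simplified model of the version negotiation described above, with a spec-compliant server that
   rolls back to SSL 3.0, an intolerant server that drops any client hello whose version it does
   not speak, and a client that optionally performs the graceful rollback described under "Users"
   below. The function names and the single-retry rollback strategy are assumptions of this model,
   not the actual NSS implementation.

   ```python
   import struct

   # Protocol versions as (major, minor); TLS 1.0 is SSL 3.1 on the wire.
   SSL_3_0 = (3, 0)
   TLS_1_0 = (3, 1)


   def client_hello_version_bytes(version):
       """Encode the client_version field of a ClientHello as two bytes."""
       return struct.pack("BB", *version)


   def parse_client_version(hello):
       """Decode the (major, minor) version from the first two bytes of a ClientHello."""
       return struct.unpack("BB", hello[:2])


   def compliant_server(client_version, server_max=SSL_3_0, server_min=SSL_3_0):
       """Spec behaviour: use the highest version both sides support, else reject."""
       if client_version < server_min:
           return None  # genuinely too old: reject
       return min(client_version, server_max)


   def intolerant_server(client_version, server_max=SSL_3_0):
       """Buggy behaviour (hypothetical model): any version other than the one the
       server speaks is treated as a rollback attack and the connection is dropped."""
       if client_version != server_max:
           return None
       return client_version


   def connect(server, client_max=TLS_1_0, graceful_rollback=False):
       """Client side: offer client_max; with graceful_rollback, retry one minor
       version lower when the server drops the connection, down to SSL 3.0.
       Returns (negotiated_version_or_None, list_of_(offered, result)_attempts)."""
       offered = client_max
       attempts = []
       while True:
           hello = client_hello_version_bytes(offered)
           negotiated = server(parse_client_version(hello))
           attempts.append((offered, negotiated))
           if negotiated is not None or not graceful_rollback or offered <= SSL_3_0:
               return negotiated, attempts
           offered = (offered[0], offered[1] - 1)


   if __name__ == "__main__":
       print("compliant :", connect(compliant_server))
       print("intolerant:", connect(intolerant_server))            # blank page
       print("rollback  :", connect(intolerant_server, graceful_rollback=True))
   ```

   With the pre-6.1 browsers the first attempt is the only one, which is exactly the dropped
   connection users saw; the rollback variant succeeds on the second hello.
   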

   For up-to-date information, you can read a Bugzilla bug report which keeps track of this problem
   with Mozilla-based browsers. See
   `bug 59321 <https://bugzilla.mozilla.org/show_bug.cgi?id=59321>`__.

.. _servers_currently_known_to_exhibit_this_intolerant_behavior:

`Servers currently known to exhibit this intolerant behavior <#servers_currently_known_to_exhibit_this_intolerant_behavior>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   As of this writing, this problem has been reported for the following servers. (Wherever there is
   an upgraded version which fixes the problem, it is indicated by an asterisked remark in
   parentheses.)

   -  Domino-Go-Webserver/4.6.2.6 (and perhaps some later versions)
   -  IBM_HTTP_Server/1.3.6.3 or earlier (\* Update to 1.3.6.4)
   -  IBM_HTTP_Server/1.3.12.1 or earlier (\* `Update to
      1.3.12.2 <http://www6.software.ibm.com/dl/websphere/http-p>`__)
   -  Java Web Server 2
   -  OSU/3.2 - DECthreads HTTP server for OpenVMS
   -  Stronghold/2.2
   -  Webmail v. 3.6.1 by Infinite Technologies (\* Update available)

   N.B. There might be servers other than those listed above which exhibit this problem. If you find
   such a server, feel free to add it to this page. For up-to-date information, you can read this
   `bug 59321 <https://bugzilla.mozilla.org/show_bug.cgi?id=59321>`__ which keeps a list of TLS/SSL
   3.0 intolerant servers.

.. _users:_how_to_avoid_this_problem.3f:

`Users: How to avoid this problem? <#users:_how_to_avoid_this_problem.3f>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   .. rubric:: Netscape 6.1 Preview Release 1, or Mozilla 0.9.1 and earlier
      :name: netscape_6.1_preview_release_1.2c_or_mozilla_0.9.1_and_earlier

   These versions shipped with the TLS option turned **ON** by default but had no way to deal with
   the problem servers. If you are using these old versions, please update to the latest Netscape
   or Mozilla version. You can also avoid the problem by editing an existing profile: check the
   preference setting at Edit \| Preferences \| Privacy and Security \| SSL \| Enable TLS, and turn
   it **OFF** if it is **ON** in these earlier browsers.

   .. rubric:: Netscape 6.1 or Mozilla 0.9.2 and later
      :name: netscape_6.1_or_mozilla_0.9.2_and_later

   These browsers shipped with the TLS option **ON** but also included a graceful rollback mechanism
   on the client side when they encounter known TLS/SSL 3.0 intolerant servers.

   .. rubric:: Firefox 2 and later
      :name: firefox_2_and_later

   Starting with Firefox 2, support for SSL 2.0 is disabled by default unless it is expressly
   re-enabled by the user using about:config. See `Security in Firefox
   2 <https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/2/Security_changes>`__ for
   details.

.. _website_administrators:_how_to_avoid_this_problem.3f:

`Website Administrators: How to avoid this problem? <#website_administrators:_how_to_avoid_this_problem.3f>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   -  Upgrade to a newer version, if one is available, that corrects this problem. Other network
      clients which implement the TLS/SSL 3.0 specification correctly will also have problems with
      your site. Let's not perpetuate the problem servers.
   -  Contact the manufacturer and inquire if there is a new version available which fixes this
      problem.
   -  Post a note on your site instructing users of old versions of browsers like Netscape
      6.0/6.01/6.1 Preview Release 1 and Mozilla 0.9.1 and earlier to turn **OFF** the TLS option
      at: Edit \| Preferences \| Privacy and Security \| SSL \| Enable TLS. However, this is a
      temporary workaround at best. We recommend strongly that you urge users to upgrade to the
      latest Netscape version (or at least Netscape 6.1) since the newer versions have the graceful
      rollback implemented in the code.
   -  If you have questions concerning Netscape browsers and problem servers, please contact us
      using the feedback address at the top of this page.

.. _detecting_intolerant_servers:

`Detecting intolerant servers <#detecting_intolerant_servers>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   Because newer versions of Netscape and Mozilla have a built-in workaround for the problem
   servers, it is now unlikely that you will experience this problem. But if you're running Netscape
   6.0/6.01/6.1 PR 1 or a Mozilla build prior to 6/11/2001, you should look out for the symptom
   described below. You may also run this test with later versions of Netscape 6.x or Mozilla --
   just in case the code changes in Netscape 6.1/Mozilla 0.9.2 or later do not catch every problem
   server.

   -  When you find a secure site which simply does not display any page content or drops the
      connection, check to see if the preference option Edit \| Preferences \| Privacy and Security
      \| SSL \| Enable TLS is turned **ON**. If so, turn it **OFF**.
   -  Now re-visit the problem site. If the content displays this time, you are most likely
      witnessing a TLS/SSL 3.0 intolerant server.
   -  Report such a problem to the server's administrator.

.. _how_to_report_an_intolerant_server:

`How to report an intolerant server <#how_to_report_an_intolerant_server>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   -  *Optional:*\ Get the name of the SSL server software used by the website. To do so, add
      ``http://toolbar.netcraft.com/site_report?url=`` to the beginning of the URL. The server
      software will appear next to **Server** under **SSL Certificate Information**.
      For instance, to check ``https://bugzilla.mozilla.org/``, then visit
      `http://toolbar.netcraft.com/site_rep...a.mozilla.org/ <http://toolbar.netcraft.com/site_report?url=https://bugzilla.mozilla.org/>`__.
   -  Add the information on such a server (software, URL) to
      `bug 59321 <https://bugzilla.mozilla.org/show_bug.cgi?id=59321>`__ at Bugzilla. (Note: You
      will be asked to provide your email address before you can file a bug at Bugzilla.)

.. _original_document_information:

`Original Document Information <#original_document_information>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   -  Author : Katsuhiko Momoi
   -  Last Updated Date: January 27th, 2003
   -  Copyright © 2001-2003 Netscape. All rights reserved.