
SSL Server Test showing wrong results due to out of date reference browser settings

Question asked by Dave Garrett on Dec 3, 2014
Latest reply on Dec 9, 2014 by Ivan Ristić

To start off, I reiterate that SSL3-only servers should autofail the whole test. At this point, I consider your tester to be basically broken until this is fixed.

SSL3 only servers should autofail server test

 

Mozilla now disables SSL3 by default in the stable Firefox 34.0.5 release as well as Firefox 31.3.0 ESR. Google will be disabling SSL3 by default in Chrome in the near future as well. Please fix the reference browser settings used for the "Handshake Simulation" portion of the test to show the correct results. Currently, it uses Firefox 32 & Firefox 24.2.0 ESR, both out-of-date. These need fixing to use current versions which fail to connect to SSL3-only servers.

 

A generic "Protocol or cipher suite mismatch" would be sufficient. Something to the effect of "Firefox has SSL3 disabled by default" would be more precise, if desired. (not NSS; the change was in PSM)

 

Specific test-case I hit to discover this:

Qualys SSL Labs - Projects / SSL Server Test / tmobile.ecustomersupport.com

Qualys SSL Labs - Projects / SSL Server Test / tmobile.ecustomersupport.com (dev version)

1042380 – T-Mobile's customer website login is broken without SSL3: ssl_error_no_cypher_overlap on https://tmobile.ecust…
