Page MenuHomePhabricator

Getting ssl_error_inappropriate_fallback_alert very rarely
Closed, ResolvedPublic

Description

Hello,

every few weeks I get an “ssl_error_inappropriate_fallback_alert” when I try to connect to a Wikipedia. If I reload, the error is gone. So my guess is that one of the servers is not in sync with the others, but it might be something else.
Unfortunately I’m not able to debug it, because I have no further information than the error-page.
Maybe someone else encounters something similar, then he/she can add to this bug.

Event Timeline

DaBPunkt created this task.Aug 10 2015, 1:34 PM
DaBPunkt raised the priority of this task from to Lowest.
DaBPunkt updated the task description. (Show Details)
DaBPunkt added a subscriber: DaBPunkt.
Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptAug 10 2015, 1:34 PM
Krenair set Security to None.
Krenair added a project: Traffic.
Krenair added a subscriber: Krenair.
BBlack added a subscriber: BBlack.Aug 10 2015, 2:10 PM

@DaBPunkt can you provide details on the client software (browser version, OS version, etc?) and any local software that might be interfering ("antivirus" sorts of things that might intercept browser connections)?

Possibly related is this Firefox bug report, which talks about possible Bitdefender involvement, and seems to indicate the error is related to some kind of SSLv3 fallback (which our servers definitely don't support): https://support.mozilla.org/en-US/questions/1043677

@DaBPunkt can you provide details on the client software (browser version, OS version, etc?) and any local software that might be interfering ("antivirus" sorts of things that might intercept browser connections)?

Sure.
OS: Debian Jessie (some Wheezy- and Sketch-packages)
Browser: Iceweasel 31.8.0
Interesting plugins: Disconnect, Adblock, Noscript, Calomel SSL Validation, HTTPS-Everywhere, DNSSEC/TLSA Validator
No antivirus, no desktop-firewall.
IPv6-Connectivity.

Based on the actual error message, I don't think the issue is coming from our servers in any case. There are various FF bug reports linked to this error that all say in one way or another it's indicative of a TLSv1.2 failure and attempt to fall back to a lower protocol version. I'd try to get a packet capture when the failure happens to debug. That, or try without extensions for a while. Are you confident that your DNS queries aren't being hijacked by an ISP sporadically?

@DaBPunkt are you still getting the same sporadic error?

BBlack closed this task as Resolved.May 31 2016, 9:46 PM
BBlack claimed this task.

Assuming not, re-open if so.