= phenomenon =
In Firefox with security.ssl.treat_unsafe_negotiation_as_broken set to true, https://koji.fedoraproject.org and https://cvs.fedoraproject.org do not get the blue SSL badge.

= reason =
Those servers do not support safe renegotiation (RFC 5746). They probably are not vulnerable to the renegotiation attack (CVE-2009-3555) because they refuse client-initiated renegotiation and I don't know of any circumstance in which they would perform server-initiated renegotiation. However, there's no way for Firefox to know that, and standardizing an extension for that specific purpose short of full RFC 5746 would be silly.

= recommendation =
Update the web server once a suitable version becomes available (see [https://bugzilla.redhat.com/show_bug.cgi?id=579311 bug 579311]).
https://lists.fedoraproject.org is also lacking RFC 5746 support.
koji and cvs appear to be fixed now; lists still isn't.
lists is fixed. Thanks!