Firefox 57 blocks a number of https sites

Pim
Posts: 2215
Joined: May 17th, 2004, 2:04 pm
Location: Netherlands

Firefox 57 blocks a number of https sites

Post by Pim »

Some of the sites I'm maintaining no longer show up in Firefox 57.
I get the error
Secure Connection Failed

The connection to (site name) was interrupted while the page was loading.

• The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
• Please contact the website owners to inform them of this problem.

Learn more…

☐ Report errors like this to help Mozilla identify and block malicious sites
And since I'm one of the website owners, I'd like to know what I can do to solve it!

Some testing shows that
- The security certificates are not expired.
- Other sites with similar certificates (both from the same issuer, using sha256, 2048 bit keys etc) still function OK.
- The website shows up fine in Firefox 56 (the current Developer Edition), as well as all other browsers I tried (Chrome, IE, Edge).
- The problem occurs both in the Windows and Linux versions, with the 32 bit and 64 bit nightlies, and in SeaMonkey 2.54, so it's not a bug in one particular nightly.

Then what can I do now? How can I ascertain what exactly FF57 is choking on?
If, as this page hints, the websites are using "out-dated (no longer secure) TLS mechanisms in an attempt to secure your connection", how can I find out which TLS mechanism is used, so that I can tell my CA to give me more up-to-date certificates?
I know that older SSL methods are being phased out, so that could be it.
Or is it a bug after all? I tried searching Bugzilla, but nothing recent came up, nothing that explained the differences between Gecko 56 and 57. This page is still empty too.
So what to do?
Groetjes, Pim
TheVisitor
Posts: 5469
Joined: May 13th, 2012, 10:43 am

Re: Firefox 57 blocks a number of https sites

Post by TheVisitor »

A link to one of the sites you're seeing the error page on would help.
Alice0775
Posts: 2817
Joined: October 26th, 2007, 11:25 pm
Location: OSAKA

Re: Firefox 57 blocks a number of https sites

Post by Alice0775 »

Mozilla disables 3DES encryption for Nightly.

Ref: Bug 1386754 [Core: Security: PSM] - Disable 3DES in TLS Handshake for Nightly builds [All]
Pim
Posts: 2215
Joined: May 17th, 2004, 2:04 pm
Location: Netherlands

Re: Firefox 57 blocks a number of https sites

Post by Pim »

Thanks for letting me know what to look for.

Of course now I know the correct search phrase, I can see that it's been discussed before on this site. I missed that, because the text of the error message was different. Oh well.

So the solution, at least for now, is to set the security.ssl3.rsa_des_ede3_sha setting to true. Naturally the long term solution is to not use certificates with 3DES ciphers any more!
But now I'm not sure when 3DES support will be dropped altogether. The Bugzilla comment thread doesn't make that very clear. Anyone can provide me with a definitive version number?
Groetjes, Pim
Virtual_ManPL
Posts: 2052
Joined: July 24th, 2008, 5:52 am

Re: Firefox 57 blocks a number of https sites

Post by Virtual_ManPL »

@ Pim - The deprecation date for the 3DES cipher is still not established yet, see Bug 1227524 - Establish deprecation date for 3DES.
Virtualfox persona
Tired of constant Firefox UI changes? XUL extensions are not working anymore? Try SeaMonkey, Waterfox Classic, Pale Moon.
johnp_
Posts: 154
Joined: March 7th, 2011, 11:22 am

Re: Firefox 57 blocks a number of https sites

Post by johnp_ »

Pim wrote: Naturally the long term solution is to not use certificates with 3DES ciphers any more!
I just want to clear this up: Certificates are not using 3DES (a cipher), but usually SHA-2 (a hash; SHA-1 is being phased out and may cause a certificate to not be accepted).
This change causes the connection to fail due to a cipher mismatch and should only cause issues in two situations:

1. The server only supports the 3DES cipher(s) (which usually is a configuration issue; any half-modern crypto-library supports AES)
2. The server would have chosen 3DES, but due to Firefox not accepting 3DES now, a buggy fallback path is taken (e.g. another cipher that is implemented incorrectly by the server)
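The following script is an added example, not code from this thread, from Mozilla or from any of the posters. It answers Pim's earlier question ("how can I find out which TLS mechanism is used?") and separates the two failure cases johnp_ lists above by doing two handshakes against a server: one with an OpenSSL cipher list that excludes 3DES (roughly what a browser that dropped 3DES offers) and one restricted to DES-CBC3-SHA, which is OpenSSL's name for TLS_RSA_WITH_3DES_EDE_CBC_SHA, the suite behind the `security.ssl3.rsa_des_ede3_sha` preference. The host name `example.org` in the usage line is a placeholder; the `probe`/`negotiate`/`diagnose` function names are this example's own, and the script assumes a local Python build whose OpenSSL still ships 3DES (it reports an error instead of a false diagnosis if it does not).

```python
"""Probe whether a TLS server can complete a handshake without 3DES.

A site that fails in Firefox 57 Nightly but works in Firefox 56 either
(1) offers only 3DES suites, or (2) negotiates some non-3DES suite that its
TLS stack then mishandles.  Two handshakes with different OpenSSL cipher
lists tell the two cases apart.  Added example, not Mozilla's code.
"""
import socket
import ssl
import sys

# Standard OpenSSL cipher-list syntax.  "DEFAULT:!3DES" is roughly what a
# browser without 3DES offers; "DES-CBC3-SHA" is TLS_RSA_WITH_3DES_EDE_CBC_SHA,
# the suite controlled by Firefox's security.ssl3.rsa_des_ede3_sha pref.
NO_3DES = "DEFAULT:!3DES"
ONLY_3DES = "DES-CBC3-SHA"


def is_3des(suite_name: str) -> bool:
    """True for a 3DES suite in OpenSSL ("DES-CBC3-SHA") or IANA
    ("TLS_RSA_WITH_3DES_EDE_CBC_SHA") naming; single DES does not match."""
    name = suite_name.upper()
    return "3DES" in name or "DES-CBC3" in name


def negotiate(host: str, port: int, ciphers: str, tls12_only: bool = False,
              timeout: float = 5.0):
    """Handshake with `host:port` offering only `ciphers`.

    Returns (cipher_name, protocol) on success or (None, error_text) on
    failure.  Certificate verification is deliberately off: this probe
    answers the cipher question only, not whether the chain is valid.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if tls12_only:
        # 3DES does not exist in TLS 1.3; without this cap a 1.3-capable
        # server would pick an AES suite and mask the answer.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(ciphers)
    except ssl.SSLError as e:
        # A local OpenSSL built without 3DES cannot run the 3DES probe.
        return None, f"local OpenSSL rejects cipher list {ciphers!r}: {e}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, proto, _bits = tls.cipher()
                return name, proto
    except (ssl.SSLError, OSError) as e:
        return None, str(e)


def diagnose(without_3des_ok: bool, only_3des_ok: bool) -> str:
    """Map the two probe outcomes onto the two failure cases from the thread."""
    if without_3des_ok:
        return "ok: server negotiates a non-3DES suite; Firefox 57 should connect"
    if only_3des_ok:
        return "case 1: server accepts only 3DES; enable AES or ChaCha20 suites"
    return ("case 2 or unrelated: handshake fails with and without 3DES; "
            "check the server's TLS configuration and logs")


def probe(host: str, port: int = 443) -> dict:
    """Run both handshakes and return the raw results plus the diagnosis."""
    no3des = negotiate(host, port, NO_3DES)
    only3des = negotiate(host, port, ONLY_3DES, tls12_only=True)
    return {
        "without_3des": no3des,
        "only_3des": only3des,
        "diagnosis": diagnose(no3des[0] is not None, only3des[0] is not None),
    }


if __name__ == "__main__":
    # "example.org" is a placeholder host; pass the affected site on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.org"
    for key, value in probe(target).items():
        print(f"{key}: {value}")
```

Run it as `python3 probe3des.py www.your-site.example`. If `without_3des` succeeds, the server is not the problem and the cipher-suite change is a red herring; if only the `only_3des` handshake succeeds, the server is in johnp_'s case 1 and needs AES (or ChaCha20) suites enabled in its TLS configuration, which is a server-side change, not a new certificate from the CA.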