[dave_d]

Hi all,

Firefox is blocking me from my firewall appliance!

When attempting to connect, I receive this error from Firefox:

Unable to Connect Securely

Firefox cannot guarantee the safety of your data on 192.168.1.1 because it uses SSLv3, a broken security protocol.
Advanced info: ssl_error_no_cypher_overlap

How do I disable this SSLv3 protection in order to access and manage critical legacy appliances on my intranet? Is there an exception list, so I needn't disable it outright?

Thank you very much!

Dave

[trolly]

about:config -> type ssl3 in the search bar at the top and enable protocols until it works

[dave_d]

Thank you, trolly, but that didn't work.

I stepped through the ssl3 protocols, turning each "false" value to "true." No change. Then, with all values "true," I restarted Firefox again and still no change. Believing that my understanding of the value was maybe incorrect, I turned all default "true" entries to "false" too, restarted Firefox, and again no change.

Any ideas? I truly appreciate it.

[trolly]

There are rumors about completely deactivating SSLv3. If that's the case you need an equal old firefox. For the next time you can use Firefox 32 ESR.
I did not understood if SSLv3 is simply switched off or completely removed.

[dave_d]

Ah! I figured it out.

Prior to posting here, I found a recommendation to disable SSLv3 by changing security.tls.version.min from "0" (default) to "1." I expected the reverse operation to have the opposite effect (in FF 34, the default is now "1"). But, it turns out, you must also change security.tls.version.fallback-limit to "0" too. This was a lucky guess on my part. And, to be clear, protocols are back to their defaults.

I hope this helps anybody else stuck in my situation.

Thank you, trolly!

[trolly]

Thanks for reporting. I did not know about the fallback pref.

[dbdataplus]

I appreciate knowing how to accommodate this issue --- I didn't realize it but one of my clients had to have their entire staff revert to IE due to this issue. A major supplier of theirs is using the older SSL and IE, at least, allows the option of continuing in spite of the risk.

I really like it when software gives me the OPTION of protecting myself. I like that almost as much as I'm angered when software presumes to know more about how I should use my system than I know.

So thanks for doing what Firefox should have built into their "Learn more" box.

[James]

Why SSL 3.0 is not safe. https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

If you really need to access these vulnerable pages on occasion then this extension will make it easier to toggle back and forth as being able to view SSL 3.0 by default is not a good idea.
https://addons.mozilla.org/firefox/addon/ssl-version-control/

[LoudNoise]

Makes me wonder about the supplier. SSL 3 makes them vulnerable to the same sort of attacks and worse.

[rsx11m]

FYI: Mozilla intends to deprecate SSLv3 with 39.0 (meaning, remove the code supporting it entirely rather than just disabling it by default), given that there is an IETF standards draft already requesting it to be retired. Thus, TLS 1.0 would be the minimum version allowed to be in compliance with the standard (hence website providers will finally have to upgrade their servers).

[trolly]

I think I read that Google is doing the same with Chrome.

[rsx11m]

Unless they port that patch to the 38.0 ESR branch, it would be the fallback solution for anybody still needing SSL 3.0 for whatever reason (at least as long as that extended-support branch lasts).

[therube]

A major supplier

URL to the website?

[rsx11m]

I think I read that Google is doing the same with Chrome.

Makes sense, the draft is co-authored by people from both Mozilla and Google.

[JayhawksRock]

I think I read that Google is doing the same with Chrome.

Makes sense, the draft is co-authored by people from both Mozilla and Google.

Also read that Google is going to 'downgrade' sites in search rank that do not upgrade their security..