MozillaZine

Fx 52.8 ESR Secure connection fails at cbs.com?

User Help for Mozilla Firefox
Scarlettrunner20

User avatar
 
Posts: 1010
Joined: February 13th, 2003, 5:06 pm

Post Posted June 3rd, 2018, 10:39 pm

I get "secure connection failed" when I try to access https://www.cbs.com/. I've been to the website many times in the past with no problems but it has been awhile since I went there on Fx. I can reach the site on other browsers (including Basilisk forked off of Fx 52).

I don't have some weird setting for tls preferences in about:config. I can't imagine why Fx thinks cbs.com is trying to use outdated tls or ssl.

Benjamin Markson

User avatar
 
Posts: 358
Joined: November 19th, 2011, 3:57 am
Location: en-GB

Post Posted June 4th, 2018, 1:18 am

Scarlettrunner20 wrote:I get "secure connection failed" when I try to access https://www.cbs.com

Works for me but clutching at straws...

The only intermittent failures I get on otherwise good secure sites are down to using the Query OCSP responder servers option: security.OCSP.enabled;1 (default). I also have security.OCSP.require;true which is not the default.

The OCSP servers sometimes go AWOL - indeed, that seems to be their Achilles Heel. In which event you can try toggling off the option. It appears in Options under the Advanced Certificates section.

Ben,
XUL is dead. Long live the Google Chrome Clones.

Scarlettrunner20

User avatar
 
Posts: 1010
Joined: February 13th, 2003, 5:06 pm

Post Posted June 4th, 2018, 4:23 am

I tried all that. I still cannot get to cbs.com. I wonder if it could be an extension?
Ok, tried safe mode and still cannot get to cbs.com. UGH.

therube

User avatar
 
Posts: 18912
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted June 4th, 2018, 5:22 am

(Even though I wouldn't think it should matter...) are you using FF 52 or 52 ESR (& the current ESR at that)?

As a test, create a new, clean Profile, open www.cbs.com & ... ?

Might you have an antivirus interfering?


Troubleshoot the "Secure Connection Failed" error message
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

Scarlettrunner20

User avatar
 
Posts: 1010
Joined: February 13th, 2003, 5:06 pm

Post Posted June 4th, 2018, 7:30 pm

The title of my thread states "Fx52.8 ESR". As for antivirus, I use Windows Defender.

I hate getting old as just today is this whole issue finally coming back to me.

The problem is that CBS.com does NOT use "secure renegotiation" during the handshake (and Qualys reduces their score to an A- because of this).
https://blog.qualys.com/ssllabs/2010/10 ... ot-a-fix-2

Firefox has a bugzilla report regarding this and I remember now that I couldn't even access bugzilla using Fx several years ago because of this issue. https://bugzilla.mozilla.org/show_bug.cgi?id=555952

According to that bug it was fixed years ago but I remember now it is NOT fixed. The ONLY way I can access CBS.com on Fx 52 ESR on two different profiles on Windows 8 and one profile on Windows 10 is to change my setting in about:config "security.ssl.require_safe_negotiation;true" to FALSE. That allows what Fx considers to be BROKEN SSL at CBS.com to be acceptable.

There is NOTHING wrong (as seen by Qualys SSL check) with CBS.com security but because CBS chose to not fix their server to use secure renegotiation but instead LAZILY just turned off renegotiation that triggers this problem on Fx. It triggers it on SeaMonkey also and on the old Opera 12.18.

Basilisk doesn't have this problematic preference so it has no problems getting to CBS and doesn't think the security is broken at the site like Fx does if I change that preference to False.

Logically, I should be able to allow the insecure preference setting ONLY for CBS.com but I don't know how to do it.

I wonder if this preference is in Fx 60?

therube

User avatar
 
Posts: 18912
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted June 5th, 2018, 4:17 am

I wonder if this preference is in Fx 60?


Sure does, with the same result, "Secure Connection Failed".


security.ssl.require_safe_negotiation
Current default value: false

This pref controls the behaviour during the initial negotiation between client and server.

If set to true, a Mozilla client will reject all connection attempts to servers that are still using the old SSL/TLS protocol and which might be vulnerable to the attack.

Setting this preference to “true” is the only way to guarantee full protection against the attack. Unfortunately, as of time of (initial) writing, this would break nearly all secure sites on the web. (Update: As of December 2010, this still applies for a majority of web sites.)

Eventually, if enough sites have been upgraded to the new protocol versions, this preference will be set to “true” by default.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

Grumpus

User avatar
 
Posts: 11944
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Post Posted June 5th, 2018, 5:04 am

Maybe someone edited the site recently.
The W3C Validator shows 112 errors and 35 warnings W3C Validation specs
Page loads really slow and I had nothing blocked in NoScript or otherwise.
Might not have anything to do with Firefox.

MarkRH

User avatar
 
Posts: 1239
Joined: September 12th, 2007, 2:30 am
Location: Oklahoma City, OK

Post Posted June 5th, 2018, 2:04 pm

I guess security.ssl.require_safe_negotiation has a default value of false. Why I never had an issue there. Not sure there is a UI option that changes the setting. Nothing I do in the Privacy and Security settings changes it.

Well, I guess it's nice to know my websites still work when I set that to true.

4td8s
 
Posts: 602
Joined: June 24th, 2009, 1:07 pm

Post Posted June 7th, 2018, 9:58 am

CBS.com site working fine for me using FF 60 ESR. also security.ssl.require_safe_negotiation value is "false" by default using a clean user profile
local CBS TV station in SoCal where I live is KCBS2

Return to Firefox Support


Who is online

Users browsing this forum: No registered users and 7 guests