MozillaZine

Firefox 57 blocks a number of https sites

Discussion about official Mozilla Firefox builds
Pim

Posts: 2200
Joined: May 17th, 2004, 2:04 pm
Location: Netherlands

Post Posted August 17th, 2017, 12:03 am

Some of the sites I'm maintaining no longer show up in Firefox 57.
I get the error

Secure Connection Failed

The connection to (site name) was interrupted while the page was loading.

• The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
• Please contact the website owners to inform them of this problem.

Learn more…

☐ Report errors like this to help Mozilla identify and block malicious sites

And since I'm one of the website owners, I'd like to know what I can do to solve it!

Some testing shows that
- The security certificates are not expired.
- Other sites with similar certificates (both from the same issuer, using sha256, 2048 bit keys etc) still function OK.
- The website shows up fine in Firefox 56 (the current Developer Edition), as well as all other browsers I tried (Chrome, IE, Edge).
- The problem occurs both in the Windows and Linux versions, with the 32 bit and 64 bit nightlies, and in SeaMonkey 2.54, so it's not a bug in one particular nightly.

Then what can I do now? How can I ascertain what exactly FF57 is choking on?
If, as this page hints, the websites are using "out-dated (no longer secure) TLS mechanisms in an attempt to secure your connection", how can I find out which TLS mechanism is used, so that I can tell my CA to give me more up-to-date certificates?
I know that older SSL methods are being phased out, so that could be it.
Or is it a bug after all? I tried searching Bugzilla, but nothing recent came up, nothing that explained the differences between Gecko 56 and 57. This page is still empty too.
So what to do?
Groetjes, Pim

TheVisitor
 
Posts: 4454
Joined: May 13th, 2012, 10:43 am

Post Posted August 17th, 2017, 1:57 am

A link to one of the sites you're seeing the error page on would help.

Alice0775

Posts: 2577
Joined: October 26th, 2007, 11:25 pm
Location: OSAKA JPN

Post Posted August 17th, 2017, 2:56 am

Mozilla disables 3DES encryption for Nightly.

Ref: #1386754 [Core:Security: PSM]-Disable 3DES in TLS Handshake for Nightly builds [All]

Pim

Posts: 2200
Joined: May 17th, 2004, 2:04 pm
Location: Netherlands

Post Posted August 18th, 2017, 3:53 am

Thanks for letting me know what to look for.

Of course now I know the correct search phrase, I can see that it's been discussed before on this site. I missed that, because the text of the error message was different. Oh well.

So the solution, at least for now, is to set the security.ssl3.rsa_des_ede3_sha setting to true. Naturally the long term solution is to not use certificates with 3DES ciphers any more!
But now I'm not sure when 3DES support will be dropped altogether. The Bugzilla comment thread doesn't make that very clear. Can anyone provide me with a definitive version number?
Groetjes, Pim

Virtual_ManPL

Posts: 1913
Joined: July 24th, 2008, 5:52 am

Post Posted August 18th, 2017, 5:29 am

@ Pim - The date for deprecation of the 3DES cipher is not established yet, see Bug 1227524 - Establish deprecation date for 3DES.
Virtualfox persona

Are you ready for deprecation of XUL & XBL & XPCOM extensions? Not?! Try Firefox ESR

johnp_
 
Posts: 123
Joined: March 7th, 2011, 11:22 am

Post Posted August 18th, 2017, 7:14 am

Pim wrote: Naturally the long term solution is to not use certificates with 3DES ciphers any more!

I just want to clear this up: Certificates are not using 3DES (a cipher), but usually SHA-2 (a hash; SHA-1 is being phased out and may cause a certificate to not be accepted).
This change causes the connection to fail due to a cipher mismatch and should only cause issues in two situations:

1. The server only supports the 3DES cipher(s) (which usually is a configuration issue; any half-modern crypto-library supports AES)
2. The server would have chosen 3DES, but due to Firefox not accepting 3DES now, a buggy fallback path is taken (e.g. another cipher that is implemented incorrectly by the server)
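
Added example, not part of any post in this thread: a Python sketch of the two situations listed above, comparing what a server negotiates with a client that still offers 3DES and with one that no longer does. The suite lists are constructed sample data in OpenSSL naming, the function names are hypothetical, and server-preference ordering is an assumption (some servers honour the client's order instead); `probe` is the live check a site owner can run against their own host.

```python
import socket
import ssl

def is_3des(name):
    """True for OpenSSL (DES-CBC3) or IANA (3DES_EDE) names of 3DES suites."""
    n = name.upper()
    return "DES-CBC3" in n or "3DES" in n

def negotiate(server_prefs, client_offer):
    """Model server-preference selection: first server suite the client offers."""
    offered = set(client_offer)
    return next((s for s in server_prefs if s in offered), None)

def audit(server_prefs, client_offer):
    """Compare the handshake result with and without 3DES in the client offer."""
    before = negotiate(server_prefs, client_offer)
    after = negotiate(server_prefs, [c for c in client_offer if not is_3des(c)])
    if after is None:
        verdict = "fails: no common suite once the client drops 3DES"
    elif before != after:
        verdict = "changes: server preferred 3DES, now falls back"
    else:
        verdict = "unaffected"
    return before, after, verdict

def probe(host, port=443, timeout=5.0):
    """Live check: protocol version and suite negotiated with a real server.
    Needs network access; current OpenSSL builds usually omit 3DES as well,
    so a 3DES-only server raises ssl.SSLError here too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

# Constructed sample data (OpenSSL suite names), not taken from the thread.
CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DES-CBC3-SHA"]
SERVERS = {
    "legacy-3des-only": ["DES-CBC3-SHA"],                # situation 1
    "prefers-3des": ["DES-CBC3-SHA", "AES128-SHA"],      # fallback path, situation 2
    "modern": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"],
}

if __name__ == "__main__":
    for name, prefs in SERVERS.items():
        print(name, audit(prefs, CLIENT))
```

A "changes" verdict marks a server whose fallback suite has probably never been exercised by real clients, which is where the second situation would surface.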
