3.0b5 error when accessing SSL site using altname

jondaley
Posts: 1
Joined: April 22nd, 2008, 11:33 am
Location: Pittsburgh, PA

3.0b5 error when accessing SSL site using altname

Post by jondaley »

If I view the page below and hit reload using Firefox 3.0b5, I get intermittent errors.

Sometimes it works fine.

Sometimes the CSS stylesheet isn't loaded, without any reported errors on the client or server.

Sometimes I get "page load error"
An error occurred during a connection to limedaley.com.
SSL received an unexpected Change Cipher Spec record.
(Error code: ssl_error_rx_unexpected_change_cipher)


https://limedaley.com/webmail/

I originally experienced this with a site that uses completely different altnames and common names, and read about the http://test.eonis.net/ exploit, so I thought perhaps those certificates weren't supported any more. However, after replicating it on limedaley.com, which uses *.limedaley.com as the common name and limedaley.com in the altname, it seems like that should be supported, yes?
Ted Mielczarek
Posts: 1269
Joined: November 5th, 2002, 7:32 am
Location: PA

Post by Ted Mielczarek »

I asked Kai Engert about this, and he filed bug 430703 on this issue. Thanks for the info!
joshland
Posts: 1
Joined: April 24th, 2008, 3:36 pm

Disable TLS to fix this

Post by joshland »

Chip Parker, a really nice guy, recommended disabling TLS support for the webserver SSL, or turning it off in Firefox:

I use nginx, hence his nginx-specific hint. This can be done in Apache too.

"
in nginx conf:
ssl_protocols SSLv3;

OR, in ff3b5, disable TLSv1 (tools -> options -> advanced -> encryption)
"
kaie
Posts: 5
Joined: April 24th, 2008, 4:36 pm

Post by kaie »

Latest info in the bug suggests it's related to a new feature in FF 3, named TLS Session Ticket Extension, and happens with servers that do support that extension.

Can you please try to disable the feature and give feedback whether it helps?
- go to about:config
- filter display by typing: tls
- change the value for "security.enable_tls_session_tickets" to false
kaie
Posts: 5
Joined: April 24th, 2008, 4:36 pm

Post by kaie »

Nagendra tracked this down; it's an OpenSSL bug.
Please read comments 9 and 10 in bug 430703 for details and possible workarounds.
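
An added example, not code from this thread or from bug 430703: a server that supports the TLS Session Ticket Extension mentioned above echoes an empty SessionTicket extension (type 35, RFC 5077) in its ServerHello when the client offered it, so a captured ServerHello shows whether a given server advertises it. The function names are hypothetical and the sample records are constructed, not real captures.

```python
import struct

SESSION_TICKET = 35  # SessionTicket TLS extension type (RFC 5077)

def server_hello_extensions(record: bytes) -> list:
    """Return the extension type numbers in a TLS record that starts with a ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != 22 or len(body) < 4 or body[0] != 2:
        raise ValueError("not a handshake record carrying a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(body) != rec_len or len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    # Skip server_version(2), random(32), session_id, cipher_suite(2), compression(1).
    pos = 34 + 1 + hello[34] + 2 + 1
    if pos == len(hello):
        return []  # no extensions block at all
    if pos + 2 > len(hello):
        raise ValueError("truncated ServerHello")
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    if end > len(hello):
        raise ValueError("extensions overrun the ServerHello")
    types = []
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4 + ext_len
        if pos > end:
            raise ValueError("extension overruns the extensions block")
        types.append(ext_type)
    return types

def advertises_session_tickets(record: bytes) -> bool:
    return SESSION_TICKET in server_hello_extensions(record)

def build_sample(extensions: bytes) -> bytes:
    """Constructed TLS 1.0 ServerHello record for the demo (not a real capture)."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        hello += len(extensions).to_bytes(2, "big") + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    print(advertises_session_tickets(build_sample(b"\x00\x23\x00\x00")))
    print(advertises_session_tickets(build_sample(b"")))
```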