MozillaZine

3.0b5 error when accessing SSL site using altname

Discussion about official Mozilla Firefox builds
jondaley
 
Posts: 1
Joined: April 22nd, 2008, 11:33 am
Location: Pittsburgh, PA

Post Posted April 22nd, 2008, 11:39 am

If I view the page below and hit reload using Firefox 3.0b5, I get intermittent errors.

Sometimes it works fine.

Sometimes the CSS stylesheet isn't loaded without any reported errors on the client or server.

Sometimes I get "page load error"
An error occurred during a connection to limedaley.com.
SSL received an unexpected Change Cipher Spec record.
(Error code: ssl_error_rx_unexpected_change_cipher)


https://limedaley.com/webmail/

I originally experienced this with a site that uses completely different altnames and common names, and read about the http://test.eonis.net/ exploit, so I thought perhaps those certificates weren't supported any more. However, after replicating it on limedaley.com, which uses a *.limedaley.com as the common name, and limedaley.com in the altname, it seems like that should be supported, yes?

Ted Mielczarek
 
Posts: 1269
Joined: November 5th, 2002, 7:32 am
Location: PA

Post Posted April 24th, 2008, 11:41 am

I asked Kai Engert about this, and he filed bug 430703 on this issue. Thanks for the info!

joshland
 
Posts: 1
Joined: April 24th, 2008, 3:36 pm

Post Posted April 24th, 2008, 3:37 pm

Chip Parker, a really nice guy, recommended disabling TLS support for the webserver SSL, or turning it off in Firefox:

I use nginx, hence his nginx-specific hint. This can be done in Apache too.

"
in nginx conf:
ssl_protocols SSLv3;

OR, in ff3b5, disable TLSv1 (tools -> options -> advanced -> encryption)
"

kaie
 
Posts: 5
Joined: April 24th, 2008, 4:36 pm

Post Posted April 24th, 2008, 4:38 pm

Latest info in the bug suggests it's related to a new feature in FF 3, named TLS Session Ticket Extension, and happens with servers that do support that extension.

Can you please try to disable the feature and give feedback whether it helps?
- go to about:config
- filter display by typing: tls
- change the value for "security.enable_tls_session_tickets" to false
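
Added example, not part of the original thread and not Firefox or OpenSSL code: when triaging a handshake failure like this one from a packet capture, it helps to confirm whether the client offered and the server accepted the session ticket extension (type 35 in RFC 5077). The function names and the sample records below are constructed for illustration.

```python
import struct
SESSION_TICKET = 35  # SessionTicket TLS extension type (RFC 5077)

def hello_extensions(record: bytes) -> dict:
    """Map extension type -> data for one TLS record holding a Client/ServerHello."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    msg_type, body_len = record[5], int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if msg_type not in (1, 2) or len(body) != body_len:
        raise ValueError("not a complete ClientHello/ServerHello")
    exts = {}
    try:
        pos = 2 + 32                          # version + random
        pos += 1 + body[pos]                  # session_id
        if msg_type == 1:                     # ClientHello
            pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
            pos += 1 + body[pos]              # compression_methods
        else:                                 # ServerHello
            pos += 3                          # cipher_suite + compression_method
        if pos == len(body):                  # hello without an extensions block
            return exts
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        if end > len(body):
            raise ValueError("extensions overrun the hello")
        pos += 2
        while pos < end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            exts[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated hello") from exc
    return exts

def tickets_negotiated(client_hello: bytes, server_hello: bytes) -> bool:
    """True when the client offered and the server accepted session tickets."""
    return all(SESSION_TICKET in hello_extensions(h) for h in (client_hello, server_hello))

# Constructed samples (TLS 1.0, empty session_id), not captured traffic.
def build_hello(msg_type: int, middle: bytes, exts: list) -> bytes:
    blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = (b"\x03\x01" + bytes(32) + b"\x00" + middle
            + (struct.pack("!H", len(blob)) + blob if exts else b""))
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SNI = b"\x00\x10\x00\x00\x0d" + b"limedaley.com"   # server_name extension data
CLIENT_HELLO = build_hello(1, b"\x00\x02\x00\x2f\x01\x00", [(0, SNI), (35, b"")])
SERVER_HELLO_TICKETS = build_hello(2, b"\x00\x2f\x00", [(35, b"")])
SERVER_HELLO_PLAIN = build_hello(2, b"\x00\x2f\x00", [])
```

With security.enable_tls_session_tickets set to false, the ClientHello would no longer carry extension 35, so tickets_negotiated() returns False for that connection regardless of what the server supports.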

kaie
 
Posts: 5
Joined: April 24th, 2008, 4:36 pm

Post Posted May 2nd, 2008, 10:35 am

Nagendra tracked this down, it's an OpenSSL bug.
Please read comments 9 and 10 in bug 430703 for details and possible workarounds.
