
"An error occurred during a connection to www.youtube.com" because "client downgraded to a lower TLS version than the server supports". What?

  • 8 replies
  • 125 have this problem
  • 172 views
  • Last reply by Doobleshaft


On Fedora 20 with firefox-35.0-2.fc20.x86_64 (Build date: Tue 13 Jan 2015 13:47:48 CET)

Since very recently (like, yesterday - firefox was updated yesterday).

Connection to https://www.youtube.com fails because:

"An error occurred during a connection to www.youtube.com.

The server rejected the handshake because the client downgraded to a lower TLS version than the server supports. (Error code: ssl_error_inappropriate_fallback_alert) mozilla"

This is shown on redirection via youtu.be for example. Connection to the youtube front page fails after a minute of work.

Can I see the TLS protocol exchange somewhere?

From a Fedora 20 VM using firefox-34.0-1.fc20.x86_64, things work. Connection Encrypted: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 128 bit keys"

I also noticed on that connection to Microsoft OWA fails from time to time with no error warnings but with timeouts, which happens on no other machine. Suspicious.



All replies (8)

Followup: it works intermittently though, but may take a LONG time to load. Tried with empty history and cache cleared with the "emptycache" addon, which does not help. If it works, then the TLS suite is "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 128 bit keys" (come on Mozilla, this string should be copyable, not a bitmap...)


Also tried with NoScript disabled. Doesn't work any better. You can actually see the youtube front page sometimes getting stuck in a half-formatted mode. Maybe it really is Google and it's just the error message that is wrong.

Can you check in about:config that all the settings starting with security.ssl/tls are on their default value (=not shown in bold)?


Looks like all is at the default except the [keyupdatetime]

The YouTube situation is unchanged. Also tried to connect to "https://www.google.de" -- The initial connection is superslow but after that zoom around works nicely.


Tried to gradually downgrade the TLS protocol to SSLv3 (which is vulnerable to Poodle of course) according to

security.tls.version.(min|max)

Originally at

security.tls.version.max = 3 ("TLS 1.2 is the maximum supported")
security.tls.version.min = 1 ("TLS 1.0 is the minimum required")

Then set

security.tls.version.min = 0 ("SSLv3 is the minimum required")

And reduced

security.tls.version.max

from 3 to 0.

Basically to no avail, forcing to SSLv3 using (0,0) didn't help (except that LastPass complains that it cannot connect to the server, which is as it should be)

With (3,1) got the downgrade error again.

Set to (3,3) instead. Loading the YouTube front page takes practically exactly 100s with ~0 traffic on the interface, but it loads.

Forcing TLS 1.2 is interesting in its own right. Amazon Web Services doesn't work with that. MUAH!!

Could it be that a slow/unresponsive YouTube causes the browser to complain about the TLS negotiation?

Modified by DasBughunter
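
Added example, not part of the original thread and not Mozilla's code: a simplified Python model of a client's version-fallback retry and the server-side TLS_FALLBACK_SCSV check (RFC 7507). It shows why the (max, min) setting (3,1) can end in ssl_error_inappropriate_fallback_alert while (3,3) cannot. The function names and the `first_attempts_lost` parameter are hypothetical; version numbers follow the security.tls.version.* values quoted above.

```python
# Simplified model of RFC 7507 downgrade protection (added illustration).
# Versions use the security.tls.version.* numbering from the thread:
# 0 = SSLv3, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2.
TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86       # alert description (RFC 7507)
ECDHE_ECDSA_AES128_GCM = 0xC02B   # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

def server_respond(offered_version, cipher_suites, server_max=3):
    """Server side: refuse a fallback retry below what the server supports."""
    if TLS_FALLBACK_SCSV in cipher_suites and offered_version < server_max:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("server_hello", min(offered_version, server_max))

def client_connect(vmin, vmax, first_attempts_lost=0, server_max=3):
    """Client side: after a failed handshake, retry one version lower.

    first_attempts_lost models handshakes that never complete (timeout,
    reset) for reasons unrelated to TLS versions. It is an assumption used
    to reproduce the symptom, not a diagnosis of the poster's system.
    """
    log = []
    version = vmax
    while version >= vmin:
        suites = [ECDHE_ECDSA_AES128_GCM]
        if version < vmax:
            # A retry below the client's maximum must carry the SCSV.
            suites.append(TLS_FALLBACK_SCSV)
        if first_attempts_lost > 0:
            first_attempts_lost -= 1
            log.append((version, "no response"))
            version -= 1
            continue
        kind, value = server_respond(version, suites, server_max)
        log.append((version, kind, value))
        return kind, value, log
    # No lower version is allowed, so there is nothing to fall back to.
    return "no_response", None, log

if __name__ == "__main__":
    for vmax, vmin in [(3, 1), (3, 3)]:
        print((vmax, vmin), client_connect(vmin, vmax, first_attempts_lost=1))
```

With one lost first handshake, (3,1) retries at TLS 1.1 with the SCSV and receives alert 86 from a TLS 1.2 server, while (3,3) has no lower version to retry and only sees the stalled connection.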


Boot the computer in Windows Safe Mode with network support (press F8 on the boot screen) as a test.

Chosen solution

Well, that's not going to work because this is a Fedora 20.

Also tried with add-ons disabled to no avail.

But you know what fixed it? Rebooting the whole system.

There seems to be something that gums up a long-running system, even with browser restarts in between. Note that running firefox from a VM on the gummed-up primary system does not exhibit the problem. Really weird.


DasBughunter said

Tried to gradually downgrade the TLS protocol to SSLv3 (which is vulnerable to Poodle of course) according to Security.tls.version.(min|max) Originally at security.tls.version.max = 3 ("TLS 1.2 is the maximum supported") security.tls.version.min = 1 ("TLS 1.0 is the minimum required") Then set security.tls.version.min = 0 ("SSLv3 is the minimum required") And reduced security.tls.version.max from 3 to 0. Basically to no avail, forcing to SSLv3 using (0,0) didn't help (except that LastPass complains that it cannot connect to the server, which is as it should be) With (3,1) got the downgrade error again. Set to (3,3) instead. Loading the YouTube front page takes practically exactly 100s with ~0 traffic on the interface, but it loads. Forcing TLS 1.2 is interesting in its own right. Amazon Web Services doesn't work with that. MUAH!! Could it be that a slow/unresponsive YouTube causes the browser to complain about the TLS negotiation?

I've been having problems with secure sites for a few weeks and I've tried on all affected computers removing all traces of Firefox and installing with no addons and still this problem happened.

This information though was the trigger to find the fix. I found that the default values had been changed so I have set the following which appeared to be default:

security.tls.version.max;3
security.tls.version.min;1

Not sure why they were changed apart from just one possible cause. I use BitDefender Internet Security and maybe this changed the security settings here? It does prompt for Firefox to be closed for a setting to be changed. All other browsers worked perfectly though so it is Firefox specific.

Now I'm wondering if I test on Ubuntu or Fedora will the same issue occur with the latest Firefox as it hasn't happened before 35.0.1