Unable to connect to internal SSL sites with unknown CA's after 36.0 update.
Last week my browser auto-updated to version 36.0 and I am now no longer able to connect to certain internal corporate websites. These sites either have self-signed certs, or certs signed by an internal CA. They do not use certs signed by publicly known "trusted" CA's.
For example, one of the errors that I receive is below:
Secure Connection Failed An error occurred during a connection to [HOST]:[PORT]. SSL peer rejected a handshake message for unacceptable content. (Error code: ssl_error_illegal_parameter_alert)
Although a warning message is received in IE or Chrome we are given the option to proceed and the site opens correctly, despite those browsers also indicating that the servers cert is not trusted.
I have added the internal CA's cert to the Authorities tab in the Firefox Certificate Manager, but am still not able to connect to the internal site.
Firefox allows me to accept some incorrect certs (or at least it did in the past), why is this not the default behavior with *all* certificate related problems? I realize that there are malicious sites out there, but there are also internal ones that are being blocked as well. Is there a config option that can be set so a user is prompted for all cert errors and they can decide to proceed if desired instead of just being blocked from the site? I understand blocking by default, but there also needs to be a way to proceed for advanced users.
Are there any configuration options to loosen the cert standards for sites? All other sites seem to load properly and otherwise there are no problems with the browser.
Sorry if this is the wrong place to post, I wasn't sure where to.
Thanks for any assistance!
-Beaty
All Replies (20)
This should go into detail of what configurations were added in this version:
guigs2 said
This should go into detail of what configurations were added in this version:
Thanks, but this doesn't really help.
The certificate in use on this server is 2048 bits. I think that the problem stems from the cert being signed by an internal CA rather than a public one.
What I really want to be able to do is proceed to the site even though Firefox doesn't like the CA or perceived problems with the cert. The browser should give me an option to continue even if it doesn't like the security used. I realize that it is trying to protect users from malicious sites, but this is not the case. Is there a config option that can be enabled to relax the SSL requirements?
I did have server exceptions for the certificates in question.
Unless there is a config option that I can set, then it looks like my only option would be to downgrade to 35, which I don't really want to do.
Install your CA certificate in Firefox. preferences --> advanced --> Certificates --> View Certificates --> Authorities --> Import
Tried that before posting, sorry for not mentioning it. Still the same error:
Secure Connection Failed
An error occurred during a connection to [HOST]. SSL peer rejected a handshake message for unacceptable content. (Error code: ssl_error_illegal_parameter_alert)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
The only thing that's changed between the two is the recent browser update.
What AV software are you using?
McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.8 with the 05-Mar DAT's. SiteAdvisor Enterprise is also installed but it isn't enabled though.
I receive a cert error and can still connect to the site in IE & Chrome, but would prefer to use FF since that is what I use for the majority of my browsing.
BeatyMcCloud trɔe
Have you tried with everything disabled in McAfee?
If it doesn't work use this instructions: https://stackoverflow.com/questions/21024526/ssl-error-illegal-parameter-alert
Hmm, I hadn't tried disabling McAfee, but after doing so the result is the same.
I had previously lowered the TLS Security config options to 0 as outlined in the Stack Overflow link and that didn't help either.
I am connected to the corporate network through a VPN, but we do not use a proxy.
The SO link got me to thinking though, could this be a problem with the cipher used? Looking at the cert details in IE it indicates that the version is V3 and the algorithm and hash are sha1RSA and sha1, respectively.
Is there a way to get debugging information for the HTTPS request?
You could test your website/server here: https://www.ssllabs.com/ssltest/
Unfortunately it's an internal server that is not accessible from the outside. Do you happen to know if there is a F/OSS app that will do the same thing which I can run from an internal system? I wasn't able to find one.
How much servers do you have?
What web server software are they running (Apache, Nginx...)?
I'm not sure what web server is actually being used; the machine is an RSA Two-Factor Authentication Manager. I suspect that it is Apache based.
I was able to run an SSL/TLS Capabilities test of the browser from the SSL Labs site and even though I had set the TLS Security config options to 0 it doesn't look like the protocols are enabled for use.
TLS 1.2 Yes TLS 1.1 No TLS 1.0 No SSL 3 No SSL 2 No
What about Cipher Suites?
See also:
I think that SSLeuth would give me exactly what I need but unfortunately the page never loads because of the SSL Error. I am looking to see if there is a similar add-on for Chrome.
Using the SSL Labs browser test [1] though, it looks like the only version supported is TLS 1.2 Could firefox not be falling back to SSL3? I've set the security.tls.version. min & fallback to 0 so would expect it to.fall back to these but now I'm not sure if it is.
@mimi89999, I don't have open SSL installed but will do so and give connecting with that a try and report back.
Thanks to everyone for their suggestions, they are greatly appreciated!
Slowly getting there!
-Beaty
You could try to set security.tls.version.max to a lower value to see what happens.
0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, 3 means TLS 1.2 etc.
Check to make sure the cypher is allowed as well: https://wiki.mozilla.org/Security/Server_Side_TLS
First, sorry for the delay in responding, things have been crazy here lately.
Secondly, here is the output from openSSL for connecting to the server:
OpenSSL> s_client -connect qrsa01.qnao.net:443 Loading 'screen' into random state - done CONNECTED(00000180) depth=1 CN = RSA root CA for qrsa01.qnao.net, serialNumber = 15702a01a563d5b8f2b a65250ad81947eef537554eae2320efed2159a8193bd5 verify error:num=19:self signed certificate in certificate chain --- Certificate chain
0 s:/CN=qrsa01.qnao.net/serialNumber=3b444eeb8355fb2b5b686d03ce1c0a61cd3552a184
001b9564700f7cebcbe9f0
i:/CN=RSA root CA for qrsa01.qnao.net/serialNumber=15702a01a563d5b8f2ba65250a
d81947eef537554eae2320efed2159a8193bd5
1 s:/CN=RSA root CA for qrsa01.qnao.net/serialNumber=15702a01a563d5b8f2ba65250a
d81947eef537554eae2320efed2159a8193bd5
i:/CN=RSA root CA for qrsa01.qnao.net/serialNumber=15702a01a563d5b8f2ba65250a
d81947eef537554eae2320efed2159a8193bd5 --- Server certificate
BEGIN CERTIFICATE-----
MIIDdDCCAlygAwIBAgIQYNRTnyH83tfcpTKMxP2kbTANBgkqhkiG9w0BAQUFADB1 MSgwJgYDVQQDDB9SU0Egcm9vdCBDQSBmb3IgcXJzYTAxLnFuYW8ubmV0MUkwRwYD VQQFE0AxNTcwMmEwMWE1NjNkNWI4ZjJiYTY1MjUwYWQ4MTk0N2VlZjUzNzU1NGVh ZTIzMjBlZmVkMjE1OWE4MTkzYmQ1MB4XDTEzMTExMTIxMTcwMloXDTMzMTExMjIx MTcwMlowZTEYMBYGA1UEAwwPcXJzYTAxLnFuYW8ubmV0MUkwRwYDVQQFE0AzYjQ0 NGVlYjgzNTVmYjJiNWI2ODZkMDNjZTFjMGE2MWNkMzU1MmExODQwMDFiOTU2NDcw MGY3Y2ViY2JlOWYwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwgkK Lx1fAgNJsejbev9HP/j6I1quZH3oH4mQ5sy/Hx/F2yWXnf0vUFjclP8swte3OFA+ +okNqESCUDTZYHA4b3GCJDbzLKTWXOZ9GuZ8f2xAGbTYNEVdzTD2io0HBVwvd0O/ XGYn1vF1J+PghKJq40fQgdvVSJ2ZKeFc8U1yBRrEbL7/9XG7cgQxMkyzwdaWUg8k 9aGWn7ajSduJqYAb0NFbycZyY9JqKLRaI+L4bUyZZSUiDNV08dzPca7zDlA/G26K mVfxdnQDp5sX6x7LMUDfo25gJVHOB7bp25/XCSASWBKG0BQx+Snl/mPmiY+00B6l PTjyV4h3j2e4o255rQIDAQABoxAwDjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEB BQUAA4IBAQCdUBdHPPmMzArZ8w5+FLoOo6VFA1gNDtOa+YDpt1H5K/ki0lO49W2v vKDPC6J60gTnvwtNe7zT2l6QIEf/k1Ene+ZvWFmOW1Eco2cWnXaxEmbb3L1uxvid 6vMCWscKvbo0LRLrskAWhzionoziGazkt8XqM7prmlroH7n9keLyIFRFhbzSYKhp q3Zd2Ys/7AFzwIGymTe8MncU1bYw5vYl5hvy8KR8t+qqz/DNBXDCQ2FPpEK9SWrT 7LF7iPrrCi0Zd8gSFkcCWWojCcOpk+FKU3Lo3geURvNypNZMihenuWPoTSn+PCE/ vJZCWnp7n2DDeDOBmNvaV2K2R5w81+xN
END CERTIFICATE-----
subject=/CN=qrsa01.qnao.net/serialNumber=3b444eeb8355fb2b5b686d03ce1c0a61cd3552a 184001b9564700f7cebcbe9f0 issuer=/CN=RSA root CA for qrsa01.qnao.net/serialNumber=15702a01a563d5b8f2ba6525 0ad81947eef537554eae2320efed2159a8193bd5 --- No client certificate CA names sent --- SSL handshake has read 1948 bytes and written 675 bytes --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session:
Protocol : TLSv1.2 Cipher : RC4-SHA Session-ID: 550194FCFA9BE4A1060430A13EBA67B9EBD793485253412053534C4A20202020
Session-ID-ctx: Master-Key: F1FD3AB4846FBC14D35EB7BBAFF8704821940DDE5A0549519A0AFF2EC8CAF245
08DCAA6D4F9FB1D125664FC7BFE87E95
Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1426167036 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain)
--- read:errno=0 OpenSSL>
I had already set the tls.security.version.min to 0, so would have expected to be able to connect.
At this point it seems like the problem is that we are using an internal CA to sign the cert for this server, but Firefox won't allow me to proceed despite this. Is there an option that I can set to have firefox prompt on all certificate issues and give me the option to proceed anyways?
Any other thoughts/suggestions?