Firefox 35.0 is reporting SSLv3 security errors on site not using SSLv3; when will you fix this?
I was right in the middle of a transaction on chaseonline when Firefox kicked me out and showed a page regarding SSLv3 security issues. When I booted this morning the Firefox version was 34.0.5; after this happened the Firefox version was 35.0. I did SSL site testing and that site is not using the SSLv3 protocol. See link below:
https://www.ssllabs.com/ssltest/analyze.html?d=chaseonline.chase.com
I have been using version 34 and higher for quite a while and have not had any problems accessing the chaseonline website until version 35 was installed.
I have not restarted the browser since this happened but my guess is the problem will continue. When will this be addressed?
All Replies (6)
Hi safoxusr, it is rather unlikely that Firefox will show this alert in error. Maybe chaseonline.chase.com was redirecting you to another domain during the transaction - can you note the exact domain the next time this happens? Also, which security program are you using?
Chosen Solution
Thanks for the quick reply.
The website was not trying to redirect, I was typing in a secure mail message at the time.
I tried several times to re-login to my account and only got the generic message page about Firefox not being able to securely access the site because of SSLv3 issues. During this time I never got past this point trying to log in to the site.
During this time I now realize the browser was stuck between versions (34.0.5 and 35). Although I still don't know why 34.0.5 threw up this error when I had been using it for quite a while, I was able to resolve the problem by closing and restarting my browser.
In other words I am now able to access the chase website without errors.
This is the reason I rarely, if ever, allow software to auto-magically update itself in the background. I will be turning this off and installing updates manually.
Thanks for your comments and feedback!
Sa
Starting with Firefox 34.0, the vulnerable SSL 3.0 has been disabled and TLS 1.0 is the minimum used by default. https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
Do you have Avast? The https-scanning in Avast can actually make your connection less secure in some cases and cause problems like this. So if you have Avast, disable the https-scanning in Avast.
Modified by James
I have also been seeing this issue on several sites as well. One was Facebook. After getting the message screen, a refresh took me to the site without further issues. I am using Firefox 35.0.1 and the security software is McAfee. This only started after upgrading to the latest Flash Player release, if that helps.
Deleted - accidental dupe.
Modified by rivulus
Confirmed this is a bug - kind of. Firefox is displaying a misleading error message.
If SSLv3 protocol support is disabled on the server, commonly the SSLv3 cipher suite is removed as well. The SSLv3 cipher suite also happens to be the TLSv1 cipher suite.
I encountered this bug on a web server that was configured to only use TLSv1.2, with no SSLv3 ciphers supported.
The cipherlist on the server at the time of the error:
openssl ciphers -v 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4-SHA:RC4-MD5:RC4+RSA:RC4:+HIGH:!MD5:!aNULL:!EDH:!MEDIUM:!EXP:!LOW:!eNULL:!ADH:!SSLv2'
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
The protocol list at the time of the error:
SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 +TLSv1.2
ssllabs also confirmed the only offered protocol was TLSv1.2 - and this stopped Firefox in its tracks.
This is fine, Firefox couldn't fall back to a TLSv1/1.1 cipher, but the error message claiming that it was the server's fault and that the server was configured to provide SSLv3 was extremely... annoying.
The fix for this was to alter the cipher suite in use on the server to include the SSLv3 ciphers. SSLv3 the protocol is still disabled, but at least now Firefox 35 can successfully fall back to a TLSv1/1.1 cipher.
Cipher suite for those Google wanderers looking for a fix for this:
ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4-SHA:RC4-MD5:RC4+RSA:RC4:SSLv3:+HIGH:!MD5:!aNULL:!EDH:!MEDIUM:!EXP:!LOW:!eNULL:!ADH:!SSLv2
So it was an error, but the bug is the fact that Firefox is displaying the wrong error message.
Modified by nukemjoe
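The cipher-versus-protocol distinction in the post above, as an added example that is not part of the thread: it parses `openssl ciphers -v` lines and models suite selection for a TLSv1.2-only server. The client offer list, the client protocol set and the two `ADDED` lines are constructed assumptions, not Firefox 35's actual list or the poster's actual output.

```python
# Added example (not from the thread): cipher-suite overlap vs. protocol overlap.
PROTO_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# The two suites the post's `openssl ciphers -v` output lists.
BEFORE = """\
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
"""
# Constructed lines in OpenSSL 1.0.x style: two of the suites "SSLv3" adds.
ADDED = """\
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""
SERVER_PROTOCOLS = {"TLSv1.2"}  # from: SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 +TLSv1.2
# Hypothetical client (an assumption, not Firefox 35's real list).
CLIENT_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}
CLIENT_OFFER = {"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "AES128-SHA"}


def parse_ciphers(text):
    """Map suite name -> minimum protocol (column 2 of `openssl ciphers -v`)."""
    suites = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank lines
        if fields[1] not in PROTO_ORDER:
            raise ValueError(f"unknown protocol label: {fields[1]!r}")
        suites[fields[0]] = fields[1]
    return suites


def negotiate(server_suites, server_protocols, client_offer, client_protocols):
    """Return (version, suite); suite is None on cipher mismatch,
    and both are None when no protocol version is shared."""
    shared = [p for p in PROTO_ORDER if p in server_protocols and p in client_protocols]
    if not shared:
        return None, None
    version = shared[-1]  # highest version both sides enable
    for name, min_proto in server_suites.items():  # server preference order
        old_enough = PROTO_ORDER.index(min_proto) <= PROTO_ORDER.index(version)
        if name in client_offer and old_enough:
            return version, name
    return version, None


if __name__ == "__main__":
    print(negotiate(parse_ciphers(BEFORE), SERVER_PROTOCOLS, CLIENT_OFFER, CLIENT_PROTOCOLS))
    print(negotiate(parse_ciphers(BEFORE + ADDED), SERVER_PROTOCOLS, CLIENT_OFFER, CLIENT_PROTOCOLS))
```

In the second call an SSLv3-labelled suite is selected at TLSv1.2: column two of the `openssl ciphers -v` output is the earliest protocol that defines the suite, so listing those suites does not turn the SSLv3 protocol back on.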