"Secure Connection Failed" when connecting to IIS web server over HTTPS that only has TLS 1.2 enabled
Using Firefox 62.0.2 in Windows 10. Trying to connect to our IIS webserver that only has TLS 1.2 enabled but encounter the following error:
"Secure Connection Failed. The connection to the server was reset while the page was loading"
If I enable TLS 1.1 and TLS 1.0 on the server, the connection via TLS 1.2 works fine. Chrome and IE don't have this issue and can connect when TLS 1.2 is exclusively enabled.
Our security group frowns on enabling TLS 1.1 / TLS 1.0. Please advise on how to get TLS 1.2 (exclusive) working with latest Firefox for Windows 10.
All Replies (11)
This is not true. Firefox supports TLS_RSA_WITH_AES_256_GCM_SHA384.
AnnaSycamore said
This is not true. Firefox supports TLS_RSA_WITH_AES_256_GCM_SHA384.
Possibly that is not Firefox 62?
Firefox disabled RC4 ciphers by default in Firefox 44, and removed them in Firefox 50. What version did you test with?
The ciphers starting with TLS_DHE do not show up for me in Firefox 62 on Windows 7.
Hello jscher2000, my Firefox is up to date.
Attaching enabled cipher suites from client and server (Qualys vs Nartac)
Server and client both appear to have TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 in common yet the handshake fails. May have to open support ticket with M$ft
This is a problem. It is supported but is weak and not compatible with TLS 1.2.
On the other side, your last reply (jscher2000) pointed me to this: https://tecadmin.net/enable-tls-on-windows-server-and-iis/
skmcfadden said
Server and client both appear to have TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 in common yet the handshake fails. May have to open support ticket with M$ft
This one, too:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
If I use Nartac to enable "best practices" (TLS 1.0/1.1/1.2 all enabled), I get the Firefox 62 TLS 1.2 handshake to work. Here is the server hello:
HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 16:49:24.975
Connection: close

This is a CONNECT tunnel, through which encrypted HTTPS traffic flows. To view the encrypted sessions inside this tunnel, enable the Tools > Options > HTTPS > Decrypt HTTPS traffic option.

A SSLv3-compatible ServerHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2)
SessionID: 68 19 00 00 5E 42 D5 99 9D 2C B4 81 2F 09 6C 62 57 CC 97 F8 21 14 E3 85 79 38 F1 7C CE 68 D9 A7
Random: 5B B6 8A E4 A6 43 C0 E7 04 F2 73 74 B1 01 A0 B1 CA 2D 3C 08 AD 38 4C D0 BB 6C A5 7E 9D 89 4A D2
Cipher: TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA [0xC014]
CompressionSuite: NO_COMPRESSION [0x00]
Extensions:
    status_request (OCSP-stapling) empty
    extended_master_secret empty
    renegotiation_info 00
skmcfadden said
Cipher: TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA [0xC014]
I don't know what that is... ??
Yeah, I don't know what that is either. I don't see it in Nartac.
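The replies above compare cipher-suite lists by eye and stop at "both sides have a suite in common". The script below is an added example (not code from this thread, nor from Mozilla or Microsoft) that does the same comparison mechanically and adds the two checks a "suite in common yet the handshake fails" situation usually needs: the server certificate's key type must match the suite's authentication algorithm (an ECDHE_ECDSA suite is unusable with an RSA certificate, however many lists it appears in), and the client's and server's key exchange groups must overlap. It also parses the Fiddler ServerHello summary posted above to name the negotiated suite, and includes a live TLS 1.2-only probe built on Python's standard ssl module. The client and server suite lists are constructed for illustration only (the client list approximates a Firefox 62 ClientHello, the server list a TLS 1.2-only IIS box tuned with IIS Crypto); the group lists are likewise assumed. Take real lists from a packet capture or an SSL Labs report before drawing conclusions.

```python
"""Cipher-suite overlap analysis for a TLS 1.2-only server, plus a live probe.

Added example, not from the thread. All suite and group lists below are
constructed for illustration; replace them with values from a capture.
"""
import re
import socket
import ssl

# IANA code points for the suites mentioned in the thread.
IANA = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Constructed client offer approximating a Firefox 62 ClientHello (TLS 1.3 suites omitted).
FIREFOX62_OFFER = [IANA[c] for c in (0xC02B, 0xC02F, 0xC02C, 0xC030, 0xC00A, 0xC009,
                                      0xC013, 0xC014, 0x002F, 0x0035, 0x000A)]
# Constructed server list, server preference order, in the older Windows naming
# that appends the curve (_P256/_P384) to the suite name.
IIS_TLS12_ONLY = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]
# ServerHello summary as Fiddler printed it in the thread (all TLS versions enabled).
FIDDLER_SERVER_HELLO = ("Version: 3.3 (TLS/1.2) SessionID: 68 19 00 00 "
                        "Cipher: TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA [0xC014] "
                        "CompressionSuite: NO_COMPRESSION [0x00]")


def normalize(name):
    """Strip the _P256/_P384/_P521 suffix older Windows versions add to Schannel names."""
    return re.sub(r"_P(256|384|521)$", "", name)


def usable_with_cert(name, cert_key):
    """A suite is only negotiable if the server certificate can authenticate it:
    *_ECDSA_* suites need an EC certificate, the others listed here need RSA."""
    return cert_key == ("EC" if "_ECDSA_" in name else "RSA")


def negotiate(client_offer, server_enabled, cert_key="RSA"):
    """Emulate a server-preference pick (Schannel honours server order): first suite
    in the server list that the client offered and the certificate can serve."""
    offered = {normalize(n) for n in client_offer}
    for name in server_enabled:
        n = normalize(name)
        if n in offered and usable_with_cert(n, cert_key):
            return n
    return None  # no negotiable suite: the handshake cannot complete


def common_groups(client_groups, server_groups):
    """ECDHE suites additionally need a key exchange group both sides support."""
    return [g for g in client_groups if g in server_groups]


def forward_secret(name):
    return "_ECDHE_" in name or "_DHE_" in name


def parse_fiddler_server_hello(text):
    """Extract protocol version and negotiated suite from Fiddler's ServerHello summary."""
    version = re.search(r"Version:\s*\S+\s*\((TLS/[\d.]+)\)", text)
    cipher = re.search(r"Cipher:\s*(\S+)\s*\[0x([0-9A-Fa-f]{4})\]", text)
    code = int(cipher.group(2), 16)
    name = IANA.get(code, cipher.group(1))
    return {"version": version.group(1), "cipher_id": code,
            "cipher": name, "forward_secret": forward_secret(name)}


def openssl_name(code):
    """Map an IANA code point to the OpenSSL name this Python build knows (or None)."""
    for c in ssl.create_default_context().get_ciphers():
        if c["id"] & 0xFFFF == code:
            return c["name"]
    return None


def probe(host, port=443, codes=None, timeout=5):
    """Live TLS 1.2-only handshake, optionally restricted to the given IANA code
    points; returns (protocol, negotiated suite). Raises ssl.SSLError or
    ConnectionResetError when the server rejects the offer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if codes:
        ctx.set_ciphers(":".join(n for n in map(openssl_name, codes) if n))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print("RSA cert:", negotiate(FIREFOX62_OFFER, IIS_TLS12_ONLY, "RSA"))
    print("EC cert: ", negotiate(FIREFOX62_OFFER, IIS_TLS12_ONLY, "EC"))
    print("groups:  ", common_groups(["x25519", "secp256r1", "secp384r1"], ["secp256r1", "secp384r1"]))
    print("Fiddler: ", parse_fiddler_server_hello(FIDDLER_SERVER_HELLO))
```

Run `probe("your.iis.host")` once with the default offer and once with `codes=[0xC030]` to see whether the server completes a TLS 1.2 handshake with a single ECDHE-RSA GCM suite; a reset on the restricted offer but not on the full one points at a certificate or group mismatch rather than at the protocol version itself.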
I have a similar issue with IIS 10. Going to the site is fine, but going to a page that downloads a PDF inline gives this error. Only TLS 1.2 is enabled; SSLLabs = A. The only difference I can see in F12 on FF Network=>Security is the Key Exchange Group: on the working page it is "none", on the failed one x25519.
nuronce said
Going to the site is fine, but going to a page that downloads a PDF inline gives this error. ... The only difference I can see in F12 on FF Network=>Security is the Key Exchange Group: on the working page it is "none", on the failed one x25519.
Well, this page has "Key Exchange Group: none", so I don't think that points us to the answer.
Could you start a new thread? At the top of pages there's a link titled "Get Community Support". Keep scrolling down past suggestions on those pages to continue with the question form.