Firefox 27 breaks access to certain HTTPS devices
Hi all,
We control many devices through in their built web secure servers using HTTPS, but since upgrading to Firefox 27 we are unable to connect to certain devices - in our case these are namely AMX NetLinx 3100 control devices. These devices have self signed built in certificates but when we downgrade to Firefox 26, everything starts working normally.
I can Reset Firefox but this makes no difference apart form the back that any stored certificate are wiped. We can then navigate to a given device and we can accept the security warning a store the certificate, but Firefox then hangs or times out when trying to load a page. As mentioned Firefox 26, as well as IE and Chrome are unaffected.
I have seen other post indicating that other are having issue with Firefox 27 and certain HTTPS site but so far no resolution. Has anybody got any idea as to what has changed between Firefox 26 and 27 that would cause such behavior?
Many thanks
Chris
Alla svar (7)
Hello swinster70,
Welcome to the Mozilla Support Forum.
You indicated in your question that Firefox hangs/crashes when viewing certain sites. It would be therefore useful if you could provide a crash report. Please follow the steps below to provide us crash IDs to help us learn more about your crash.
- Enter about:crashes in the Firefox address bar and press Enter. A Submitted Crash Reports list will appear, similar to the one shown below.
- Copy the 5 most recent Report IDs that start with bp- and paste them into your response here.
More information and further troubleshooting steps can be found in the Troubleshoot Firefox crashes (closing or quitting unexpectedly) article.
Mattlem
There have been issues reported caused by using some SSL cipher suites that aren't working properly with some servers.
A possibility to test this is to disable all SSL cipher suites on the about:config page (i.e. toggle security.ssl3.* prefs that are true to false) and enable one at the time to see if you can find the culprit and keep this suite disabled and reset the other cipher suites or possibly continue testing to see which ciphers work with this server.
Do a hard refresh of the tab with this not working page via "Ctrl+F5" or "Ctrl+Shift+R" after each change.
Hey mattlem. Unfortunately, there are no bp crash files to show as Firefox doesn't crash exactly, it more a case that the page simple hangs on loading - Firefox itself is still functional. It more as cor-el states that it more like the SSL suite have been broken in Firefox 27
cor-el, I have tried switching All suites off in Firefox 27, and then one on in turn, but of course as something is broken, it didn't help much. However, I went through the lot again on a machine running Firefox 26. The suite that worked with this particular site were:
- security.ssl3.rsa_aes_128_sha
- security.ssl3.rsa_aes_256_sha
- security.ssl3.rsa_des_ede3_sha
- security.ssl3.rsa_rc4_128_md5
- security.ssl3.rsa_rc4_128_sha
- security.ssl3.rsa_seed_sha
Maybe this narrow things down slightly, but none of these work in Firefox 27.
Cheers
Does it has effect if you disable or limit TLS support by setting the security.tls.version.max to a lower value?
0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, 3 means TLS 1.2 etc.
Ah ha, now we're getting somewhere. FF27 defaults this value to 3, FF26 looks like it default to 1. Setting the value to 1 resolves the issue (2 doesn't work either).
Would it be possible to use the higher TLS versions if available and workable on the site that can cope with it, but reduce to this lower level when they can't, or are we stuck forcing to TLS 1.0 all the time?
Many thanks for you input
core-el, the Link you provide does provide some interesting comment, namely in the cavets:
Caveats
- There is currently no fallback from TLS 1.1/1.2 to earlier protocols. Thus, selecting security.tls.version.max = 2 (or 3) for TLS 1.1 (or 1.2) support results in the connection failing when the server connected to doesn't support that version. Once the fallback is implemented, the default for security.tls.version.max will be changed to 3 to utilize the most recent TLS 1.2 version by default.
I'm not sure how up-to-date this actual is, but it is obviously still broken so maybe the value "3" shouldn't be applied by default in the the new Firefox upgrades.
Many thanks for your help
Chris
Bug 839310 - Add insecure fallback from TLS 1.1 -> TLS 1.0