"Security Connection Failed" when connecting to IIS web server over HTTPS that only has TLS 1.2 enabled

Using Firefox 62.0.2 in Windows 10. Trying to connect to our IIS webserver that only has TLS 1.2 enabled but encounter the following error:

"Secure Connection Failed. The connection to the server was reset while the page was loading"

If I enable TLS 1.1 and TLS 1.0 on the server, the connection via TLS 1.2 works fine. Chrome and IE browsers don't have this issue and can connect when TLS 1.2 is exclusively enabled.

Our security group frowns on enabling TLS 1.1 / TLS 1.0. Please advise on how to get TLS 1.2 (exclusive) working with latest Firefox for Windows 10.

All replies (11)

This is not true; Firefox supports this: TLS_RSA_WITH_AES_256_GCM_SHA384

AnnaSycamore said

This is not true; Firefox supports this: TLS_RSA_WITH_AES_256_GCM_SHA384

Possibly that is not Firefox 62?

Firefox disabled RC4 ciphers by default in Firefox 44, and removed them in Firefox 50. What version did you test with?

The ciphers starting with TLS_DHE do not show up for me in Firefox 62 on Windows 7.

Hello jscher2000, my Firefox is up to date.

Attaching enabled cipher suites from client and server (Qualys vs Nartac)


Server and client both appear to have TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 in common yet the handshake fails. May have to open support ticket with M$ft

This is a problem is supported but is weak and not compatible with TLS 1.2

On the other side your last reply (jscher2002) pointed me to this https://tecadmin.net/enable-tls-on-windows-server-and-iis/

Modified by AnnaSycamore

skmcfadden said

Server and client both appear to have TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 in common yet the handshake fails. May have to open support ticket with M$ft

This one, too:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

If I use Nartac to enable "best practices" (TLS 1.0/1.1/1.2 all enabled), I get the Firefox 62 TLS 1.2 handshake to work. Here is the server hello:

HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 16:49:24.975
Connection: close

This is a CONNECT tunnel, through which encrypted HTTPS traffic flows. To view the encrypted sessions inside this tunnel, enable the Tools > Options > HTTPS > Decrypt HTTPS traffic option.

A SSLv3-compatible ServerHello handshake was found. Fiddler extracted the parameters below.

Version: 3.3 (TLS/1.2)
SessionID: 68 19 00 00 5E 42 D5 99 9D 2C B4 81 2F 09 6C 62 57 CC 97 F8 21 14 E3 85 79 38 F1 7C CE 68 D9 A7
Random: 5B B6 8A E4 A6 43 C0 E7 04 F2 73 74 B1 01 A0 B1 CA 2D 3C 08 AD 38 4C D0 BB 6C A5 7E 9D 89 4A D2
Cipher: TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA [0xC014]
CompressionSuite: NO_COMPRESSION [0x00]
Extensions:
    status_request (OCSP-stapling) empty
    extended_master_secret empty
    renegotiation_info 00
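For readers decoding the ServerHello quoted above, an added example (not from the thread, Fiddler or Mozilla): a small Python parser for a TLS 1.0-1.2 ServerHello handshake message, run over a message rebuilt from the posted field values. The function names, the lookup tables and the reconstructed byte layout are assumptions of this example; 0xC014 is the IANA suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, which Fiddler prints with an OpenSSL-style TLS1_CK_ prefix.

```python
import struct

# IANA names for suites mentioned in this thread; Fiddler prints OpenSSL-style TLS1_CK_* names.
SUITES = {0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
          0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
          0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
          0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
EXT_NAMES = {5: "status_request", 23: "extended_master_secret", 0xFF01: "renegotiation_info"}

def parse_server_hello(msg: bytes) -> dict:
    """Parse a TLS 1.0-1.2 ServerHello handshake message (record header already stripped)."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) != int.from_bytes(msg[1:4], "big") or len(body) < 38:
        raise ValueError("truncated ServerHello")
    version, sid_len = int.from_bytes(body[:2], "big"), body[34]
    pos = 35 + sid_len
    if sid_len > 32 or pos + 3 > len(body):
        raise ValueError("bad session_id length")
    suite, compression = struct.unpack_from("!HB", body, pos)
    pos, exts = pos + 3, []
    if pos < len(body):  # the extensions block is optional
        if pos + 2 > len(body) or pos + 2 + int.from_bytes(body[pos:pos + 2], "big") != len(body):
            raise ValueError("bad extensions length")
        pos += 2
        while pos < len(body):
            if pos + 4 > len(body) or pos + 4 + struct.unpack_from("!H", body, pos + 2)[0] > len(body):
                raise ValueError("truncated extension")
            etype, elen = struct.unpack_from("!HH", body, pos)
            exts.append((EXT_NAMES.get(etype, hex(etype)), body[pos + 4:pos + 4 + elen].hex()))
            pos += 4 + elen
    return {"version": VERSIONS.get(version, hex(version)), "session_id": body[35:35 + sid_len].hex(),
            "cipher": SUITES.get(suite, hex(suite)), "cipher_id": suite,
            "compression": compression, "extensions": exts}

# Constructed sample: a ServerHello rebuilt from the field values in the Fiddler output above.
RANDOM = bytes.fromhex("5BB68AE4A643C0E704F27374B101A0B1CA2D3C08AD384CD0BB6CA57E9D894AD2")
SESSION_ID = bytes.fromhex("681900005E42D5999D2CB4812F096C6257CC97F82114E3857938F17CCE68D9A7")

def build_sample() -> bytes:
    exts = struct.pack("!HHHHHHB", 5, 0, 23, 0, 0xFF01, 1, 0)  # three extensions as listed
    body = (b"\x03\x03" + RANDOM + bytes([len(SESSION_ID)]) + SESSION_ID
            + struct.pack("!HBH", 0xC014, 0, len(exts)) + exts)
    return b"\x02" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    print(parse_server_hello(build_sample()))
```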

skmcfadden said

Cipher: TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA [0xC014]

I don't know what that is... ??

Yeah, I don't know what that is either. I don't see it in Nartac.

I have a similar issue with IIS 10. Going to the site is fine, but going to a page that downloads a PDF inline gives this error. Only TLS 1.2 is enabled. SSLLabs = A. The only difference I can see in F12 on FF, Network => Security: Key Exchange Group on the working page is "none"; on the failed one it is x25519.

nuronce said

Going to the site is fine. But going to a page that downloads a PDF inline gives this error. ... The only difference I can see F12 on FF Network=>Security Key Exchange Group on the working page is "none" on the failed one x25519

Well, this page has "Key Exchange Group: none", so I don't think that points us to the answer.

Could you start a new thread? At the top of pages there's a link titled "Get Community Support". Keep scrolling down past suggestions on those pages to continue with the question form.
