User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150402191859

Steps to reproduce:

I updated from FF 36 to FF 37 on Windows 8.1. I entered the URL https://apps.oaa.uci.edu/diversityopportunities/ but can't connect to the page. I updated to 37.0.1, and the problem persists.

Actual results:

The page shows

Secure Connection Failed

The connection to the server was reset while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

Expected results:

I expected the secure site to load successfully as it did with FF 36. Qualys gives the site an A- SSL report.
https://www.ssllabs.com/ssltest/analyze.html?d=apps.oaa.uci.edu&hideResults=on&latest

Chrome 42 and IE 11 both connect to the site without problems. FF 37.0.1 can connect to the site when I add apps.oaa.uci.edu to the security.tls.insecure_fallback_hosts. But I feel like FF 37 should connect without having to add the site to the exception list.

Thanks in advance for looking into this.
Severity: normal → major
Regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=47c8e9b16918&tochange=b4143e04bea1

Meadhbh Hamrick — Bug 861266: Enable TLS 1.2 by default, r=briansmith

It's probably a server issue about TLS.
Component: Untriaged → Security: PSM
Product: Firefox → Core
It looks like the root cause might be Bug 1155922:

There's an intermediate SHA-512 cert being sent:
> InCommon RSA Server CA
> Fingerprint: f4f26a16d4b913cf3208e664e3dd384e56ce77af
> RSA 2048 bits (e 65537) / SHA512withRSA

IIS is being used:
> HTTP server signature Microsoft-IIS/8.0

Applying the Bug 1155922 attachment 8594312 patch and building locally, I can connect fine with TLS 1.2.

Feel free to correct me if this is incorrect.
Status: UNCONFIRMED → NEW
Depends on: 1155922
Ever confirmed: true
OS: Windows 8.1 → All
Hardware: x86_64 → All
Summary: Secure Connection Failed with 37.0.1 → Secure Connection Failed on apps.oaa.uci.edu (SHA-512 cert, IIS 8.0) due to lack of SHA-512 in signature_algorithm
To whoever operates the server, note:
- https://code.google.com/p/chromium/issues/detail?id=461391 has already been WontFixed
- Bug 1129083, which seeks to remove support for SHA-512 certs
Summary: Secure Connection Failed on apps.oaa.uci.edu (SHA-512 cert, IIS 8.0) due to lack of SHA-512 in signature_algorithm → Secure Connection Failed on apps.oaa.uci.edu (SHA-512 cert, IIS 8.0) due to lack of SHA-512 in signature_algorithms extension
NSS 3.19 now has the fix from the Bug 1155922 patch, and Bug 1144055 has upgraded Firefox 39 and 40 to use NSS 3.19. I tried connecting to https://apps.oaa.uci.edu/diversityopportunities, and it works fine now. => Marking this as fixed, at least for now.
Assignee: nobody → kaie
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Summary: Secure Connection Failed on apps.oaa.uci.edu (SHA-512 cert, IIS 8.0) due to lack of SHA-512 in signature_algorithms extension → Secure Connection Failed on IIS server serving any SHA-512 cert due to not offering SHA-512 in signature_algorithms extension
Target Milestone: --- → mozilla39
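
The condition named in the final summary can be checked from a captured ClientHello. The following is an added example, not code from this bug or from NSS: it decodes the body of a TLS 1.2 signature_algorithms extension (type 13, RFC 5246) and reports which certificate signature algorithms in a chain the client did not advertise. Both extension byte strings are constructed samples, and the leaf certificate's hash (sha256) is an assumption; only the SHA512withRSA intermediate comes from the report.

```python
import struct

# TLS 1.2 (RFC 5246, section 7.4.1.4.1) HashAlgorithm / SignatureAlgorithm codes
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}


def parse_signature_algorithms(ext_data: bytes) -> set:
    """Decode the body of a signature_algorithms extension (type 13)
    into a set of (hash, signature) name pairs."""
    if len(ext_data) < 2:
        raise ValueError("extension body too short")
    (list_len,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if list_len != len(body) or list_len % 2:
        raise ValueError("bad supported_signature_algorithms length")
    pairs = set()
    for i in range(0, list_len, 2):
        h, s = body[i], body[i + 1]
        pairs.add((HASHES.get(h, f"hash_{h}"), SIGS.get(s, f"sig_{s}")))
    return pairs


def unadvertised(chain_sigs, offered):
    """Return the certificate signature algorithms in the chain that the
    client did not list, in chain order."""
    return [alg for alg in chain_sigs if alg not in offered]


# Constructed sample: a client list without any SHA-512 pair.
CLIENT_WITHOUT_SHA512 = bytes.fromhex("000c" "0401" "0501" "0201" "0403" "0503" "0203")
# Constructed sample: the same list with sha512/rsa and sha512/ecdsa added.
CLIENT_WITH_SHA512 = bytes.fromhex(
    "0010" "0601" "0603" "0401" "0501" "0201" "0403" "0503" "0203"
)
# Chain: leaf hash is an assumption (sha256); the intermediate is the
# SHA512withRSA certificate quoted in the report.
CHAIN = [("sha256", "rsa"), ("sha512", "rsa")]

if __name__ == "__main__":
    for name, raw in (("without", CLIENT_WITHOUT_SHA512), ("with", CLIENT_WITH_SHA512)):
        print(name, "SHA-512:", unadvertised(CHAIN, parse_signature_algorithms(raw)))
```

A non-empty result means the chain contains a signature the client never said it could verify, which is the mismatch this bug describes for SHA-512 certs.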