Closed Bug 1166348 Opened 9 years ago Closed 7 years ago

sede.educacion.gob.es PKI personal digital certificate authentication (login) requires unsafe renegotiation

Categories

(Web Compatibility :: Site Reports, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: ivanagui2, Unassigned)


Details

(Whiteboard: [contactready])

Attachments

(4 files)

User Agent: Mozilla/5.0 (Windows NT 6.3; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150513174244
When trying to log in to my account at https://sede.educacion.gob.es/ with an SSL certificate I get the error:

Secure Connection Failed
An error occurred during a connection to www.myopenid.com.
Renegotiation is not allowed on this SSL socket.
(Error code: ssl_error_renegotiation_not_allowed)

Using mozilla binary
Mozilla/5.0 (Windows NT 6.3; rv:38.0) Gecko/20100101 Firefox/38.0
Connecting to web sites using old TLS/SSL versions, I get the following error message:

 "ssl_error_renegotiation_not_allowed"

It seems that Firefox 38.0.1 does not support the workarounds (any more?) described on the web site below:

https://wiki.mozilla.org/Security:Renegotiation
Component: Desktop → Security
Product: Tech Evangelism → Core
Version: Firefox 38 → 38 Branch
Component: Security → Security: PSM
Summary: cannot login to https://sede.educacion.gob.es a site requiring unsafe renegotiation with a SSL certificate in Firefox 38 → cannot login to https://sede.educacion.gob.es, a site requiring unsafe renegotiation, with a SSL certificate in Firefox 38
Hello! I'm getting the same thing that I believe started at Firefox 38.0.-something [38.0.5 currently].

I can use older versions (V24 was handy, so I tried that and it still works with the site).

I have spoken to the admins, and hopefully they'll be updating firmware and turning off SSL renegotiation, but I wanted to say I've been trying the old workarounds and they do not work any more.

Specifically: I have the host name specified in security.ssl.renego_unrestricted_hosts (same settings that worked prior to upgrade). I am also using a client certificate.

Seems odd the setting would still appear but not be effective...makes you wonder if it's a bug, or just that FF finally removed this old workaround and hasn't updated the docs.

My build is: https://hg.mozilla.org/releases/mozilla-release/rev/f6680de4071d

Regards,
Chris
(In reply to csaba.klinger from comment #2)
> Connecting web sites using old TLS/SSL versions, I get the next error
> message:
> 
>  "ssl_error_renegotiation_not_allowed"
> 
> It seems, that the Firefox 38.0.1 does not support the workarounds (any
> more?) described the web site below:
> 
> https://wiki.mozilla.org/Security:Renegotiation

After Bug 1123020, no.

If you run into a broken site, your best option is probably to try and persuade whoever runs the site to fix the server.

I'll update the wiki page later if nobody else beats me to it.
(In reply to Chris Thompson from comment #3)
> I have spoken to the admins, and hopefully they'll be updating firmware and
> turning off SSL renegotiation, but I wanted to say I've been trying the old
> workarounds and they do not work any more.

Thanks for taking the time to do that.
At the moment, I'm not aware of any plans to revert the change in Bug 1123020, so I'm going to morph this into a Tech Evangelism bug.
Status: UNCONFIRMED → NEW
Component: Security: PSM → Desktop
Ever confirmed: true
Product: Core → Tech Evangelism
Summary: cannot login to https://sede.educacion.gob.es, a site requiring unsafe renegotiation, with a SSL certificate in Firefox 38 → www.myopenid.com (via sede.educacion.gob.es) requires unsafe renegotiation
Version: 38 Branch → unspecified
(In reply to ivanagui2 from comment #1)
> When trying to login to my account at https://sede.educacion.gob.es/ with
> SSL certificate I get error:
> 
> Secure Connection Failed        
>           An error occurred during a connection to www.myopenid.com.
> Renegotiation is not allowed on this SSL socket.
> (Error code: ssl_error_renegotiation_not_allowed)
> 
> Using mozilla binary
> Mozilla/5.0 (Windows NT 6.3; rv:38.0) Gecko/20100101 Firefox/38.0


Sorry, the error message is not that. The correct one is:

Conexión segura fallida

Ha ocurrido un error durante una conexión a sede.educacion.gob.es. No se permite la renegociación en este socket SSL. (Código de error: ssl_error_renegotiation_not_allowed)
Summary: www.myopenid.com (via sede.educacion.gob.es) requires unsafe renegotiation → sede.educacion.gob.es requires unsafe renegotiation
Same problem with https://papas.educa.jccm.es/

Message
"Conexión segura fallida
Ha ocurrido un error durante una conexión a papas.educa.jccm.es. No se permite la renegociación en este socket SSL. (Código de error: ssl_error_renegotiation_not_allowed)"

In January 2015 solved this way
https://www.mozilla-hispano.org/foro/viewtopic.php?f=2&t=13788

But now security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref does not appear in Firefox v38.0 Ubuntu
https://sede.educacion.gob.es/ and https://papas.educa.jccm.es/ no longer require unsafe renegotiation.
A certificate error will be displayed, but it is overridable.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
https://sede.educacion.gob.es/ and https://papas.educa.jccm.es/ require unsafe renegotiation to identify themselves with a digital certificate (login).
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Summary: sede.educacion.gob.es requires unsafe renegotiation → sede.educacion.gob.es PKI personal digital certificate authentication (login) requires unsafe renegotiation
https://sede.educacion.gob.es/ and https://papas.educa.jccm.es/ require unsafe renegotiation to identify themselves with a digital certificate ("Iniciar sesión con certificado" and "Acceso con Certificado Digital", respectively).
sede.educacion.gob.es Código de error: ssl_error_renegotiation_not_allowed
http://sede.educacion.gob.es/ is redirecting to 
https://sede.educacion.gob.es/ which is still not secure.

Maybe a way to contact them is through 
http://www.mecd.gob.es/portada-mecd/

Their Twitter account is active
https://twitter.com/educaciongob

I'll put this as contactready; if you decide to contact them, please switch to sitewait
Whiteboard: [contactready]
https://sede.educacion.gob.es/ now supports Secure Renegotiation. Resolved.
Status: REOPENED → RESOLVED
Closed: 9 years ago → 7 years ago
Resolution: --- → INVALID
Resolution: INVALID → WORKSFORME
Product: Tech Evangelism → Web Compatibility
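
Added example (not part of the original bug thread or Mozilla's code): a Python check that a captured ServerHello advertises secure renegotiation, the property the last comment reports the site now has. It assumes a TLS 1.2-or-earlier ServerHello as the first handshake message in the record, sent in reply to a ClientHello that offered the RFC 5746 `renegotiation_info` extension or SCSV; the function names and sample bytes are constructed for illustration.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746


def build_server_hello(extensions):
    """Build a constructed sample ServerHello record (test data, not a capture)."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    # version 3.3, all-zero random, empty session_id, suite 0x002f, null compression
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def supports_secure_renegotiation(record):
    """True if the ServerHello carries a valid initial renegotiation_info."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record starting with ServerHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    pos = 34 + 1 + body[34]   # skip version, random and session_id
    pos += 3                  # skip cipher_suite and compression_method
    if pos == len(body):
        return False          # no extensions block: legacy server
    if pos + 2 > len(body):
        raise ValueError("malformed ServerHello")
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    if end > len(body):
        raise ValueError("extensions overrun ServerHello")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == RENEGOTIATION_INFO:
            # On an initial handshake renegotiated_connection must be empty,
            # so the extension data is the single length byte 0x00.
            return data == b"\x00"
        pos += 4 + ext_len
    return False


if __name__ == "__main__":
    print(supports_secure_renegotiation(build_server_hello([])))
    print(supports_secure_renegotiation(build_server_hello([(0xFF01, b"\x00")])))
```
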