Closed Bug 1184104 Opened 10 years ago Closed 9 years ago

Secure Connection Failed - (Error code: ssl_error_weak_server_ephemeral_dh_key)

Categories

(Firefox :: Security, enhancement)

Product:
Firefox
Component:
Security
Version:
39 Branch
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: nlandas, Unassigned)

Details

(Keywords: csectype-other, wsec-authentication, Whiteboard: SSL certificate handling system)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Build ID: 20150630154324 Steps to reproduce: Access an internal management virtual machine's web interface using Firefox 39.0. The previous version worked correctly. Actual results: Received and error message that is completely blocking me from accessing the website with no option to add a security exception for this known good internal site. Chrome, IE, and Opera all work to access this internal web interface. Expected results: The web page should have been displayed or if Firefox wants to warn me about the weak SSL certificate, it should do so with an EASY way to add an override for this known safe connection. I can tell you that this is an ongoing issue and it is driving my IT colleagues away from Firefox and to Chrome.
It's probably due to this change in NSS: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2_release_notes Could you provide the details of your SSL certif? Or the details of the webUI manager of the VM? Is it possible to upgrade the certificate of the VM manager?
Component: Untriaged → Desktop
Flags: needinfo?(nlandas)
Product: Firefox → Tech Evangelism
Version: 39 Branch → Firefox 39
Thanks you two. The bottom line is, it is good that Firefox is warning me that there is an issue with the certificate but Firefox should not stop me from being able to override this block of a known good site. The excuse that we should just replace the certificate, every time Firefox decides to warn/block another website due to a questionable SSL certificate is not reasonable. Firstly, this system is a canned virtual appliance and not exposed to the Internet. It's for internal management only. This isn't the first internal system that gets blocked by Firefox and I have to revert to using another browser to access. In some cases the certificate is in embedded firmware and can't be upgraded as the system is no longer receiving updates. In this day and age, I understand blocking questionable certificates but for Firefox to not have a clear and easy to use means of putting overrides in place for any blocked site really puts Mozilla at a disadvantage to competitors. With Microsoft's new browser due out July 29th and Chrome constantly advancing, arbitrarily blocking SSL certificates without giving a simply way to put in exceptions is really going to affect Firefox's market share. I can certainly give details on the certificate. I know it's not a good certificate. The bug is Firefox arbitratily blocking it.
Flags: needinfo?(nlandas)
(In reply to Nyle Landas from comment #3) > Thanks you two. The bottom line is, it is good that Firefox is warning me > that there is an issue with the certificate but Firefox should not stop me > from being able to override this block of a known good site. This is more of a technical issue at the moment. See Bug 1180526 comment 4. In any case, ssl_error_weak_server_ephemeral_dh_key suggests that the immediate issue is not the cert, but the DH primes used. As a workaround, try flipping the "security.ssl3.dhe_rsa_aes_128_sha" and "security.ssl3.dhe_rsa_aes_256_sha" prefs to false. Alternatively, try and disable DHE on your system.
(In reply to Cykesiopka from comment #4) > (In reply to Nyle Landas from comment #3) > > Thanks you two. The bottom line is, it is good that Firefox is warning me > > that there is an issue with the certificate but Firefox should not stop me > > from being able to override this block of a known good site. > > This is more of a technical issue at the moment. See Bug 1180526 comment 4. > > In any case, ssl_error_weak_server_ephemeral_dh_key suggests that the > immediate issue is not the cert, but the DH primes used. > > As a workaround, try flipping the "security.ssl3.dhe_rsa_aes_128_sha" and > "security.ssl3.dhe_rsa_aes_256_sha" prefs to false. > > Alternatively, try and disable DHE on your system. Thank you Cykesiopka. That is a helpful work around. I had just found that Novell recommends it on their knowledgebase. I do appreciate the information. https://www.novell.com/support/kb/doc.php?id=7016679 ------------------------------------------------------- This is an ongoing issue with how Mozilla handles certificates. So I understand not calling it a "bug" but it is certainly a lack in the handling of certificates that Mozilla reasonably considers insecure. Turning off the security feature is at best a sub-optimal solution. Is there a site to recommend features to the Mozilla Foundation rather than this bug site? I apologize for my weak google-fu if there is. Ideally, if a non-secure certificate is received, Firefox should certainly draw additional attention to it besides just the normal self-signed warning that can then be accepted temporarily or permanently. However, Firefox should offer some means to "whitelist" weak certificates that a power user knows are good. Even if this means going into Options and manually adding the URL for the site. I certainly appreciate what Mozilla Foundation does in developing the Open Source Firefox and Thunderbird. I'm just trying to pass back that less savvy end users that get hit by this certificate handling "technical issue" are very likely to just switch browsers. Which I for one do not want to see happen.
Component: Desktop → Security
Keywords: csectype-other, wsec-authentication
OS: Unspecified → All
Product: Tech Evangelism → Firefox
Hardware: Unspecified → All
Whiteboard: SSL certificate handling system
Version: Firefox 39 → 39 Branch
Severity: normal → enhancement
I doubt it will change because the work about the "Logjam" exploit has been done in bug 1138554. CC'ing Brian for more detailed advices.
Flags: needinfo?(brian)
Flags: needinfo?(brian) → needinfo?(dkeeler)
This is to protect against Logjam. In particular, the underlying TLS library (NSS) implements the restriction. Firefox currently has no way to allow exceptions for this kind of error.
Flags: needinfo?(dkeeler)
Looks like Novell has released an update that addresses this: https://www.novell.com/support/kb/doc.php?id=7016679 https://www.novell.com/support/kb/doc.php?id=7016614
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Thanks this wasn't solely related to a Novell product. We received the error when using other internal management interfaces. I understand certainly protecting against major security risks like logjam but if I have a known good site that is internal access only, I should be able to put in a manual override, even if it means specifying an IP address in a hidden file. Something to keep the average user from doing it.
You need to log in before you can comment on or make changes to this bug.