Closed Bug 1244183 Opened 9 years ago Closed 9 years ago

Firefox claims SSL connection was interrupted - but seems to have done so itself

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Version:
44 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: nrath, Unassigned)

Details

Attachments

(3 files)

Packet capture of failed connection attempt with Firefox.
1.27 KB, application/x-pcapng
Details
Packet capture from successful connection with Chromium
17.41 KB, application/gzip
Details
Traffic dump from successful connection with Firefox
10.05 KB, application/x-pcapng
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0 Iceweasel/41.0.2 Build ID: 20151016000147 Steps to reproduce: I am behind a firewall that uses SSL interception. I have installed the CA certificate of the proxy in Firefox, and most SSL connections are established correctly. However, in same cases the connection fails right after entering the https URL in the address bar. Actual results: For problematic URLs, Firefox shows the following error message: Secure Connection Failed The connection to jupyter.readthedocs.org was interrupted while the page was loading. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. There is no button to add an exception, nor to get further details on what is wrong. If I attempt to open the same URL in Chromium (also with the proxy CA certificate installed), everything works fine and Chromium considers the connection secure. When capturing the session with Wireshark, I see no indication that the connection was interrupted (the TCP stream is still alive), so I think that Firefox found something wrong with the certificate and interrupted the connection itself. I have attached an example TCP dump. Expected results: I would have expect any of: * Everything works, because it works in other browsers * Firefox gives me a chance to ignore the problem and continue anyway * Firefox gives me a way to obtain more debugging information so that I can find out why exactly it isn't working
I have submitted this book with Debian jessie's Iceweasel, but I confirmed that the most recent Firefox 44 from the getfirefox.com tarball is also affected.
Component: Untriaged → Networking
Product: Firefox → Core
Component: Networking → Security: PSM
What kind of firewall are you using? Do you have access to logs on it? That packet trace indicates the server or firewall is sending a FIN to the client (see packet 7), so it's not Firefox that's initiating closing the connection. Can you post a packet trace of a successful connection from Chrome?
Flags: needinfo?(nrath)
I know it's a checkpoint firewall, and I can probably get access to the logs. However, it's going to be slow and painful, so I'd rather avoid that if possible. I have attached a traffic dump from a successful connection with Chromium.
Flags: needinfo?(nrath)
Attachment #8713696 - Attachment description: dump.pcapng → Packet capture of failed connection attempt with Firefox.
(Debugging this is low priority for our IT department because "it works with Chrome").
What I'm seeing there is Chrome sending a number of Client Hellos before it gets a successful response. The failing ones appear to be TLS 1.2 while the successful one appears to be TLS 1.1. So, I'm thinking the intercepting proxy is TLS 1.2-intolerant in some way (since it doesn't look like jupyter.readthedocs.org is). You could try setting the pref "security.tls.version.fallback-limit" to 2, which I believe will allow fallback to TLS 1.1.
Yes, that fixes the problem! Nice! I don't quite understand what's happening though, because the problem does not appear for all SSL sites. For example, I can connect just fine to https://bugzilla.mozilla.org/ using Firefox and going through the intercepting proxy (and without modifying the fallback limit).
Here's an example of a successful connection made by Firefox through the proxy.
I had this problem with Firefox 45 Beta 5 and Comodo Firewall aswell, but got fixed after reinstalling Firefox Setup 45.0b5.exe atleast for now, will post if it gets back wierd stuff
Sounds like this is WFM for now.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: