Closed Bug 1263856 Opened 9 years ago Closed 9 years ago

Cannot add security exception, about our internal server, using firefox 44 and 45

Categories

(Core :: Security: PSM, defect)

45 Branch
x86_64
Linux
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: mobbe, Unassigned)

Details

Attachments

(7 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160303134406

Steps to reproduce:
We try to access the console home page of our internal server by calling the link https://i5sg07:2005 (reachable only from our internal LAN).

Actual results:
We receive the error page "Secure Connection Failed" and we cannot confirm the exception. We tried to open the "Add Security Exception" window by pasting the chrome URL chrome://pippki/content/exceptionDialog.xul, but when we click on Get Certificate we obtain "No Information Available" and the Confirm Security Exception button is disabled.

Expected results:
Until Firefox 43 we could select the answer "I understand the risk" and after that add and confirm the exception. We need to obtain the same result on Firefox 44 and later, because using Firefox 44 and later we can no longer access the console of our internal servers.
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
Component: Untriaged → Security: PSM
Product: Firefox → Core
What happens if you add a new string preference in about:config with the name "security.tls.insecure_fallback_hosts" and the value "i5sg07" (i.e. the hostname you're trying to connect to)?
Flags: needinfo?(mobbe)
If I change security.tls.insecure_fallback_hosts, adding "i5sg07" to the value, the answer page changes and allows me to add a security exception for this server. But this solution does not solve our problem, because we have 4 internal self-signed servers, obviously with different host names.
Flags: needinfo?(mobbe)
You can specify a list of hostnames in that preference, such as "i5sg07,i5sg08,i5sg09", or whatever you need. In any case, the behavior you're describing (and the fact that setting that preference helps) indicates the servers you are connecting to do not properly support TLS 1.2 and should be updated/fixed. I'm marking this resolved as "INVALID", which is the closest thing we have to "not a bug in Firefox".
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Attached file TestTls.pdf
Result of test TLS 1.2 about our server.
Attachment #8741672 - Flags: feedback+
Comment on attachment 8741672 [details] TestTls.pdf
Result of test TLS 1.2 about our server.

This server for external use (named extranet.selcomgroup.com) has Go Daddy certificates, but the same server for internal use (named 15sg07) has self-signed certificates. As you can see, TLS 1.2 is correctly supported.
We also cannot connect to our LAN multifunction printer. We receive the same error "Secure connection failed". Until FF 39 we could.
Flags: needinfo?(dkeeler)
Can you connect to https://extranet.selcomgroup.com ? It works for me using Firefox 45, so if you can connect to that site but not your internal servers, then the internal servers are probably configured differently from the external server. With regard to your printer, that issue will probably be addressed in bug 1182742.
Flags: needinfo?(dkeeler)
As I explained, the server configuration for the outside has a valid certificate, so there is no security exception. I used this configuration only to be able to show you the operation of TLS 1.2 and show that it is properly supported. Supported protocols are defined at OS level, with no difference between internal and external configuration. In the attachment you can see the server configuration. If you want, I can open an account on my server and provide you a password (privately, obviously) and allow you to connect and verify the problem.
What would probably be most useful is if you could capture some packet traces with wireshark. In particular, it would be useful to see the TLS handshake when connecting with Firefox (with and without the pref security.tls.insecure_fallback_hosts set) and with Chrome (which I'm assuming connects without issue). Thanks!
Flags: needinfo?(mobbe)
I called the Console Page of our server and traced the traffic with wireshark; the results are:
- Chrome: no TLS traffic, but I can add a security exception without problem.
- Firefox 43.0.1: no TLS traffic, but I can add a security exception without problem.
- Firefox 45.0.2: no TLS traffic, but I cannot add a security exception.
The server provides TLS traffic for external https pages, but not when calling the console page, and I have no way to change this. This is a very big problem.
Flags: needinfo?(mobbe)
Sorry, I guess I wasn't clear - in order for me to be able to help, I'm going to need to see those packet traces. Feel free to either attach them to this bug or email me directly.
Flags: needinfo?(mobbe)
Packet trace using Chrome 42.0.2311.90m. 10.0.98.204 is my pc, 10.0.2.3 is our server.
Flags: needinfo?(mobbe)
Attached file FF43.0.1.pcapng
Packet trace using Firefox 43.0.1. 10.0.98.204 is my pc, 10.0.2.3 is our server.
Attached file FF45.0.2.pcapng
Packet trace using Firefox 45.0.2. 10.0.98.204 is my pc, 10.0.2.3 is our server.
Thanks! Looks like your server is only negotiating TLS_RSA_WITH_RC4_128_SHA, which is deprecated in both Firefox and Chrome. You should enable some more modern, stronger cipher suites like:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
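The diagnosis in the last comment (an RC4-only server cannot complete a handshake with Firefox 44+, so no certificate is ever shown and no exception can be added) can be reproduced from a list of offered suite names. The following is an added example, not code from Mozilla or from the bug; it parses IANA-style suite names into key exchange, authentication, bulk cipher and MAC, and classifies the suites quoted in the comment. The deprecation rule (RC4, DES/3DES, NULL or MD5) is an assumption matching the browsers' behaviour described above, not a Firefox source reference.

```python
import re
from typing import NamedTuple

# Suite names quoted in the bug: what the server offered, and what the PSM
# engineer suggested enabling (sample input, copied from the comment above).
SERVER_OFFERED = ["TLS_RSA_WITH_RC4_128_SHA"]
RECOMMENDED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# TLS_<kx>[_<auth>]_WITH_<bulk cipher>_<mac>; plain TLS_RSA_* has no separate auth part.
_SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z]+)(?:_(?P<auth>RSA|ECDSA|DSS))?_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)$"
)

class Suite(NamedTuple):
    name: str
    kx: str              # key exchange: RSA, ECDHE, DHE, ...
    auth: str            # authentication: RSA or ECDSA
    cipher: str          # bulk cipher, e.g. AES_128_GCM or RC4_128
    mac: str
    forward_secrecy: bool
    deprecated: bool     # assumed rule: RC4, (3)DES, NULL or MD5 -> refused by current browsers

def parse_suite(name: str) -> Suite:
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not a TLS_*_WITH_* suite name: {name}")
    kx, cipher, mac = m["kx"], m["cipher"], m["mac"]
    auth = m["auth"] or kx  # RSA key exchange also authenticates with the RSA key
    weak_bulk = any(tok in cipher.split("_") for tok in ("RC4", "DES", "3DES", "NULL"))
    return Suite(name, kx, auth, cipher, mac,
                 forward_secrecy=kx in ("ECDHE", "DHE"),
                 deprecated=weak_bulk or mac == "MD5")

def diagnose(offered):
    """Split a server's suites into accepted and refused; with nothing accepted the
    handshake fails before any certificate (or exception dialog) can appear."""
    parsed = [parse_suite(n) for n in offered]
    ok = [s for s in parsed if not s.deprecated]
    return {"usable": [s.name for s in ok],
            "refused": [s.name for s in parsed if s.deprecated],
            "handshake_possible": bool(ok),
            "forward_secrecy": any(s.forward_secrecy for s in ok)}
```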