Cannot add security exception, about our internal server, using firefox 44 and 45

RESOLVED INVALID

Status


3 years ago
3 years ago

People

(Reporter: mobbe, Unassigned)

Tracking

45 Branch
x86_64
Linux
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(7 attachments)

(Reporter)

Description

3 years ago
Created attachment 8740325 [details]
First image calling our internal server, Second image trying chrome://pippki/content/exceptionDialog.xul

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160303134406

Steps to reproduce:

We try to access the console home page of our internal server via the link https://i5sg07:2005 (reachable only from our internal LAN).


Actual results:

We receive the page error "Secure Connection Failed" and we cannot confirm the exception. We tried to open the "Add Security Exception" window by pasting the chrome URL chrome://pippki/content/exceptionDialog.xul, but when we click on Get Certificate we obtain "No Information Available" and the Confirm Security Exception button is disabled. 


Expected results:

Until Firefox 43 we could select the answer "I understand the risk" and after that add and confirm the exception. We need to obtain the same result on Firefox 44 and later, because using Firefox 44 and later we can no longer access the console of our internal servers.
(Reporter)

Updated

3 years ago
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
Component: Untriaged → Security: PSM
Product: Firefox → Core
What happens if you add a new string preference in about:config with the name "security.tls.insecure_fallback_hosts" and the value "i5sg07" (i.e. the hostname you're trying to connect to)?
Flags: needinfo?(mobbe)
(Reporter)

Comment 2

3 years ago
If I change security.tls.insecure_fallback_hosts adding "i5sg07" into the value, the answer page changes and allows me to add security exception for this server.
But this solution does not solve our problem, because we have 4 internal self-signed servers, obviously with different host names.
Flags: needinfo?(mobbe)
You can specify a list of hostnames in that preference, such as "i5sg07,i5sg08,i5sg09", or whatever you need.
In any case, the behavior you're describing (and the fact that setting that preference helps) indicates the servers you are connecting to do not properly support TLS 1.2 and should be updated/fixed. I'm marking this resolved as "INVALID", which is the closest thing we have to "not a bug in Firefox".
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
(Reporter)

Comment 4

3 years ago
Created attachment 8741672 [details]
TestTls.pdf

Result of test TLS 1.2 about our server.
Attachment #8741672 - Flags: feedback+
(Reporter)

Comment 5

3 years ago
Comment on attachment 8741672 [details]
TestTls.pdf

Result of test TLS 1.2 about our server.
This server for external use (named extranet.selcomgroup.com) has Go Daddy certificates, but the same server for internal use (named 15sg07) has self-signed certificates.
As you can see, TLS 1.2 is correctly supported.
(Reporter)

Comment 6

3 years ago
Created attachment 8741827 [details]
FailureConnectionMultifunctionPrinter

We also cannot connect to our LAN multifunction printer.
We receive the same error "Secure connection failed".
Until FF 39 we could.
Flags: needinfo?(dkeeler)
Can you connect to https://extranet.selcomgroup.com ? It works for me using Firefox 45, so if you can connect to that site but not your internal servers, then the internal servers are probably configured differently from the external server.

With regard to your printer, that issue will probably be addressed in bug 1182742.
Flags: needinfo?(dkeeler)
(Reporter)

Comment 8

3 years ago
Created attachment 8742313 [details]
System Protocols Enabled

As I explained, the server configuration for the outside has a valid certificate, so no security exception is needed. I used this configuration only to be able to show you the operation of TLS 1.2 and show that it is properly supported. The protocols supported are defined at OS level, with no difference between the internal and external configuration.
In attachment you can see the server configuration.
If you want, I can open an account on my server and provide you a password (privately, obviously) and allow you to connect and verify the problem.
What would probably be most useful is if you could capture some packet traces with wireshark. In particular, it would be useful to see the TLS handshake when connecting with Firefox (with and without the pref security.tls.insecure_fallback_hosts set) and with Chrome (which I'm assuming connects without issue). Thanks!
Flags: needinfo?(mobbe)
(Reporter)

Comment 10

3 years ago
I called the console page of our server and traced the traffic with Wireshark; the results are:
- Chrome: no TLS traffic, but I can add a security exception without problem.
- Firefox 43.0.1: no TLS traffic, but I can add a security exception without problem.
- Firefox 45.0.2: no TLS traffic, but I cannot add a security exception.

The server provides TLS traffic for external https pages, but not when calling the console page, and I have no way to change this.
This is a very big problem.
Flags: needinfo?(mobbe)
Sorry, I guess I wasn't clear - in order for me to be able to help, I'm going to need to see those packet traces. Feel free to either attach them to this bug or email me directly.
Flags: needinfo?(mobbe)
(Reporter)

Comment 12

3 years ago
Created attachment 8743683 [details]
Chrome42.0.2311.90m.pcapng

Packet trace using Chrome 42.0.2311.90m
10.0.98.204 is my pc
10.0.2.3 is our server
Flags: needinfo?(mobbe)
(Reporter)

Comment 13

3 years ago
Created attachment 8743685 [details]
FF43.0.1.pcapng

Packet trace using Firefox 43.0.1
10.0.98.204 is my pc
10.0.2.3 is our server
(Reporter)

Comment 14

3 years ago
Created attachment 8743686 [details]
FF45.0.2.pcapng

Packet trace using Firefox 45.0.2
10.0.98.204 is my pc
10.0.2.3 is our server
Thanks! Looks like your server is only negotiating TLS_RSA_WITH_RC4_128_SHA, which is deprecated in both Firefox and Chrome. You should enable some more modern, stronger cipher suites like:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
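To reproduce offline the check made on the attached traces above, here is an added example (not from the bug, from Firefox, or from the reporter's server) that parses a raw TLS ServerHello record, names the negotiated cipher suite, and flags anything not on the list recommended in the comment. The ServerHello bytes are constructed inline for the example, not taken from the attached pcaps.

```python
import struct

# IANA cipher suite IDs: the RC4 suite the traces showed the server choosing,
# plus the suites recommended in the comment above.
SUITE_NAMES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
RECOMMENDED = set(SUITE_NAMES) - {0x0005}  # everything except the RC4 suite

def parse_server_hello(record: bytes):
    """Return (protocol_version, cipher_suite) from a raw TLS ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:      # 0x16 = handshake record type
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:              # 0x02 = ServerHello message
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:                            # version (2) + random (32) + sid len (1)
        raise ValueError("truncated ServerHello")
    version = struct.unpack(">H", body[:2])[0]
    off = 35 + body[34]                           # skip the length-prefixed session_id
    if len(body) < off + 3:                       # cipher suite (2) + compression (1)
        raise ValueError("truncated ServerHello")
    return version, struct.unpack(">H", body[off:off + 2])[0]

def assess(record: bytes) -> dict:
    """Name the negotiated suite and say whether it is on the recommended list."""
    version, suite = parse_server_hello(record)
    name = SUITE_NAMES.get(suite, "unknown(0x%04x)" % suite)
    return {"version": "0x%04x" % version, "suite": name, "ok": suite in RECOMMENDED}

def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample (not from the attached traces): minimal ServerHello choosing `suite`."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00" + struct.pack(">H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">H", version) + struct.pack(">H", len(hs)) + hs
```

Feeding the bytes of the ServerHello from a real capture to `assess` gives the same verdict the comment reached: an RC4-only server is reported as not ok.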