Closed Bug 1930260 Opened 9 months ago Closed 9 months ago

Websocket TLS Negotiation Error as a result of Upgrade Firefox 130 to use NSS 3.103

Categories

(NSS :: Libraries, defect)

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: marty_s, Unassigned)

Details

Hello,

My Websocket server recently started failing in Firefox. After some investigation, it looks like the issues began in v130. More specifically, I was able to use mozregression to find that the error happened here:

pushlog_url: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5d5de7f7081bcd8536d2f6ca8f21e2db51b9bdad&tochange=09f63cde74c7eda75ef972fa85fcf69350dbd427

Bug 1906193 - land NSS 525c5044cc9e UPGRADE_NSS_RELEASE, r=keeler

Changeset: c058dd79bdd42732baf373b31c9a7376b53cccf8

The Websocket server works in all other browsers. After much troubleshooting, it seems like a change was made to the TLS negotiation when making a Websocket connection. I was able to temporarily solve the problem by forcing TLSv1.2 instead of negotiating the strongest TLS available.

Assignee: nobody → nobody
Component: Security: PSM → Libraries
Product: Core → NSS

Can you describe the error that you're seeing in more detail?

You might try toggling security.tls.enable_kyber in about:config.

We made a recent discovery that flow-based deep inspection on our firewalls seems to be related to the error starting to happen with this Firefox update. For reasons relating to a Chromium issue, we temporarily switched to proxy-based deep inspection, which coincidentally also fixes the FF websocket issue. Our intent is to go back to flow-based deep inspection when FortiGate updates their firmware to fix the Chromium-triggered bug. It might make sense to wait and see if the FortiGate fix also fixes the Firefox issue.

OK, sounds like there's nothing for us to do here at this time. Please file another bug if the issue persists after the firmware upgrade.

Status: UNCONFIRMED → RESOLVED
Closed: 9 months ago
Resolution: --- → WORKSFORME