ssl error in FF3 w/no bypass, IE also errors, but allows me to bypass

RESOLVED INCOMPLETE

10 years ago
2 years ago

People

(Reporter: schwit, Unassigned)


Attachments

(1 attachment)

766 bytes, application/octet-stream
(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080901033305 Minefield/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080901033305 Minefield/3.0

Secure Connection Failed      

An error occurred during a connection to 71.168.8.102.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)

The page you are trying to view can not be shown because the authenticity of the received data could not be verified.

    * Please contact the web site owners to inform them of this problem

Reproducible: Always

Steps to Reproduce:
1. Enter URL
2. Press enter

Actual Results:  
An error that blocks getting into the PIX.

Expected Results:  
I expect an SSL error, but to include a method to add an exception or some other type of bypass. IE allows this bypass.

Include a method to add an exception or some other type of bypass. IE allows this bypass.
Assignee: nobody → kaie
Component: Security → Security: UI
Product: Firefox → Core
QA Contact: firefox → ui

This is an unusual one - the error seems to indicate that the site you are visiting uses an unknown encryption protocol. There's no way to "work around" that - we can't understand what the server's trying to communicate - but I am curious to know what the protocol involved actually is. The only way to actually solve the problem would be to implement that protocol, but I can't get the site to load at the moment.
(Reporter)

Comment 2

10 years ago
I can provide the running config if that would help. Here's the show version.

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by morlee
pixfirewall up 63 days 0 hours
Hardware:   PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 001b.d405.ef26, irq 10
1: ethernet1: address is 001b.d405.ef27, irq 11
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          4
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited
This PIX has a Restricted (R) license.

Thanks for that - what would really help would be if you could attach the certificate. Is that accessible to you?
(Reporter)

Comment 4

10 years ago
Created attachment 337533 [details]
certificate

Certificate is attached.

Comment 5

8 years ago
Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody.
Search for kaie-20100607-unconfirmed-nobody
Assignee: kaie → nobody

Maybe the server fixed it on their end (picking a mutually compatible cipher), but since we can't seem to reach/debug that server we can't see the list of advertised ciphers. I'm not 100% sure how to interpret comment 2, but looks like only DES is supported by the server? That's horribly insecure. Mozilla turned off support for all the weak "export" ciphers several years after being allowed to ship the stronger ones world-wide. Although I'm not sure that's the relevant list since Mozilla clients aren't VPNs and a different set of ciphers may be running on the web-server on the same machine.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INCOMPLETE
(Assignee)

Updated

2 years ago
Product: Core → Core Graveyard
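
The negotiation failure discussed in this report, as an added example (not code from the bug or from Mozilla): it reads the cipher suites out of a captured ClientHello record and checks them against the set a server supports. The sample ClientHello, the DES-only server set (taken from the hypothesis in the last comment) and all function names are assumptions constructed for illustration; the suite IDs are IANA values, and the selection follows client preference order.

```python
import struct

# Subset of IANA TLS cipher suite IDs; True marks single-DES and export-grade suites.
SUITES = {
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", False),
    0x0008: ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", True),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", True),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", False),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", False),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", False),
}

def build_client_hello(suites):
    """Build a minimal TLS 1.0 ClientHello record (constructed sample input)."""
    ids = b"".join(struct.pack("!H", s) for s in suites)
    body = b"\x03\x01" + bytes(32) + b"\x00"      # version, random, empty session_id
    body += struct.pack("!H", len(ids)) + ids + b"\x01\x00"   # suites, null compression
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_suites(record):
    """Return the cipher suite IDs a ClientHello record offers, in client order."""
    try:
        ctype, _version, rec_len = struct.unpack_from("!BHH", record)
        msg = record[5:5 + rec_len]
        if ctype != 0x16 or len(msg) != rec_len or msg[0] != 0x01:
            raise ValueError("not a complete ClientHello record")
        pos = 4 + 2 + 32                  # handshake header, client_version, random
        pos += 1 + msg[pos]               # skip session_id
        (n,) = struct.unpack_from("!H", msg, pos)
        ids = msg[pos + 2:pos + 2 + n]
        if n % 2 or len(ids) != n:
            raise ValueError("bad cipher_suites length")
        return [s for (s,) in struct.iter_unpack("!H", ids)]
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc

def diagnose(record, server_ids):
    """Compare a client's offer with the set of suites a server supports."""
    common = [s for s in offered_suites(record) if s in server_ids]
    known = [SUITES[s] for s in sorted(server_ids) if s in SUITES]
    return {
        "selected": SUITES.get(common[0], (hex(common[0]),))[0] if common else None,
        "server_weak": [name for name, weak in known if weak],
    }

# Constructed inputs: a client offering no DES/export suites, a server limited to them.
CLIENT = build_client_hello([0x0035, 0x002F, 0x0005, 0x000A])
DES_ONLY_SERVER = {0x0008, 0x0009}
```

A `selected` value of `None` is the "no common encryption algorithm(s)" condition from the error text; `server_weak` lists the server-side suites that should be retired rather than re-enabled in the client.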