How to reproduce:

1. Go to http://www.skandiabanken.no
2. Click "Logg inn" (left side)
3. Click the big lock icon to indicate that you want to log in
4. Get Firefox error page:

    Secure Connection Failed
    An error occurred during a connection to cert.skandiabanken.no.
    Renegotiation is not allowed on this SSL socket.
    (Error code: ssl_error_renegotiation_not_allowed)

For the record, it works fine with Firefox 3.6.

There are some errors in the console:

    secure.skandiabanken.no : potentially vulnerable to CVE-2009-3555

…but that's supposed to be unrelated, and not block access to the site, just warn.
Ah - yes, it took me a minute, but this, too, is deliberate. See Kai's wiki page for details: https://wiki.mozilla.org/Security:Renegotiation

Basically, with NSS 3.12.6, we:
- Warn in the error console for every vulnerable server (hence the latter part of your report)
- Refuse actual renegotiation requests from vulnerable servers (hence your proximate complaint).

The wiki page also talks about the temporary and permanent prefs at your disposal for changing this behaviour, but if your bank actually does need TLS renegotiation, they're gonna want to fix their servers -- we won't be the only browser doing this in the medium term.
I'll contact the bank and let them know. Thanks!
Microsoft is also struggling with the issue ... http://arstechnica.com/microsoft/news/2010/02/microsoft-warns-of-tslssl-flaw-in-windows.ars
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.3a2pre) Gecko/20100216 Minefield/3.7a2pre
Same issue with skandiabanken.se.
Same with startssl.com
Works for me.
Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0
Same with skandiabanken.se.
reassign bug owner. mass-update-kaie-20120918
Assignee: kaie → nobody
No longer a problem, right?
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME