Closed Bug 951156 Opened 8 years ago Closed 3 years ago

ssl_error_illegal_parameter_alert occurring intermittently with Firefox 26 due to Kaspersky Internet Security

Categories

(Firefox :: Extension Compatibility, defect)

26 Branch
x86_64
Windows 7
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: nigelh747, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310

Steps to reproduce:

Opened new tab to HTTPS://www.google.co.uk 

Am using an add-on, NewTabURL, that's set to the above address - and this has been working without the issue for the last 18 months.  The issue has only just started to happen with 


Actual results:

ssl_error_illegal_parameter_alert intermittently - doing a page refresh most times works


Expected results:

Just opened the page
Also occurs when going directly to this web page and other SSL pages intermittently on several PCs all started with Firefox 26
Here it happens on some internal web pages. Sometimes there is no error, but ctrl+f5 a few times and it will show up (or Firefox restart and a few ctrl+f5).

Googling shows that some people blame antivirus (Kaspersky, for example). Unfortunately, here I have no antivirus (other than the default m$ one). It's Windows 2008 Server with Firefox 26.

Apache reports "SSL routines:SSL3_GET_CLIENT_HELLO:required cipher missing":


[Wed Dec 18 15:18:53.121134 2013] [ssl:info] [pid 25678] [client x.y.z.q:62657] AH01964: Connection to child 16 established (server some-sever.pl:443)                                                                                                                                                 
[Wed Dec 18 15:18:53.121200 2013] [ssl:trace2] [pid 25678] ssl_engine_rand.c(124): Seeding PRNG with 0 bytes of entropy                                      
[Wed Dec 18 15:18:53.121349 2013] [ssl:trace3] [pid 25678] ssl_engine_kernel.c(1838): [client x.y.z.q:62657] OpenSSL: Handshake: start                
[Wed Dec 18 15:18:53.121386 2013] [ssl:trace3] [pid 25678] ssl_engine_kernel.c(1847): [client x.y.z.q:62657] OpenSSL: Loop: before/accept initialization                                                                                                                                                           
[Wed Dec 18 15:18:53.121405 2013] [core:trace6] [pid 25678] core_filters.c(525): [client x.y.z.q:62657] core_output_filter: flushing because of FLUSH bucket
[Wed Dec 18 15:18:53.121443 2013] [ssl:trace4] [pid 25678] ssl_engine_io.c(2031): [client x.y.z.q:62657] OpenSSL: read 11/11 bytes from BIO#2050240 [mem: 20228a0] (BIO dump follows)
[Wed Dec 18 15:18:53.121466 2013] [ssl:trace7] [pid 25678] ssl_engine_io.c(1959): +-------------------------------------------------------------------------+
[Wed Dec 18 15:18:53.121501 2013] [ssl:trace7] [pid 25678] ssl_engine_io.c(1998): | 0000: 16 03 00 00 73 01 00 00-6f 03                    ....s...o.       |
[Wed Dec 18 15:18:53.121509 2013] [ssl:trace7] [pid 25678] ssl_engine_io.c(2002): | 0011 - <SPACES/NULS>
[Wed Dec 18 15:18:53.121516 2013] [ssl:trace7] [pid 25678] ssl_engine_io.c(2004): +-------------------------------------------------------------------------+
[Wed Dec 18 15:18:53.121543 2013] [core:trace6] [pid 25678] core_filters.c(525): [client x.y.z.q:62657] core_output_filter: flushing because of FLUSH bucket
[Wed Dec 18 15:18:53.121562 2013] [ssl:trace4] [pid 25678] ssl_engine_io.c(2031): [client x.y.z.q:62657] OpenSSL: read 109/109 bytes from BIO#2050240 [mem: 20228ae] (BIO dump follows)
[Wed Dec 18 15:18:53.121631 2013] [ssl:trace7] [pid 25678] ssl_engine_io.c(1959): +-------------------------------------------------------------------------+
[Wed Dec 18 15:18:53.121735 2013] [ssl:trace7] [pid 25678] ssl_engine_io.c(1998): | 0000: 52 b1 ae 86 ef 3c a7 ad-09 af 81 34 d1 d3 3c 66  R....<.....4..<f |
[Wed Dec 18 15:18:53.121764 2013] [ssl:trace7] [pid 25678] ssl_engine_io.c(1998): | 0010: e6 99 fb 68 73 78 a9 ab-36 fa 22 cf 20 21 bf ef  ...hsx..6.". !.. |
[Wed Dec 18 15:18:53.121779 2013] [ssl:trace7] [pid 25678] ssl_engine_io.c(1998): | 0020: 20 39 c3 1b 07 28 03 81-3c 5c c3 ba 38 7c bf 01   9...(..<\\..8|.. |
[Wed Dec 18 15:18:53.121809 2013] [ssl:trace7] [pid 25678] ssl_engine_io.c(1998): | 0030: 89 27 46 49 af a8 d5 51-3d 4e c0 3e 89 7d d7 90  .'FI...Q=N.>.}.. |
[Wed Dec 18 15:18:53.121823 2013] [ssl:trace7] [pid 25678] ssl_engine_io.c(1998): | 0040: 4a 00 28 00 ff 00 88 00-87 00 39 00 38 00 84 00  J.(.......9.8... |
[Wed Dec 18 15:18:53.121848 2013] [ssl:trace7] [pid 25678] ssl_engine_io.c(1998): | 0050: 35 00 45 00 44 00 33 00-32 00 96 00 41 00 2f 00  5.E.D.3.2...A./. |
[Wed Dec 18 15:18:53.121918 2013] [ssl:trace7] [pid 25678] ssl_engine_io.c(1998): | 0060: 05 00 04 00 16 00 13 fe-ff 00 0a 01              ............     |
[Wed Dec 18 15:18:53.121926 2013] [ssl:trace7] [pid 25678] ssl_engine_io.c(2002): | 0109 - <SPACES/NULS>
[Wed Dec 18 15:18:53.121933 2013] [ssl:trace7] [pid 25678] ssl_engine_io.c(2004): +-------------------------------------------------------------------------+
[Wed Dec 18 15:18:53.121991 2013] [socache_shmcb:debug] [pid 25678] mod_socache_shmcb.c(522): AH00835: socache_shmcb_retrieve (0x39 -> subcache 25)
[Wed Dec 18 15:18:53.122010 2013] [socache_shmcb:debug] [pid 25678] mod_socache_shmcb.c(845): AH00849: match at idx=0, data=0
[Wed Dec 18 15:18:53.122019 2013] [socache_shmcb:debug] [pid 25678] mod_socache_shmcb.c(532): AH00836: leaving socache_shmcb_retrieve successfully
[Wed Dec 18 15:18:53.122059 2013] [ssl:trace2] [pid 25678] ssl_engine_kernel.c(1698): Inter-Process Session Cache: request=GET status=FOUND id=39c31b072803813c5cc3ba387cbf0189274649afa8d5513d4ec03e897dd7904a (session reuse)
[Wed Dec 18 15:18:53.122132 2013] [core:trace6] [pid 25678] core_filters.c(525): [client x.y.z.q:62657] core_output_filter: flushing because of FLUSH bucket
[Wed Dec 18 15:18:53.122182 2013] [ssl:trace3] [pid 25678] ssl_engine_kernel.c(1857): [client x.y.z.q:62657] OpenSSL: Write: SSLv3 read client hello C
[Wed Dec 18 15:18:53.122200 2013] [ssl:trace3] [pid 25678] ssl_engine_kernel.c(1876): [client x.y.z.q:62657] OpenSSL: Exit: error in SSLv3 read client hello C
[Wed Dec 18 15:18:53.122217 2013] [ssl:trace3] [pid 25678] ssl_engine_kernel.c(1876): [client x.y.z.q:62657] OpenSSL: Exit: error in SSLv3 read client hello C
[Wed Dec 18 15:18:53.122233 2013] [ssl:info] [pid 25678] [client x.y.z.q:62657] AH02008: SSL library error 1 in handshake (server some-sever.pl:443)
[Wed Dec 18 15:18:53.122286 2013] [ssl:info] [pid 25678] SSL Library Error: error:1408A0D7:SSL routines:SSL3_GET_CLIENT_HELLO:required cipher missing
[Wed Dec 18 15:18:53.122302 2013] [ssl:info] [pid 25678] [client x.y.z.q:62657] AH01998: Connection closed to child 16 with abortive shutdown (server some-sever.pl:443)
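
The BIO dump in the log above is the ClientHello that Apache rejected. The following is an added example (not part of the original comment, and not Apache or OpenSSL code) that decodes it and applies the rule OpenSSL enforces on session reuse: the reused session's cipher must appear in the hello's suite list. The `cached_cipher` values are assumptions, because the log does not show which suite the cached session used.

```python
import re
import struct

# Hex columns of the mod_ssl trace7 BIO dump in the log above (two reads).
DUMP = """\
0000: 16 03 00 00 73 01 00 00-6f 03
0011 - <SPACES/NULS>
0000: 52 b1 ae 86 ef 3c a7 ad-09 af 81 34 d1 d3 3c 66
0010: e6 99 fb 68 73 78 a9 ab-36 fa 22 cf 20 21 bf ef
0020: 20 39 c3 1b 07 28 03 81-3c 5c c3 ba 38 7c bf 01
0030: 89 27 46 49 af a8 d5 51-3d 4e c0 3e 89 7d d7 90
0040: 4a 00 28 00 ff 00 88 00-87 00 39 00 38 00 84 00
0050: 35 00 45 00 44 00 33 00-32 00 96 00 41 00 2f 00
0060: 05 00 04 00 16 00 13 fe-ff 00 0a 01
0109 - <SPACES/NULS>
"""

def dump_to_bytes(dump):
    """Rebuild the byte stream. The dump trims trailing NUL/space bytes and
    records each read's full length in the 'NNNN - <SPACES/NULS>' row."""
    out, chunk = bytearray(), bytearray()
    for line in dump.splitlines():
        pad = re.match(r"\s*(\d{4}) - <SPACES/NULS>", line)
        row = re.match(r"\s*[0-9a-f]{4}: ((?:[0-9a-f]{2}[ -]?)+)", line)
        if pad:
            # Assumption: the trimmed bytes were NULs (true for this hello).
            chunk.extend(b"\x00" * (int(pad.group(1)) - len(chunk)))
            out, chunk = out + chunk, bytearray()
        elif row:
            chunk += bytes.fromhex(row.group(1).replace("-", " "))
    return bytes(out + chunk)

def parse_client_hello(rec):
    """Decode a single TLS record that carries a ClientHello."""
    ctype, _rec_version, rec_len = struct.unpack("!BHH", rec[:5])
    body = rec[5:5 + rec_len]
    if ctype != 0x16 or body[0] != 0x01:
        raise ValueError("not a handshake record with a ClientHello")
    version = struct.unpack("!H", body[4:6])[0]
    pos = 4 + 2 + 32                  # handshake header, version, random
    sid_len = body[pos]
    session_id = body[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos + 2, pos + 2 + cs_len, 2)]
    pos += 2 + cs_len
    pos += 1 + body[pos]              # compression methods
    return {"version": version, "session_id": session_id.hex(),
            "suites": suites, "has_extensions": pos < len(body)}

def resumption_verdict(hello, cached_cipher):
    """Server-side rule: a session offered for reuse must have its cipher in
    the ClientHello's suite list, otherwise the handshake is aborted."""
    if not hello["session_id"]:
        return "full handshake"
    return "resume" if cached_cipher in hello["suites"] else "illegal_parameter"

HELLO = parse_client_hello(dump_to_bytes(DUMP))
# cached_cipher values are hypothetical; the log does not name the session's suite.
print(hex(HELLO["version"]), len(HELLO["suites"]), HELLO["has_extensions"],
      resumption_verdict(HELLO, 0xC014), resumption_verdict(HELLO, 0x0035))
```

Decoded, the rejected hello is SSL 3.0 (`0x0300`) with 20 cipher suites, a 32-byte session ID matching the "session reuse" line in the log, and no extensions, so it carries no SNI.
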
This bug also occurs on my computer after having upgraded to Firefox 26. If it comes, you press the retry button two or three times, then it works. It did not occur under IE; so I think, this must be a specific property of Firefox 26.
Firefox updated to 26 automatically a few days ago, and since then this problem has arisen - apparently on opening https pages. I have Kaspersky Internet Security 12, and for me it is certainly this that Firefox 26 is having a problem with - or the other way round - as, when I pause Kaspersky temporarily, the problem goes away, and immediately returns on restarting Kaspersky. Ironically it happened when trying to log in here! 3 or 4 'try agains' get pages open, but it is a real annoyance. I think I will have to resort to Chrome until these two sort themselves out.

There is a Kaspersky forum thread open on this issue at http://forum.kaspersky.com/index.php?showtopic=281607&hl=firefox+26+ssl+peer+reject but it goes nowhere helpful so far, as I write.
(In reply to rjhf from comment #4)
> Firefox updated to 26 automatically a few days ago
[...]

Could you test this way:
- disable kaspersky
- shut down firefox 26
- start fresh firefox 26
- go to https://crm-tryout.domainmaker.pl/
- see if error occurs, if not try ctrl+f5 several times

Did the problem occur with such scenario?
(In reply to Arkadiusz Miskiewicz from comment #5)
> (In reply to rjhf from comment #4)
> > Firefox updated to 26 automatically a few days ago
> [...]
> 
> Could you test this way:
> - disable kaspersky
> - shut down firefox 26
> - start fresh firefox 26
> - go to https://crm-tryout.domainmaker.pl/
> - see if error occurs, if not try ctrl+f5 several times
> 
> Did the problem occur with such scenario?

Just wrote you a long reply detailing what I tried in different ways - and lost it by inadvertently closing pages. Anyway the result was that the error still occurred, although I did find on one occasion that it happened both with and without Kaspersky enabled - so there must be more to it than just Kaspersky. But turning Kaspersky off does always seem to have the immediate effect of allowing pages to open. I would have to run for a longer period with Kaspersky disabled to see if the problem persists without Kaspersky, which I am reluctant to do.
I'm having the same issue with this intermittent SSL error. Using version 26, but I do not have Kaspersky - using MS Security Essentials.

Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
I have the same issue with google.com, facebook.com, twitter.com and others.
I think it has something to do with HTTPS and Kaspersky (I use Kaspersky Endpoint 8)
Occurs with and without Avast.  Only started to occur with Firefox 26. Appears to occur on multiple HTTPS sites, not linked just to Google
Kaspersky released a patch for Endpoint 8.1.0.1042
I assume yes, but can you confirm Roey.  Did that Kaspersky update solve the problem for you?
Flags: needinfo?(roey_nissim)
As for me, the Kaspersky update resolved the problem. On the other hand, colleagues with IE did not need the Kaspersky update. Neither did the previous version of Firefox. So, there is something wrong with Firefox 26, but a work-around exists (at least in connection with Kaspersky)
The patch Kaspersky released works but ff26 sucks
Flags: needinfo?(roey_nissim)
Intermittent issue still exists with Firefox 26 with Kaspersky or Avast AntiVirus.  Appears to be more noticeable when you have a slow internet connection
Because the bug is not in Kaspersky. Kaspersky can only make it easier to appear (or harder if they did some Firefox bug workarounds).

This bug happens without Kaspersky being installed, so clearly not Kaspersky's fault.
I agree Arkadiusz, but I'd rather keep things up to date than roll back to FF25.  So if the Kaspersky update will mitigate/correct the issue even though it's not their fault, then that's the better solution in my book.
With the patch I don't get the error anymore, but sometimes https sites don't show the lock next to the address but an exclamation mark. Is this related?
Strangely, I have only just received notification of the last 6 contributions to this thread - all received within the past few minutes!

Anyway, I gave up on a Firefox-related solution so concentrated on Kaspersky instead.  Following Kaspersky advice, I upgraded to KIS 2014 and as far as Kaspersky/Firefox 26 is concerned, the problem has been 100% resolved by this upgrade, and F/F 26 now works without issue. I cannot comment on other AV/browser set-ups, but I might guess that similar upgrading action might help?

I hope this helps some, at least.

Good luck
Just adding another data point, but this time from the point of view of a web server administrator.

Client: Firefox 26, Windows 7 x64, Microsoft Security Essentials
Server: Linux, Apache 2.4.6, OpenSSL 1.0.1e, three SSL websites on the same IP using SNI

After upgrading to Firefox 26, almost every SSL request to my own server would generate the error that other people have mentioned in this thread. Changed every setting I could imagine on the server side, but no luck. Played with the add-ons on the client side, still no luck. No Kaspersky involved, either.

What fixed the problem for me was removing SNI from the server. After I put each website on a different IP, or at least a different port on the same IP, the problem disappeared.

So the problem might have been related to the SNI implementation, either in Firefox 26, or in recent versions of certain web servers and/or the OpenSSL library. Or maybe I just had my server configured wrong. Anyway, it's one more data point, and if others can reproduce the problem, all the better.
Disabling SNI didn't work for me. Changed the config, so only non-https vhosts were being "NameVirtualHost". https services had one ip per service (verified by httpd -S). Still I was able to easily replicate the problem using firefox 26.
firefox 27 seems to fix the problem here. Could anyone else verify, too?
(In reply to Arkadiusz Miskiewicz from comment #21)
> firefox 27 seems to fix the problem here. Could anyone else verify, too?

Just a quick observation re the earlier Kaspersky issue raised, which I found resolved by upgrading to KIS 2014 (and still no problem here), please note that F/F 27 disables all the Kaspersky add-ons for the time being, so is no longer compatible again. I have therefore not upgraded to 27!
Component: Untriaged → Extension Compatibility
Summary: ssl_error_illegal_parameter_alert occurring intermittently with Firefox 26 → ssl_error_illegal_parameter_alert occurring intermittently with Firefox 26 due to Kaspersky Internet Security
@Brian: this is not "26 due to Kaspersky", so please don't set false bug properties. It happens without kaspersky, too (which is more important than failure with kaspersky).
(In reply to Arkadiusz Miskiewicz from comment #23)
> @Brian: this is not "26 due to Kaspersky", so please don't set false bug
> properties. It happens without kaspersky, too (which is more important than
> failure with kaspersky).

Thanks. Since internally we used this bug to track the issue thinking it was an issue only with Kaspersky, I have filed another bug to track the more-general problem; see bug 968449.
This should be marked status confirmed.

Something changed in 25.x => 26 (it is still in 27.x).

I have one computer at 25.x that has been staying current, the other (that I'm posting from) is still at 3.28 (it doesn't have the problem -- neither does explorer).

Both are configured to go through a proxy.

Trying to monitor protocol on wireshark, it looked like a problem to do with a TLS problem on the proxy.

3.26 works and traffic is encrypted using TLSv1 -- I see the CONNECT message through the proxy,
then throughout the conversation various Server Hello, Change Cipher Spec, Encrypted Handshake Messages
on 3.26, which I don't recall seeing before during an encrypted session, but that may be normal.

On V26 or above, it won't connect to any site -- HTTP or HTTPS.

Was encryption changed in V26, especially when going through http proxies?


I think this has something to do with encryption when going through proxies.

My proxy is a recent version of squid.  I'm thinking something changed when I recompiled squid to
be able to monitor SSL, but _not_ having enabled the ability (i.e. haven't changed config file yet), nor have I installed any encryption keys on it yet (because I hadn't configured it to do anything with it).

Maybe enabling the ability and not configuring it is causing a problem in my case?

But that does not explain why NO sites work. (i.e. no HTTP sites).

On my end, I think I will likely try tinkering with the squid options and/or turning back off the SSL
monitoring ability. 

So what HTTPS related changes went into V26?
UPDATE -- This problem seems to have happened when going from v24->V25 , not =>26 as I first thought.

I think that machine missed getting the 26 notification, so was thinking it was only back 1 version.

This shouldn't be related, but under the Mobile section, I saw changes for:

Mixed content blocking enabled to protect users from man-in-the-middle attacks and eavesdroppers on HTTPS pages

Do the mobile and desktop releases share any code base?
(In reply to L A Walsh from comment #26)
> UPDATE -- This problem seems to have happened when going from v24->V25 , not
> =>26 as I first thought.

Matt, I'd like to help L A Walsh to bisect the betas of Firefox 24. Have you done this before? Can you help with the instructions for doing the bisection? He/she is behind a proxy, and it will be difficult for us to debug anything from our end. But, if we can narrow it down to a narrower regression range, that will help a lot.
Flags: needinfo?(mwobensmith)
Happy to help L A Walsh use the mozregression tool, which is located here:

https://github.com/mozilla/mozregression

Follow the instructions to download and run. The argument we'd want to pass is the dates that Firefox 25 was on nightly, so that might be:

mozregression --good=2013-06-25 --bad=2013-08-06

If you run that - and rerun your steps to reproduce - it can help us determine which build of Firefox 25 introduced the problem.

Give it a try and let us know what you find. Thank you very much for helping us investigate this problem.
Flags: needinfo?(mwobensmith)
I have this issue on FF v27.0.1 and KIS 2013
I'm getting this on my personal site:

https://www.zigg.com/

Both with Squid and without.  Firefox 28.0, OS X 10.9.2.

The Squid log for a failure is interesting:

xxxxxxxxxx.xxx    116 127.0.0.1 TCP_MISS/200 7 CONNECT www.zigg.com:443 - HIER_DIRECT/69.73.131.21 -

Only 7 bytes?
I can confirm this bug. We are in the process of upgrading Firefox from 24.x ESR to 31.1.0 ESR and this issue popped up. Disabling Web Control in Kaspersky Enterprise Security 8 stops the problem from occurring. Strangely enough the Web Anti-Virus part of KES 8 does not affect this issue (I can leave it enabled).
Status: UNCONFIRMED → NEW
Ever confirmed: true
With the help of the folks at the Kaspersky forum I found the thread there: http://forum.kaspersky.com/index.php?showtopic=282684 - it seems pf133 solves this issue for KES 8.
Secure Connection Failed

An error occurred during a connection to servizididattica.unical.it. The SSL peer rejected a handshake message for unacceptable content. (Error code: ssl_error_illegal_parameter_alert)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owner to inform them of this problem.

https://servizididattica.unical.it/ssweb/gissweb.home
Do you still encounter this issue when using a current version?
Flags: needinfo?(richard)
Flags: needinfo?(piepsster)
Flags: needinfo?(firefox)
Flags: needinfo?(arekm)
Whiteboard: [closeme 2018-01-15]
Given the length of time that Firefox development have left this bug open, I have changed AV suppliers and am no longer on the main branch.  Firefox have moved me to the ESR stream as they haven't provided the needed APIs with Quantum for the addons that I regard as essential.

With Firefox 52.5.2 and Avira together with Malwarebytes - this issue is not appearing.  Note I have SSL everywhere enabled by default
Flags: needinfo?(firefox)
(In reply to Wayne Mery (:wsmwk) from comment #34)
> Do you still encounter this issue when using a current version?

Haven't seen this for a long time.
Flags: needinfo?(arekm)
(In reply to Wayne Mery (:wsmwk) from comment #34)
> Do you still encounter this issue when using a current version?

I haven’t used Kaspersky in about 4 years. IIRC from comment #32 this was fixed in KES 8 and was never an issue with KES 10.
Flags: needinfo?(richard)
Resolved per whiteboard and comment 36
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(piepsster)
Resolution: --- → WORKSFORME
Whiteboard: [closeme 2018-01-15]