Closed Bug 968256 Opened 10 years ago Closed 8 years ago

Applied Firefox 27.0 (20140127194636) Security Update and when I access a secure site with HTTPS I get: Peer was unable to decrypt an SSL record it received. (Error code: ssl_error_decryption_failed_alert)

Categories

(Core :: Security: PSM, defect)

27 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

RESOLVED INCOMPLETE
Tracking Status
firefox27 ? ---

People

(Reporter: raul.rivera, Unassigned)

Details

(Keywords: regression, Whiteboard: [closeme 2016-04-17])

User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; CMDTDF; InfoPath.3; BOIE9;ENUSMSE)

Steps to reproduce:

https://10.2.64.2/login.html


Actual results:

Peer was unable to decrypt an SSL record it received. (Error code: ssl_error_decryption_failed_alert)


Expected results:

Should have access to my equipment management page. This happened yesterday after Firefox updated. I can log on using IE or Chrome without issue.
Component: Untriaged → Security: PSM
Keywords: regression
Product: Firefox → Core
Flags: needinfo?(brian)
I am not going to be able to access your server using any browser because it is inaccessible from where I am. Do you know how to use Wireshark or similar? If so, could you please do a capture of your connection to the server and attach it to this bug? During the attachment process, there is a way to make the attachment private so that only screened security people at Mozilla can see it.

It would be great to get a capture from Chrome that works and one from Firefox that won't. If you can give me the capture I can probably fix this very quickly.
Flags: needinfo?(brian) → needinfo?(raul.rivera)
Might also help if you connect to that server using Chrome, and then tell us what cipher suite it negotiated. You should be able to find this by clicking on the lock icon next to the URL, then switching to the "connection" tab. We want the block of text starting "Your connection to <site> is encrypted with..." all the way down to the faint line after it talks about the key exchange mechanism.

If you know the software running on that server that might help us track down a similar machine (Apache, nginx, IIS, some kind of load balancer or proxy in between?).
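The two requests above ask the reporter for a packet capture and for the negotiated protocol version and cipher suite. The following is an added example, not code from Mozilla, NSS, or anyone in this bug, that decodes the raw TLS record bytes such a capture would contain: it reports the version and cipher suites the client offered in its ClientHello and decodes the alert the server answered with (alert description 21, decryption_failed, is what NSS surfaces as ssl_error_decryption_failed_alert). The function names are the example's own, the sample bytes are constructed (a ClientHello offering TLS 1.2 with the 3DES and RC4 suites seen later in this thread, followed by a fatal decryption_failed alert), and the random field is zero-filled as a placeholder.

```python
import struct

# Added example (not Mozilla/NSS code): decode the TLS records a Wireshark
# capture would show, so a reporter can state which ClientHello version and
# cipher suites the client offered and which alert the server answered with.

CONTENT_TYPES = {0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
# Alert descriptions from RFC 5246 section 7.2; 21 is what NSS reports as
# ssl_error_decryption_failed_alert ("Peer was unable to decrypt an SSL record").
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      21: "decryption_failed", 22: "record_overflow", 40: "handshake_failure",
                      70: "protocol_version", 86: "inappropriate_fallback"}
CIPHER_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}


def parse_records(data: bytes):
    """Split a byte string into (content_type, version, payload) TLS records."""
    records, offset = [], 0
    while offset < len(data):
        if offset + 5 > len(data):
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        records.append((CONTENT_TYPES.get(ctype, f"type {ctype}"), (major, minor), payload))
        offset += 5 + length
    return records


def decode_alert(payload: bytes) -> dict:
    """Alert = 1 byte level (1 warning, 2 fatal) + 1 byte description."""
    if len(payload) != 2:
        raise ValueError("alert payload must be 2 bytes")
    level, desc = payload
    return {"level": {1: "warning", 2: "fatal"}.get(level, f"level {level}"),
            "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")}


def decode_client_hello(payload: bytes) -> dict:
    """Extract the offered protocol version and cipher suites from a ClientHello."""
    if payload[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    version = (body[0], body[1])
    pos = 2 + 32            # skip client_version and the 32-byte random
    pos += 1 + body[pos]    # skip session_id (length-prefixed)
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    return {"version": VERSIONS.get(version, f"{version}"),
            "cipher_suites": [CIPHER_SUITES.get(s, f"0x{s:04x}") for s in suites]}


def summarize(data: bytes):
    """One readable line per record; the record version next to the offered
    version shows whether the client was already on a fallback retry."""
    lines = []
    for ctype, version, payload in parse_records(data):
        record_version = VERSIONS.get(version, f"{version}")
        if ctype == "handshake" and payload[:1] == b"\x01":
            hello = decode_client_hello(payload)
            lines.append(f"ClientHello (record {record_version}, offers {hello['version']}): "
                         + ", ".join(hello["cipher_suites"]))
        elif ctype == "alert":
            alert = decode_alert(payload)
            lines.append(f"Alert ({record_version}): {alert['level']} {alert['description']}")
        else:
            lines.append(f"{ctype} ({record_version}), {len(payload)} bytes")
    return lines


# Constructed sample: ClientHello offering TLS 1.2 with 3DES and RC4, then the
# server's fatal decryption_failed alert. The zero random bytes are a placeholder.
SAMPLE_CLIENT_HELLO = (b"\x16\x03\x01\x00\x31"        # record: handshake, TLS 1.0, 49 bytes
                       + b"\x01\x00\x00\x2d"          # handshake: ClientHello, 45-byte body
                       + b"\x03\x03" + bytes(32)      # client_version TLS 1.2, random
                       + b"\x00"                      # empty session_id
                       + b"\x00\x04\x00\x0a\x00\x05"  # suites: 3DES_EDE_CBC_SHA, RC4_128_SHA
                       + b"\x01\x00"                  # compression: null only
                       + b"\x00\x00")                 # no extensions
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x15"         # alert: fatal, decryption_failed

if __name__ == "__main__":
    for line in summarize(SAMPLE_CLIENT_HELLO + SAMPLE_ALERT):
        print(line)
```

Feeding it the payload of the TCP stream from a capture (Wireshark's "Follow TCP Stream" raw export, for example) gives the defender the same facts the two comments above ask for without sharing the whole capture publicly.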
This error was reported to us for one of our websites.  While troubleshooting the error I noticed that the SSL connection only has 128-bit encryption, not 256-bit encryption.  We have sites with other ISPs and all have 256-bit encryption and they all work fine with Firefox version 27.0.  The failing site is hosted on an older server.

Text displayed when I check our SSL cert:

Your connection to www.ourwebsiteURL.com is
encrypted with 128-bit encryption.

The connection uses TLS 1.0.

The connection is encrypted using RC4_128, with
SHA1 for message authentication and RSA as the
key exchange mechanism.

The connection had to be retried using an older
version of the TLS or SSL protocol.  This typically
means that the server is using very old software
and may have other security issues.

The server does not support the TLS renegotiation
extension.
(In reply to Morris from comment #3)
> This error was reported to us for one of our websites.  While troubleshooting
> the error I noticed that the SSL connection only has 128-bit encryption, not
> 256-bit encryption.


> The connection had to be retried using an older
> version of the TLS or SSL protocol.  This typically
> means that the server is using very old software
> and may have other security issues.

Please contact the vendor of your web server software and ask them for a fix.

Like Chrome's error message says, it is highly likely (almost definitely) that your web server software has one or more serious bugs and needs to be patched.

In some cases, there are differences between Chrome's fallback logic for broken servers and Firefox's fallback logic for broken servers. That seems to be the case here. I'm not sure if Chrome is intended to do TLS version fallback for ssl_error_decryption_failed_alert errors. I will ask the Chrome people.

lsblakk: Let's see what Raul has to say before untracking this.
I neglected to tell you that IE and Chrome, and Firefox v25.0 can access the SSL https:// pages on this "failing" site without any problem - it's just Firefox v27.0 that gets the error.  After updating my Firefox v25 to v27, I got the ssl_error_decryption_failed_alert error.
I confirm I have the same problem with Firefox 28.0 on Windows 7.
Does not happen with the latest Chrome on Windows 7 (Version 34.0.1847.116 m), Internet Explorer 11 on Windows 7, or with Safari on iPad.

And yes, the server is obsolete. I have the very same information message on Chrome, except that:

112-bit encryption.
The connection is encrypted using 3DES_EDE_CBC
(In reply to Julian from comment #6)

I wanted to write:

I have the very same information message as in Morris's previous Chrome report, except that:

112-bit encryption.
The connection is encrypted using 3DES_EDE_CBC
Hi Raul,

The provided URL is not available, can you please provide another link so we can test this?

Also, is this still reproducible on your end? If yes, can you please retest this using the latest Firefox release and the latest Nightly build (https://nightly.mozilla.org/) and report back the results? When doing this, please use a new clean Firefox profile, maybe even safe mode, to eliminate custom settings as a possible cause (https://goo.gl/PNe90E).

Thanks,
Cosmin.
Whiteboard: [closeme 2016-04-17]
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(raul.rivera)
Resolution: --- → INCOMPLETE