This is interesting. I've been getting these same errors for a short while now, but ONLY when I'm on a poor Wi-Fi connection. Here are a few things I've noticed:
1) Sites that work well on a fast connection suddenly start to give me this error when I'm on a poor connection - seems like a time-out of some sort. It gets worse if I try to load several such sites at once.

2) If I toggle "Query OCSP responder servers to confirm validity of certificates" in Preferences -> Advanced -> Certificates off and then back on quickly (meaning, the box starts out checked, I uncheck it and then re-check it before doing anything else), then "Try Again" or a refresh brings up the site without any issues.

3) I am totally unable to reproduce this error in Iceweasel or any other Mozilla-based browsers, even while on a poor connection, so it's an Icecat-specific phenomenon.

Essentially, the "unsafe" sites load fine if the query doesn't time out first. I've found that if I only load one site at a time, the errors are minimized, and if I move to a better Wi-Fi area (or hook up to Ethernet), then the problem goes away entirely.

My short-term workaround is to only load one SSL site at a time when I'm on a weak signal, or to toggle that OCSP setting quickly if it ever gives me an issue. I never have to leave the setting off, just a quick toggle seems to be enough to reset the cache (or whatever is happening).

thanks,
- KRT

On 02/27/2017 07:32 AM, [email protected] wrote:
> Thank you for the reply - most helpful.
>
> Regards
> Habs
>
> On 27 February 2017 at 11:24, jc_gargma <[email protected]> wrote:
>
> > > Error code: SSL_ERROR_UNSAFE_NEGOTIATION
> This error is due to the site not supporting RFC 5746.
> Without it the browser has no way of knowing whether the site is vulnerable to
> a potential MITM attack, and therefore assumes the connection is unsafe.
>
> Contacting the site owners might help in the long run, though not all sites
> are receptive to unsolicited security advice.
>
> In the meantime, if you really need to access those sites, you can toggle
> security.ssl.require_safe_negotiation
> to false in about:config
>
> > > I did notice during one of these scenarios, that Firefox was reporting
> > > TLS1.0. It led me to wonder if it is a settings issue on what level of ssl
> > > components are acceptable.
> IceCat used to require at least TLS 1.2 by default.
> It no longer does, but it's possible your settings are inherited from a
> previous version.
> In such a case, you may also need to set
> security.tls.version.min
> to 1
>
> > > In some cases, Icecat reports an unsafe/unencrypted session and no valid or
> > > invalid certificate is available, when Firefox states for the same page it
> > > is ok (and I can browse the certificate details etc).
> > >
> > > Is Icecat set up by default to be less forgiving towards what it receives
> > > SSL wise, bearing in mind I have not changed any ssl related settings in
> > > either browser?
> Yes, but TLS 1.2 and cipher settings have been relaxed in recent versions due
> to how many sites were broken by default.
>
> -jc
>
> --
> http://gnuzilla.gnu.org
-- http://gnuzilla.gnu.org
