Re: Problems with FF and internal certificates
Posting to mozilla-dev-tech-crypto instead. firefox-dev to bcc.

> On Apr 27, 2015, at 2:03 PM, Michael Peterson wrote:
>
> Firefox does not like our internal certificates. I'm trying to figure out
> why...
>
> tl;dr - Our internal IIS servers, signed with our internal CA, present a
> "Secure Connection Failed" page, with technical details that say "Connection
> Not Encrypted". The certificate is installed in Firefox's internal
> certificate store.
>
> Here are our certificates:
> https://www.highlands.edu/site/is-certification-authority
> Unfortunately, we can't expose said internal servers for you to see the exact
> error page. Here are screenshots though: https://imgur.com/a/dmMdG
>
> The weird part of all this is that our internal certificates work fine on
> Apache (suggesting that the problem is IIS). However, our IIS servers work
> fine with any other certificates, such as third party (GeoTrust) or self
> signed (suggesting that the problem is the cert).
>
> If I add an exception, such as someinternal.highlands.edu under the
> about:config page to "security.tls.insecure_fallback_hosts", then the site
> works.
>
> If I look at IIS error logs I see the following two errors over and over when
> I hit it with Firefox (but not Chrome, IE, Safari, etc.):
>
>> An TLS 1.2 connection request was received from a remote client
>> application, but none of the cipher suites supported by the client
>> application are supported by the server. The SSL connection request has
>> failed.
>
>> A fatal alert was generated and sent to the remote endpoint. This may
>> result in termination of the connection. The TLS protocol defined fatal
>> error code is 40. The Windows SChannel error state is 1205.
>
> Now, in the album I posted above (https://imgur.com/a/dmMdG), the last two
> screenshots show a packet capture from Wireshark. It appears that Firefox
> does not support SHA512, which is kind of supported by this article
> (http://blogs.technet.com/b/silvana/archive/2014/03/14/schannel-errors-on-scom-agent.aspx).
> I'm not exactly sure this is true, and it seems like a silly thing for
> Firefox to drop support though (this previously worked), especially if every
> other browser in the world supports this.
>
> So there's everything we've found, and some of my assumptions. Does anyone
> know what is actually going on with Firefox? Is this a bug? Are we doing
> something wrong? How do we fix this?
>
> ___
> firefox-dev mailing list
> firefox-...@mozilla.org
> https://mail.mozilla.org/listinfo/firefox-dev

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
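The handshake failure in the report is a negotiation problem, not a trust problem: the IIS event says the server found no usable cipher suite and answered with alert 40 (handshake_failure). In TLS 1.2 the client lists the hash/signature pairs it accepts in the signature_algorithms extension (RFC 5246 section 7.4.1.4.1), and a server that will only present a certificate whose signature matches that list ends up with an empty suite list when the chain is signed with a hash the client did not advertise. The following is an added example, not code from the thread, from Mozilla or from Microsoft: it serializes a minimal TLS 1.2 ClientHello, parses the cipher_suites list and the signature_algorithms extension back out (the same fields a Wireshark capture shows), and models the server-side selection. The cipher suite ids and hash/signature code points are the IANA values; the strict selection rule in select_suite is an assumption modelling the behaviour the log describes, not SChannel's actual code.

```python
"""Added example (not from the thread, Mozilla or Microsoft): build and parse a
TLS 1.2 ClientHello and model a server that refuses to present a certificate
whose signature hash the client did not advertise."""
import struct

HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}
SIGNATURE_ALGORITHMS_EXT = 0x000D
HANDSHAKE_FAILURE = 40                  # AlertDescription.handshake_failure
TLS12 = b"\x03\x03"
# RFC 5246: without the extension the server behaves as if {sha1, <sig>} was sent.
IMPLICIT_SIG_ALGS = [(2, 1), (2, 2), (2, 3)]


def build_client_hello(cipher_suites, sig_algs):
    """Serialize a TLS 1.2 ClientHello record. cipher_suites: 16-bit ids;
    sig_algs: (hash_id, sig_id) pairs in preference order (empty = no extension)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = TLS12 + b"\x00" * 32          # client_random: constructed, all zero
    body += b"\x00"                       # empty session_id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                   # one compression method: null
    if sig_algs:
        algs = b"".join(bytes((h, s)) for h, s in sig_algs)
        ext_body = struct.pack("!H", len(algs)) + algs
        ext = struct.pack("!HH", SIGNATURE_ALGORITHMS_EXT, len(ext_body)) + ext_body
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # client_hello
    return b"\x16" + TLS12 + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return version, cipher suites and advertised signature algorithms
    (None when the extension is absent) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = body[pos:pos + 2]
    pos += 2
    pos += 32                             # skip client_random
    pos += 1 + body[pos]                  # skip session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                  # skip compression_methods
    sig_algs = None
    if pos < len(body):
        (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == SIGNATURE_ALGORITHMS_EXT:
                (n,) = struct.unpack("!H", data[:2])
                sig_algs = [(data[2 + i], data[3 + i]) for i in range(0, n, 2)]
    return {"version": version, "cipher_suites": suites, "signature_algorithms": sig_algs}


def describe_sig_algs(sig_algs):
    """Human-readable 'hash/sig' names, e.g. 'sha256/rsa'."""
    return [f"{HASH_NAMES.get(h, h)}/{SIG_NAMES.get(s, s)}" for h, s in sig_algs]


def select_suite(hello, server_suites, cert_hash, cert_sig):
    """Assumed server-side selection: keep suites both sides support and, for
    TLS 1.2, refuse to present a certificate whose signature hash/sig pair the
    client did not advertise. Returns (suite, None) or (None, alert_code)."""
    common = [s for s in server_suites if s in hello["cipher_suites"]]
    advertised = hello["signature_algorithms"] or IMPLICIT_SIG_ALGS
    if hello["version"] == TLS12 and (cert_hash, cert_sig) not in advertised:
        common = []                       # certificate unusable for this client
    if not common:
        return None, HANDSHAKE_FAILURE
    return common[0], None


if __name__ == "__main__":
    ECDHE_RSA_AES128_GCM_SHA256, RSA_AES128_SHA = 0xC02F, 0x002F
    server = [ECDHE_RSA_AES128_GCM_SHA256, RSA_AES128_SHA]
    # Client that advertises sha256/sha384/sha1 but not sha512 (constructed)
    hello = parse_client_hello(build_client_hello(server, [(4, 1), (5, 1), (2, 1)]))
    print(describe_sig_algs(hello["signature_algorithms"]))
    print("sha512/rsa cert:", select_suite(hello, server, 6, 1))   # (None, 40)
    print("sha256/rsa cert:", select_suite(hello, server, 4, 1))   # (0xC02F, None)
```

Two things the model makes visible that the log lines alone do not: a server that applies this rule reports the failure as "no cipher suites in common" even though the suite lists overlap, and a client that falls back to TLS 1.1 or 1.0 never sends the extension, so the certificate check does not apply, which is consistent with the site working once it was listed in security.tls.insecure_fallback_hosts. The practical check on the server side is to look at the signature algorithm of every certificate in the chain (not just the leaf) against what the client's ClientHello advertises in the capture.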
Re: [Firefox] Sometimes EV SSL indicators missing, F5 fixes it
Hi Marcel,

Thanks for reporting this issue! From your description, it sounds like bug
https://bugzilla.mozilla.org/show_bug.cgi?id=947079 where an insecure load
that is not associated with your employer's page is causing the browser to
classify the page as mixed content. We have a fix in the bug and it is under
review.

~Tanvi

On 10/8/14 2:10 AM, Marcel Meckel wrote:
> Hi list,
>
> in #security it was suggested I would post to this list rather than
> discussing the issue in IRC.
>
> My employer runs a website secured with an EV SSL cert issued by Comodo and
> tells all our customers on the login page that they should only enter their
> credentials if the address bar of their browser is indicating an EV SSL cert
> (green address bar, company name etc., with some screenshots for the average
> user).
>
> For the 2nd time in many months a customer reported to us that his Firefox
> rendered the page but did *not* display a green address bar and no company
> name was visible. Instead Firefox displayed an exclamation mark with the text
> "This website does not supply identity information." when clicking on it.
>
> The customer sent screenshots to me confirming that he indeed got the right
> certificate - fingerprint and serial number match, so I guess there is no
> MITM taking place.
>
> Without restarting the Firefox browser but only by pressing F5, Firefox
> happily displayed all the EV SSL indicators while reloading the page.
>
> The page is hosted via Cloudflare (reverse proxy) but this shouldn't matter
> since the customer really is getting the right certificate.
>
> At first we suspected that the connection to the OCSP server failed, but with
> the customer's settings pasted below this should not be possible:
>
> security.OCSP.enabled = 1
> security.OCSP.require = true
>
> about:
> version 32.0.3
> Build identifier: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
>
> about:buildconfig
> Build Machine toyol
> Build platform target x86_64-pc-linux-gnu
> Build tools
> Compiler  Version  Compiler flags
> gcc  4.8.2  -Wall -Wpointer-arith -Wdeclaration-after-statement -Werror=return-type -Werror=int-to-pointer-cast -Wtype-limits -Wempty-body -Wsign-compare -Wno-unused -Wcast-align -std=gnu99 -fgnu89-inline -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe
> c++  4.8.2  -Wall -Wpointer-arith -Woverloaded-virtual -Werror=return-type -Werror=int-to-pointer-cast -Wtype-limits -Wempty-body -Wsign-compare -Wno-invalid-offsetof -Wcast-align -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -std=gnu++0x -pthread -pipe -DNDEBUG -DTRIMMED -g -Os -freorder-blocks -fomit-frame-pointer
> Configure arguments
> --host=x86_64-linux-gnu --prefix=/usr --libexecdir=/usr/lib/firefox --with-l10n-base=/build/buildd/firefox-32.0.3+build1/./l10n --srcdir=/build/buildd/firefox-32.0.3+build1/. --enable-release --disable-install-strip --disable-updater --enable-application=browser --enable-startup-notification --with-distribution-id=com.ubuntu --enable-optimize --enable-tests --enable-crashreporter --with-branding=browser/branding/official --disable-gnomevfs --enable-gio --enable-update-channel=release --disable-debug --disable-elf-hack --enable-gstreamer=1.0 --with-google-api-keyfile=/build/buildd/firefox-32.0.3+build1/debian/g
>
> ii firefox 32.0.3+build1-0ubuntu0.14.04.1
> ii firefox-locale-en 32.0.3+build1-0ubuntu0.14.04.1
> ii libcurl3:amd64 7.35.0-1ubuntu2.1
> ii libgnutls-openssl27:amd64 2.12.23-12ubuntu2.1
> ii libnss-mdns:amd64 0.10-6
> ii libnss3:amd64 2:3.17.1-0ubuntu0.14.04.1
> ii libnss3-1d:amd64 2:3.17.1-0ubuntu0.14.04.1
> ii libnss3-nssdb 2:3.17.1-0ubuntu0.14.04.1
> ii rhythmbox-mozilla 3.0.2-0ubuntu2
> ii totem-mozilla 3.10.1-1ubuntu4
> ii unity-scope-firefoxbookmarks 0.1+13.10.20130809.1-0ubuntu1
> ii xul-ext-ubufox 2.9-0ubuntu0.14.04.1
> ii xul-ext-unity 3.0.0+14.04.20140416-0ubuntu1
> ii xul-ext-webaccounts 0.5-0ubuntu2
> ii xul-ext-websites-integration 2.3.6+13.10.20130920.1-0ubuntu1
>
> Any ideas what might cause this no-EV-indicators-press-F5-then-all-is-fine
> behaviour? Since the customer's initial report to us he was able to
> reproduce the issue two more times.
>
> Regards
> Marcel
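The diagnosis above turns on how a browser derives its security indicator: the certificate can be entirely correct (the customer verified fingerprint and serial number) and the EV indicator still disappears, because the indicator also depends on every subresource the document loaded. The following is an added example, not code from the thread or from Firefox: a small model of that derivation. It classifies each load by scheme and resource type, following the W3C Mixed Content split between optionally-blockable (image, audio, video) and blockable content; the mapping to indicator states, the block_active default and the sample URLs are assumptions for illustration, not Firefox's implementation.

```python
"""Added example (not from the thread or Firefox): derive a page's security
indicator from its top-level URL and the subresources it loaded."""
from urllib.parse import urlsplit

PASSIVE_TYPES = {"image", "audio", "video"}   # optionally-blockable mixed content


def is_secure_url(url):
    """Potentially trustworthy: https/wss, or a loopback host."""
    u = urlsplit(url)
    return u.scheme in ("https", "wss") or u.hostname in ("localhost", "127.0.0.1")


def classify_load(url, resource_type):
    """'secure', 'mixed-passive' (displayed with a warning) or 'mixed-active'."""
    if is_secure_url(url):
        return "secure"
    return "mixed-passive" if resource_type in PASSIVE_TYPES else "mixed-active"


def security_state(page_url, cert_is_ev, loads, block_active=True):
    """loads: list of (url, resource_type) that ended up in this document.
    Returns (indicator, displayed_mixed_loads). Only the scheme of each load
    counts, never who triggered it, so an insecure load the page itself did
    not request still downgrades it (the situation in the reply above).
    Assumed states: 'EV', 'DV', 'mixed-passive' (padlock with warning, no EV),
    'broken' (active mixed content ran), 'insecure' (plain http page)."""
    if not is_secure_url(page_url):
        return "insecure", []
    offending = [(u, t, classify_load(u, t)) for u, t in loads if not is_secure_url(u)]
    # Blocked active content never reached the document, so it is not displayed.
    displayed = [o for o in offending if o[2] == "mixed-passive" or not block_active]
    if any(o[2] == "mixed-active" for o in displayed):
        return "broken", displayed
    if displayed:
        return "mixed-passive", displayed
    return ("EV" if cert_is_ev else "DV"), []


if __name__ == "__main__":
    page = "https://login.example.com/"                      # constructed
    clean = [("https://cdn.example.com/app.js", "script")]
    stray = clean + [("http://tracker.example/pixel.gif", "image")]  # constructed
    print(security_state(page, True, clean))   # ('EV', [])
    print(security_state(page, True, stray))   # ('mixed-passive', [...])
```

Reloading starts the document over with an empty load list, which is why the model (like the customer's F5) returns to 'EV' once the stray load is gone. Comparing the certificate fingerprint, as the customer did, rules out a substituted certificate but says nothing about the subresource side of this state, so when an EV indicator goes missing the useful artefact to collect is the list of loads for that document, not only the certificate.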
Re: Trouble with dev-tech-crypto
On 2/8/13 11:38 AM, Kai Engert wrote:
> I'm having trouble posting to this list. I'm trying to get an announcement
> posted, but the messages simply disappear without errors. If you end up
> seeing my messages multiple times, please apologize.
>
> This issue is being tracked in bugzilla at mozilla dot org number 839245.
> (Not including a link, just in case links are the reason why mails are
> being filtered.)
>
> Kai

I got a message from you that said test 2.