How can I solve "secure connection failed"?
Secure sites do not work on Firefox, yet work on other browsers. I tried all the fixes listed on mozilla support, none worked. What other fixes are possible?
All Replies (14)
Hello pnaughten, any luck if you set (double-click on it) the next two preferences to false in about:config ?
- security.ssl3.dhe_rsa_aes_128_sha
- security.ssl3.dhe_rsa_aes_256_sha
thank you
That did not work either. Regardless, thank you for the help.
We probably need to gather a little information from you, but let me give you my standard spiel first in case it covers something you haven't tried yet:
When you get connection errors for nearly all secure sites, the problem usually is one of the following:
(1) Error in your system's date, time, or time zone, which throws off certificate validity checks. Sometimes allowing computers to use an internet-based time source can introduce this problem.
(2) Firefox not being set up to work with your security software that intercepts and filters secure connections. Products with this feature include Avast, BitDefender, Bullguard, ESET / nod32, and Kaspersky; AVG LinkScanner / SurfShield can cause this error on search sites.
If you have any of these products: This support article will walk you through checking for this problem: How to troubleshoot security error codes on secure websites.
(3) On Windows 10, Firefox not being set up to work with the parental control software Microsoft Family Safety.
To test by turning it off, see: http://windows.microsoft.com/en-us/wi.../turn-off-microsoft-family-settings)
(4) Malware on your system intercepting secure connections.
If #1-#3 don't seem relevant, you could inspect a sample certificate to see whether that points to the culprit. Here's how:
Load my test page at: https://jeffersonscher.com/res/jstest.php
If you do not get a connection error, stop. The rest of this isn't applicable.
Expand the "Advanced" button on the error page and:
(A) Look for an error code. If it's not SEC_ERROR_UNKNOWN_ISSUER then please paste the code you got into a reply along with any other explanation there.
(B) If you do get SEC_ERROR_UNKNOWN_ISSUER then look for an Add Exception button.
Note: You don't need to complete the process of adding an exception -- I suggest not adding one until we know this isn't a malware issue -- but you can use the dialog to view the information that makes Firefox suspicious.
Click Add Exception, and the certificate exception dialog should open.
Click the View button. If View is not enabled, try the Get Certificate button first.
This should pop up the Certificate Viewer. Look at the "Issued by" section, and on the Details tab, the Certificate Hierarchy. What do you see there? I have attached a screen shot for comparison.
I saw your "standard spiel" before and tried all your suggestions, but none resolved the problem. #1 - I tried it with time synchronization on and off but neither helped. #2 - My security software is McAfee LiveSafe. This problem started well after I had the latest update. #3 - I am running Windows 7 not Windows 10. Lastly, your test page loaded fine.
Could you give examples of sites that do not work and the error message(s) you get in the page (please check for an Advanced section).
Any secured site. All that start "https". I get the same error message: "Secured Connection Failed".
So all HTTPS sites give you an error except my site?
https://jeffersonscher.com/res/jstest.php
That's really strange. Could you check your Firefox settings to make sure you are allowing enough types of connections.
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste TLS and pause while the list is filtered
(3) If you have any non-default settings (typically bolded and having a status of "user set"), you can make a note of the values in case they turn out to be important for some other reason, then right-click > Reset each prefer to its default value.
If you have any locked preferences (typically italicized), you may have an external lock file modifying your Firefox configuration.
(4) In the search box above the list, type or paste security.ss and pause while the list is filtered
(5) If you have any non-default settings (typically bolded and having a status of "user set"), you can make a note of the values in case they turn out to be important for some other reason, then right-click > Reset each prefer to its default value.
It's okay to set these to false (this works around any servers that have not yet been fixed for the Logjam vulnerability):
- security.ssl3.dhe_rsa_aes_128_sha => false
- security.ssl3.dhe_rsa_aes_256_sha => false
Again, if you have any locked preferences (typically italicized), you may have an external lock file modifying your Firefox configuration.
(6) In the search box above the list, type or paste pki and pause while the list is filtered
(7) If you have any non-default settings (typically bolded and having a status of "user set"), you can make a note of the values in case they turn out to be important for some other reason, then right-click > Reset each prefer to its default value.
(8) In the search box above the list, type or paste ocsp and pause while the list is filtered
(9) If you have any non-default settings (typically bolded and having a status of "user set"), you can make a note of the values in case they turn out to be important for some other reason, then right-click > Reset each prefer to its default value.
Did you change anything and did that make any difference?
All tls settings were default All pki settings were default All ocsp settings were default One security.ss was not default it was security.ssl.errorReporting.automatic. I changed it to default. It did not make any difference.
Sounds as though the problem is external to Firefox.
If you visit https://www.google.com/ in Chrome and view the certificate, does your match the attached screenshot?
To do that: click the padlock in the address bar, then there's a link called Details, and that opens a panel at the bottom of the tab with the View Certificate button.
The my certificate matches the attached screenshot.
Can you check for more detailed error information in Firefox's Browser Console:
Open the console using Ctrl+Shift+j
Click the trash can in the upper left corner
In a regular tab, try loading the Google home page
Check the console for error messages -- anything related to the certificate or connection you could copy/paste here?
There are no messages in the browser console.
Well, so far, you are not able to provide any information other than the three words "Secure Connection Failed" so we have nothing to go on. Are you sure there isn't any more information available as to the reason for the failure on the error page?
Here are a few other things to try:
[A] Try to bypass proxies [B] Bypass extensions [C] Disable HTTP/2
For A:
You could check whether you have Firefox set to use a proxy server in settings, and switch that off as a test. You can do that on the Options page:
"3-bar" menu button (or Tools menu) > Options
In the left column, click Advanced. On the right side, click the "Network" mini-tab and then the "Settings" button.
The default of "Use system proxy settings" piggybacks on your Windows LAN connection settings, but you could try "No proxy" to see whether that helps.
For B:
Test in Firefox's Safe Mode, where Firefox temporarily deactivates extensions, hardware acceleration, and some other advanced features to help you assess whether these are causing the problem.
If Firefox is not running: Hold down the Shift key when starting Firefox.
If Firefox is running: You can restart Firefox in Safe Mode using either:
- "3-bar" menu button > "?" button > Restart with Add-ons Disabled
- Help menu > Restart with Add-ons Disabled
and OK the restart.
Both scenarios: A small dialog should appear. Click "Start in Safe Mode" (not Refresh).
Any improvement?
For C:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste http2 and pause while the list is filtered
(3) Double-click the network.http.spdy.enabled.http2 preference to switch it from true to false
Does that change the error pages you get to a more informative page?