Why does my web site give me the following "error code" when the pki credentials are requested: ssl_error_renegotiation_not_allowed?

  • 6 replies
  • 1179 have this problem
  • 7 views
  • Last reply by mou123


I have a Web Site with PKI authentication working well on Firefox 3.*, but when I use Firefox 4.* Beta versions I get an SSL error with the following message: "Renegotiation is not allowed on this SSL socket" and this error code: "ssl_error_renegotiation_not_allowed". I've googled the issue and went all over the web but without results.

URL of affected sites

https://www.centraldirecto.fi.cr/sitio/AutCertificados/FirmarAcuerdoUso.aspx


All Replies (6)


To enable SSL renegotiation you need to point your browser to about:config. After confirming that you know what you are doing, you need to search for:

   security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref

and set it to true. After this you should be able to access the site.

Source: http://dotomaz.tumblr.com/post/786443743/firefox-4-0b1-and-ssl-renegotiation


This surfaced for me on the default domain when using a wildcard certificate for multiple sub-domains on a single IP. IIS7 on Win08. Host header routing was working fine for all other sub-domains.

I resolved it by creating a separate default domain as the catch-all for requests on 443, and then using the specific host header for my prior default domain. This causes the browser to renegotiate with a second site, rather than the same site twice. No config changes were needed in Firefox.


Sorry, that's the wrong answer. Setting security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref to "true" is not safe. This is explained at https://wiki.mozilla.org/Security:Renegotiation.

Instead, you should change security.ssl.renego_unrestricted_hosts in the about:config dialogue to include the name of the website you are trying to reach, for example: webmail.example.com. For every additional site you have this problem with, you should add the url to the string, preceded by a comma, for example: webmail.example.com, mail.example.com. Do this ONLY for websites you know and trust. DO NOT CHANGE security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref to true. If you do, and your identity gets stolen, well, you were warned here.

Furthermore, if you are doing this, you should also change security.ssl.treat_unsafe_negotiation_as_broken to true. This will give you a broken padlock indication whenever you visit a site that you have specifically allowed but that is using the old security negotiation scheme.

Finally, you should contact the webmaster of the site you are accessing that is giving you the problem and tell them that they need to update their SSL/TLS protocol. The reason for this is all contained here at: https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken.


You should contact website servers that have this problem and ask them to fix their servers.

You can link them to:


How do I do that?