Connecting to https://mijnzakelijk.ing.nl/
Using Firefox 115.15.0esr (64-bits) on MacOS 14.3 (23D56) I'm not able to connect to https://mijnzakelijk.ing.nl/ while https://ing.nl/ connects just fine. These domains use different TLS versions, which may be related to the issue. The browser reports a failure to connect, and NS_ERROR_NET_INTERRUPT when viewing the networking tab. Tcpdump indicates the remote side disconnects by sending FIN on the tcp layer. I tried various config features to enable low TLS versions but that did not make a difference.
openssl s_client has no issue connecting, nor does Chrome, on the same system. For completeness here is the openssl transcript:
```` $ openssl s_client mijnzakelijk.ing.nl:443 Connecting to 145.221.213.243 CONNECTED(00000006) depth=2 C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1 verify return:1 depth=1 C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1 verify return:1 depth=0 jurisdictionC=NL, businessCategory=Private Organization, serialNumber=33031431, C=NL, ST=Noord-Holland, L=Amsterdam, O=ING Bank NV, CN=mijnzakelijk.ing.nl verify return:1 --- Certificate chain
0 s:jurisdictionC=NL, businessCategory=Private Organization, serialNumber=33031431, C=NL, ST=Noord-Holland, L=Amsterdam, O=ING Bank NV, CN=mijnzakelijk.ing.nl i:C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Aug 7 11:27:00 2024 GMT; NotAfter: Sep 1 11:26:00 2025 GMT 1 s:C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1 i:C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Dec 12 16:56:15 2019 GMT; NotAfter: Dec 12 16:56:15 2029 GMT 2 s:C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1 i:C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1 a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256 v:NotBefore: Jan 16 18:12:23 2014 GMT; NotAfter: Jan 16 18:12:23 2034 GMT
--- Server certificate
BEGIN CERTIFICATE-----
MIIHGDCCBgCgAwIBAgIQQAGRLJeiKhzmRghG5nIGzjANBgkqhkiG9w0BAQsFADBy ... ZthnKEctI1FJ7MLeY6+zNvJ8+sjEj9P61M85h+MthSw2Pm1wBGzGB9ncSRQ=
END CERTIFICATE-----
subject=jurisdictionC=NL, businessCategory=Private Organization, serialNumber=33031431, C=NL, ST=Noord-Holland, L=Amsterdam, O=ING Bank NV, CN=mijnzakelijk.ing.nl issuer=C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA Server Temp Key: ECDH, prime256v1, 256 bits --- SSL handshake has read 5469 bytes and written 453 bytes Verification: OK --- New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session:
Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 9A30DC8B6EF5D0EE82F9ACB4D53D787D7B4BCAB27F5E54DDB906BEC5A6CDC887 Session-ID-ctx: Master-Key: 04E64BF5ACC56AA2BB749AA3083DA0B498CCE36DB83A1BA78B19B9282F6B30362B8674D1F60D70594F21A08DC74006A5 PSK identity: None PSK identity hint: None SRP username: None Start Time: 1726644699 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: yes
--- GET / HTTP/1.1
HTTP/1.1 404 Not Found ... ````
I would like to keep using Firefox for all my browsing, so I'm wondering what I can do to fix this. In about:config I have all settings containing "tls" to their defaults. I've tried enabling security.tls.version.enable-deprecated and lowering security.tls.version.min, but nothing seems to help.
I know from experience that contacting ING about such issues doesn't get you anywhere, and given the fact that another major browser has no issue I suspect it is best solved (or worked around) on the side of Firefox.
Musyśo se pla swójogo konta pśizjawiś, aby na pśinoski wótegronił. Pšosym stajśo pšašanje, jolic hyšći njamaśo wužywaŕske konto.