Connecting to https://mijnzakelijk.ing.nl/
Using Firefox 115.15.0esr (64-bits) on MacOS 14.3 (23D56) I'm not able to connect to https://mijnzakelijk.ing.nl/ while https://ing.nl/ connects just fine. These domains use different TLS versions, which may be related to the issue. The browser reports a failure to connect, and NS_ERROR_NET_INTERRUPT when viewing the networking tab. Tcpdump indicates the remote side disconnects by sending FIN on the tcp layer. I tried various config features to enable low TLS versions but that did not make a difference.
openssl s_client has no issue connecting, nor does Chrome, on the same system. For completeness here is the openssl transcript:
```` $ openssl s_client mijnzakelijk.ing.nl:443 Connecting to 145.221.213.243 CONNECTED(00000006) depth=2 C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1 verify return:1 depth=1 C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1 verify return:1 depth=0 jurisdictionC=NL, businessCategory=Private Organization, serialNumber=33031431, C=NL, ST=Noord-Holland, L=Amsterdam, O=ING Bank NV, CN=mijnzakelijk.ing.nl verify return:1 --- Certificate chain
0 s:jurisdictionC=NL, businessCategory=Private Organization, serialNumber=33031431, C=NL, ST=Noord-Holland, L=Amsterdam, O=ING Bank NV, CN=mijnzakelijk.ing.nl i:C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Aug 7 11:27:00 2024 GMT; NotAfter: Sep 1 11:26:00 2025 GMT 1 s:C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1 i:C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Dec 12 16:56:15 2019 GMT; NotAfter: Dec 12 16:56:15 2029 GMT 2 s:C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1 i:C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1 a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256 v:NotBefore: Jan 16 18:12:23 2014 GMT; NotAfter: Jan 16 18:12:23 2034 GMT
--- Server certificate
BEGIN CERTIFICATE-----
MIIHGDCCBgCgAwIBAgIQQAGRLJeiKhzmRghG5nIGzjANBgkqhkiG9w0BAQsFADBy ... ZthnKEctI1FJ7MLeY6+zNvJ8+sjEj9P61M85h+MthSw2Pm1wBGzGB9ncSRQ=
END CERTIFICATE-----
subject=jurisdictionC=NL, businessCategory=Private Organization, serialNumber=33031431, C=NL, ST=Noord-Holland, L=Amsterdam, O=ING Bank NV, CN=mijnzakelijk.ing.nl issuer=C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA Server Temp Key: ECDH, prime256v1, 256 bits --- SSL handshake has read 5469 bytes and written 453 bytes Verification: OK --- New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session:
Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 9A30DC8B6EF5D0EE82F9ACB4D53D787D7B4BCAB27F5E54DDB906BEC5A6CDC887 Session-ID-ctx: Master-Key: 04E64BF5ACC56AA2BB749AA3083DA0B498CCE36DB83A1BA78B19B9282F6B30362B8674D1F60D70594F21A08DC74006A5 PSK identity: None PSK identity hint: None SRP username: None Start Time: 1726644699 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: yes
--- GET / HTTP/1.1
HTTP/1.1 404 Not Found ... ````
I would like to keep using Firefox for all my browsing, so I'm wondering what I can do to fix this. In about:config I have all settings containing "tls" to their defaults. I've tried enabling security.tls.version.enable-deprecated and lowering security.tls.version.min, but nothing seems to help.
I know from experience that contacting ING about such issues doesn't get you anywhere, and given the fact that another major browser has no issue I suspect it is best solved (or worked around) on the side of Firefox.