Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

"Secure Connection Failed" on www.pandora.com

  • 9 replies
  • 1 has this problem
  • 15 views
  • Last reply by FMX1

more options

When I browse to https://www.pandora.com/ I get the "Secure Connection Failed" error with exactly the same text as in the screenshot at https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message

This is a really poor error message. It tells me nothing about what's actually wrong and how to fix it. WHY did the secure connection fail? Is there any way to find this out?

The site gets an A- from SSL labs https://www.ssllabs.com/ssltest/analyze.html?d=www.pandora.com&lates... and definitely supports TLS 1.2, so I'm pretty sure the problem is with Firefox and not with Pandora, but the error message is horrible regardless.

When I browse to https://www.pandora.com/ I get the "Secure Connection Failed" error with exactly the same text as in the screenshot at https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message This is a really poor error message. It tells me nothing about what's actually wrong and how to fix it. WHY did the secure connection fail? Is there any way to find this out? The site gets an A- from SSL labs [https://www.ssllabs.com/ssltest/analyze.html?d=www.pandora.com&latest] and definitely supports TLS 1.2, so I'm pretty sure the problem is with Firefox and not with Pandora, but the error message is horrible regardless.

All Replies (9)

more options

What is your computer system and Firefox?

There is security software like Avast, Kaspersky, BitDefender and ESET that intercept secure connections and send their own certificate.

http://www.ehow.com/how_11385212_troubleshoot-reset-connection-firefox.html

https://support.mozilla.org/en-US/kb/server-not-found-connection-problem

https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can

more options

Windows 7, Firefox 49.0.2. It seems to be an extension problem. I use FoxyProxy to access Pandora. If I disable that extension I can connect to the site successfully. If I enable it I get that error message. However, if I clear "Site preferences" under Clear History and the browse to "www.pandora.com" (without "https://") it works once again... for a while. I've tried this several times now. I'll report this to the FoxyProxy team.

more options

Please keep us posted.

more options

Follow-up: this is not related to FoxyProxy at all, but seems to be related to proxy authentication. Here's a better description of the problem.

Firefox 49.0.2 running on Windows 7, all extensions disabled. I've cleared all history (cache, site preferences, etc.) I have an HTTP proxy configured (Manual Proxy Configuration, "Use this proxy server for all protocols" checked).

If I browse to an HTTPS site after starting Firefox before browsing to an HTTP (non-SSL) site the status bar quickly changes between "Looking up (host)...", "Connecting to (host)..." and "Waiting for (host)..." several times and then shows the "Secure Connection Failed" page, as in the screenshot on https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message

This happens on every HTTPS site I try, e.g. https://support.mozilla.org/, https://www.google.com/, https://www.pandora.com/, https://www.ycombinator.com/ (note that this last one does not use HSTS).

My proxy server requires HTTP authentication and Firefox does not even prompt for a username and password at this point. I control the proxy server and can see in its logs that there are no connection attempts yet.

If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal. It doesn't have to be the same site, e.g. I can browse to http://www.yahoo.com/ and then https://www.microsoft.com/ will work. However, if I cancel the proxy credentials prompt the issue continues. It takes a successful HTTP connection to make HTTPS work.

If I turn off authentication on the proxy server the issue does not occur (but I don't want to leave it open to the world permanently).

I've tried setting network.automatic-ntlm-auth.allow-proxies and network.negotiate-auth.allow-proxies to false and that didn't help.

more options

I called for more help.

FMX1 said

If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal

Can you set such a site as your home page?

more options

Though this is not my best area of expertise, a few thoughts after reading this and this question and some bugs (1311720, 486508 and 1291700):

- What happens if you uncheck "Use this proxy server for all protocols"? - What happens if you add a boolean pref called network.negotiate-auth.allow-insecure-ntlm-v1 and set it to true? - Do things work as expected without these suggestions and when using a current nightly? - What type of proxy is used (brand / party)?

more options

FredMcD said

FMX1 said
If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal

Can you set such a site as your home page?

I can, but I have to also manually reload it every time, otherwise it's just served from the cache and doesn't work around the problem. Not ideal.


Tonnes said

- What happens if you uncheck "Use this proxy server for all protocols"?

If I manually set the same proxy for HTTP and SSL - the same thing. If I use the proxy for HTTP only then, of course, the problem doesn't occur, but then I can't listen to Pandora, either. :)

- What happens if you add a boolean pref called network.negotiate-auth.allow-insecure-ntlm-v1 and set it to true?

No change - as expected, since the proxy doesn't use NTLM.

- Do things work as expected without these suggestions and when using a current nightly?

The nightly actually works if I have that proxy configured for both HTTP and SSL! But if I configure the proxy for SSL only the issue continues to occur. So I think the only reason it works is that the nightly automatically opens a tab to mozilla.org, which it loads via HTTP, so in effect it automatically applies the workaround I've found, but does not actually fix the problem.

- What type of proxy is used (brand / party)?

It's a Polipo proxy.

more options

FMX1 said

If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal.
It takes a successful HTTP connection to make HTTPS work.

Are you sure HTTPS authentication should be able to work in Polipo? I’m not. :)

I searched for some keywords and found the quote "Polipo currently only implements the most insecure form of authentication, HTTP basic authentication, which sends usernames and passwords in clear over the network." in its manual. This may be no news, but that means HTTP authentication is just a prerequisite for Polipo, not Firefox. In order to meet that, you should tell Firefox to use HTTP even for HTTPS requests (probably explaining why Polipo logs see no requests at all), and then switch back. I think that would be rather special, and not worth the effort investigating.

Polipo is also rather old and no longer maintained, so you might want to switch to some other proxy if HTTPS authentication is important, unless you are able to trick it, but you might run into other limitations when "parent proxies" are involved. Or you could just drop the authentication.

This question on its mailing list archive may also interest you.

more options

You could be right, because disabling authentication in Polipo makes the problem disappear, like I said. Something must have changed in Firefox recently, though, because I've been running with the exact same setup for years and it was working fine. Also, Firefox should really handle the failure to connect much better than it does.

Still, this gives me a possible way to fix the issue, so thank you. I'll look around for an alternative to Polipo. Tell me if you have any recommendations.

Modified by FMX1