This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Buscar en Ayuda

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Why does my web site give me the following "error code" when the pki credentials are requested: ssl_error_renegotiation_not_allowed?

  • 6 respuestas
  • 1179 tienen este problema
  • 1 visita
  • Última respuesta de mou123

more options

I have a Web Site with PKI authentication working well on Firefox 3.*, but when I use Firefox 4.* Beta versions I get an SSL error whit the following message: "Renegotiation is not allowed on this SSL socket" and this error code: "ssl_error_renegotiation_not_allowed". I've googled the issue and went all over the web but without results.

URL of affected sites

https://www.centraldirecto.fi.cr/sitio/AutCertificados/FirmarAcuerdoUso.aspx

I have a Web Site with PKI authentication working well on Firefox 3.*, but when I use Firefox 4.* Beta versions I get an SSL error whit the following message: "Renegotiation is not allowed on this SSL socket" and this error code: "ssl_error_renegotiation_not_allowed". I've googled the issue and went all over the web but without results. == URL of affected sites == https://www.centraldirecto.fi.cr/sitio/AutCertificados/FirmarAcuerdoUso.aspx

Todas las respuestas (6)

more options

To enable SSL renegotiation you need to point your browser to about:config. After confirming that you know what you are doing, you need to search for:

   security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref

and set it to true. After this you should be able to access the site.

Source: http://dotomaz.tumblr.com/post/786443743/firefox-4-0b1-and-ssl-renegotiation

more options
more options

This surfaced for me on the default domain when using a wildcard certificate for multiple sub-domains on a single IP. IIS7 on Win08. Host header routing was working fine for all other sub-domains.

I resolved it by creating a separate default domain as the catch-all for requests on 443, and then using the specific host header for my prior default domain. This causes the browser to renegotiate with a second site, rather than the same site twice. No config changes were needed in FireFox.

more options

Sorry, that's the wrong answer. Setting security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref to "true" is not safe. This is explained at https://wiki.mozilla.org/Security:Renegotiation. Instead, you should change security.ssl.renego_unrestricted_hosts in the about:config dialogue to include the name of the website you are trying to reach, for example: webmail.example.com. For every additional site you have this problem with, you should add the url to the string, preceded by a comma, for example: webmail.example.com, mail.example.com. Do this ONLY for websites you know and trust. DO NOT CHANGE security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref to true. If you do, and your identity gets stolen, well, you were warned here. Furthermore, if you are doing this, you should also change security.ssl.treat_unsafe_negotiation_as_broken to true. This will give you a broken padlock indication whenever you visit a site that you have specifically allowed but that is using the old security negotiation scheme. Finally, you should contact the webmaster of the site you are accessing that is giving you the problem and tell them that they need to update their SSL/TLS protocol. The reason for this is all contained here at: https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken.

more options

You should contact website servers that have this problem and ask them to fix their servers.

You can link them to:

more options

how do i do that?