This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Web app issue started with 36.0.1

  • 3 replies
  • 2 have this problem
  • 3 views
  • Last reply by secpro1

more options

We have a web application that works on all browsers and firefox before 36.0.1

Have done all the typical things, clearing cache, reinstalling ff, etc. Multiple different machine from different locations have been tested as well.

Our certs are up to date but this site currently is tls version 1.0 only, it's a legacy data center most folks are on a new platform and it works there... it has tls 1.1 n 1.2 but still seems like it should be working? It allows a secure connection to the first page and then when you execute the app from there is comes back with "secure connection reset". I can see the rst pkt coming from our systems as well but nothing else telling. As before, it works w/ all other browsers and firefox before the most recent version.

Prefix handling Both (with and without WWW) Valid from Mon Jun 04 17:00:00 PDT 2012 Valid until Wed Aug 05 05:00:00 PDT 2015 (expires in 4 months and 16 days) Key RSA 2048 bits (e 65537) Weak key (Debian) No Issuer DigiCert High Assurance CA-3 Signature algorithm SHA1withRSA WEAK Extended Validation No Revocation information CRL, OCSP Revocation status Good (not revoked) Trusted Yes


Additional Certificates (if supplied) Certificates provided 3 (4322 bytes) Chain issues Contains anchor

  1. 2

Subject DigiCert High Assurance CA-3 Fingerprint: a2e32a1a2e9fab6ead6b05f64ea0641339e10011 Valid until Sat Apr 02 17:00:00 PDT 2022 (expires in 7 years) Key RSA 2048 bits (e 65537) Issuer DigiCert High Assurance EV Root CA Signature algorithm SHA1withRSA WEAK

  1. 3

Subject DigiCert High Assurance EV Root CA In trust store Fingerprint: 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25 Valid until Sun Nov 09 16:00:00 PST 2031 (expires in 16 years and 7 months) Key RSA 2048 bits (e 65537) Issuer DigiCert High Assurance EV Root CA Self-signed Signature algorithm SHA1withRSA Weak, but no impact on root certificate

1 Sent by server Fingerprint: 8391780451d5684847681c413f81d5689a669ddd RSA 2048 bits (e 65537) / SHA1withRSA WEAK SIGNATURE 2 Sent by server DigiCert High Assurance CA-3 Fingerprint: a2e32a1a2e9fab6ead6b05f64ea0641339e10011 RSA 2048 bits (e 65537) / SHA1withRSA WEAK SIGNATURE 3 Sent by server In trust store DigiCert High Assurance EV Root CA Self-signed Fingerprint: 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25 RSA 2048 bits (e 65537) / SHA1withRSA Weak or insecure signature, but no impact on root certificate Configuration

Protocols TLS 1.2 No TLS 1.1 No TLS 1.0 Yes SSL 3 No SSL 2 No


Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end) TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK 128 TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256

We have a web application that works on all browsers and firefox before 36.0.1 Have done all the typical things, clearing cache, reinstalling ff, etc. Multiple different machine from different locations have been tested as well. Our certs are up to date but this site currently is tls version 1.0 only, it's a legacy data center most folks are on a new platform and it works there... it has tls 1.1 n 1.2 but still seems like it should be working? It allows a secure connection to the first page and then when you execute the app from there is comes back with "secure connection reset". I can see the rst pkt coming from our systems as well but nothing else telling. As before, it works w/ all other browsers and firefox before the most recent version. Prefix handling Both (with and without WWW) Valid from Mon Jun 04 17:00:00 PDT 2012 Valid until Wed Aug 05 05:00:00 PDT 2015 (expires in 4 months and 16 days) Key RSA 2048 bits (e 65537) Weak key (Debian) No Issuer DigiCert High Assurance CA-3 Signature algorithm SHA1withRSA WEAK Extended Validation No Revocation information CRL, OCSP Revocation status Good (not revoked) Trusted Yes Additional Certificates (if supplied) Certificates provided 3 (4322 bytes) Chain issues Contains anchor #2 Subject DigiCert High Assurance CA-3 Fingerprint: a2e32a1a2e9fab6ead6b05f64ea0641339e10011 Valid until Sat Apr 02 17:00:00 PDT 2022 (expires in 7 years) Key RSA 2048 bits (e 65537) Issuer DigiCert High Assurance EV Root CA Signature algorithm SHA1withRSA WEAK #3 Subject DigiCert High Assurance EV Root CA In trust store Fingerprint: 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25 Valid until Sun Nov 09 16:00:00 PST 2031 (expires in 16 years and 7 months) Key RSA 2048 bits (e 65537) Issuer DigiCert High Assurance EV Root CA Self-signed Signature algorithm SHA1withRSA Weak, but no impact on root certificate 1 Sent by server Fingerprint: 8391780451d5684847681c413f81d5689a669ddd RSA 2048 bits (e 65537) / SHA1withRSA WEAK SIGNATURE 2 Sent by server DigiCert High Assurance CA-3 Fingerprint: a2e32a1a2e9fab6ead6b05f64ea0641339e10011 RSA 2048 bits (e 65537) / SHA1withRSA WEAK SIGNATURE 3 Sent by server In trust store DigiCert High Assurance EV Root CA Self-signed Fingerprint: 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25 RSA 2048 bits (e 65537) / SHA1withRSA Weak or insecure signature, but no impact on root certificate Configuration Protocols TLS 1.2 No TLS 1.1 No TLS 1.0 Yes SSL 3 No SSL 2 No Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end) TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK 128 TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256

All Replies (3)

more options

It's confusing if the same certificate is treated as valid on one request and as not valid on another request. Is it possible that a second host is in the mix?

Just to confirm: it worked in 36.0 but not 36.0.1, or it worked in 35.0.1 and we're not sure about 36.0 but it doesn't work in 36.0.1?

more options

Speaking of cipher suites, Firefox 36 deprecated RC4 and treats it as not secure. So far, this has presented as "no padlock" on the address bar and so far as I know not the error you're getting, but I'll provide these threads for reference in case they're relevant:

more options

Correct pre 36.0.1 works. Will check on ciphers again but it all appears okay at this point. Thank you.