
This thread has been archived. Please ask a new question if you need help.

Firefox updates (in this case Version 28) cause ciphers mismatch

  • 3 replies
  • 2 have this problem
  • 1 view
  • Last reply by cor-el


Hi, I am using Solaris 10 above Tomcat 6. I installed the latest version of Firefox – version 28. In addition, I installed the ECC Cipher suite regarding to https://bugzilla.mozilla.org/show_bug.cgi?id=235773

I had a problem that causes a cipher mismatch whenever an update of Firefox is released and installed. This problem repeats itself and the solution was to remove the cipher that is not supported. Firefox update number 28 caused a mismatch. In order for the website to load and function properly I had to remove the TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA cipher.

The following ciphers are in use:

TLS_KRB5_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA

Currently, the site is not loaded via Firefox (Error_Code: ssl_error_internal_error_alert); however, it works perfectly under Chrome and IE.
Only after TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA cipher removal, the site returns to function.

This scenario also happened on Firefox build 26 (a month ago) and the solution was to remove TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA cipher.

1. Does Firefox support SSL Certificates for the ECC algorithm?
2. Do I need to remove all ECC ciphers in order for the websites to work properly?
3. Is there a recommended ciphers suite that I could use so I won't encounter these problems?

Thanks. Liran


Edited by cor-el on

All replies (3)

There have been more reports about this:

Possibly a consequence of this bug fix:

  • bug 936828 - Change order of cipher suites offered in client hello to match modern best practices

Please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
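
Added example, not part of the thread and not Firefox or Tomcat code: a small model of suite selection showing how a reordered ClientHello (the change described in bug 936828) can move the handshake onto a different suite of an unchanged server list. The server list is the one quoted in the question; the client orderings, the RSA-only server key and the position of the removed suite are constructed assumptions.

```python
# Key type the server certificate must hold per key-exchange family (RFC 4492 naming).
KEY_NEEDED = {"RSA": "RSA", "DHE_RSA": "RSA", "ECDHE_RSA": "RSA",
              "ECDHE_ECDSA": "EC", "ECDH_ECDSA": "EC", "ECDH_RSA": "EC", "KRB5": None}

def canon(name):
    """JSSE names some suites SSL_*; map them to the TLS_* spelling of the same suite."""
    name = name.strip().rstrip(",")
    return "TLS_" + name[4:] if name.startswith("SSL_") else name

def key_needed(suite):
    """The key-exchange token sits between the TLS_ prefix and _WITH_."""
    return KEY_NEEDED[suite[len("TLS_"):suite.index("_WITH_")]]

def negotiate(client_offer, server_enabled, server_keys, server_order=False):
    """Return the suite a handshake would settle on, or None if nothing is usable."""
    client = [canon(s) for s in client_offer]
    server = [canon(s) for s in server_enabled]
    usable = {s for s in server
              if s in client and key_needed(s) in (None, *server_keys)}
    preference = server if server_order else client
    return next((s for s in preference if s in usable), None)

# Server list as quoted in the question (after the 3DES ECDHE_RSA suite was removed).
SERVER_AFTER = """TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA""".split()
# Assumed position: where the removed suite sat in the original list is not on the page.
SERVER_BEFORE = SERVER_AFTER + ["TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"]

# Constructed client orderings of one suite set (not a captured Firefox ClientHello).
CLIENT_OLD = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
              "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
CLIENT_NEW = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
              "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

if __name__ == "__main__":
    keys = {"RSA"}  # assumption: the server holds only an RSA key
    for label, client, server in [("old order, before removal", CLIENT_OLD, SERVER_BEFORE),
                                  ("new order, before removal", CLIENT_NEW, SERVER_BEFORE),
                                  ("new order, after removal", CLIENT_NEW, SERVER_AFTER)]:
        print(label, "->", negotiate(client, server, keys))
```

Running the same comparison against the real client offer (from a packet capture) and the real connector configuration shows which suite a browser update newly steers the handshake onto, which is the one to test on the server.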


Hi cor-el, thank you for the detailed solution.

I changed the security.tls.version.max on about:config from "3" to "0" and it solves the problem, but it seems the solution is not the recommended one.

You recommended to change SSL cipher priority on Mozilla manually, or otherwise install the patch that will update the entire workstations.

Can you please provide some information on:

1. How to change manually the priority of the ciphers on about:config? (I found the article http://kb.mozillazine.org/About:config but I did not find how to do the change.)

2. I'm not familiar with the way I should install the patches (change-cipher-order-v2.patch, fix-comment.patch). As far as I know, the scripts should run under a Linux machine, but what if the workstation runs under Windows? Should I write a PowerShell script?

Thanks again.


You can't use the about:config page to change the order of cipher suites.
You can only enable and disable cipher suites by toggling the pref.
I don't know that much about the order in which Firefox will try to connect to a server after analyzing the server response, so I'm afraid that I can't help you.

You can try to ask in the crypto newsgroup.