Version 37.0.1 - Secure Connection failed.
Started getting Secure Connection failed with Version 37.0.1. The site has SHA-2 certificates, TLS 1.0 disabled and TLS 1.1 and 1.2 enabled. SSL 3.0 is also enabled.
We've got a "B" rating with https://www.ssllabs.com/ssltest/analyze.html.
What would be causing this problem and how might it best be resolved?
All Replies (10)
What is the address of your site?
Can you post a link or the domain, so we can check the certificate?
What happens if you add the domain to the security.tls.insecure_fallback_hosts pref?
Did you check the Browser Console (Firefox/Tools > Web Developer) for error messages?
Note that SSL3 shouldn't be used these days and signing with SHA-256 is preferred.
The website may try to fall back to TLS 1.0 in a way that is no longer allowed in current releases or may be using or offering deprecated cipher suites.
You can open the about:config page via the location/address bar and use its search bar to locate this pref:
- security.tls.insecure_fallback_hosts
You can double-click the line to modify the pref and add the full domain to this pref. If there are already websites (domains) in this list then add a comma and the new domain (no spaces). You should only see domains separated by a comma in the value column.
If it's the domain matching your username, your ciphers are limited to RC4 ciphers. Starting in Firefox 36, this generated a warning icon in the address bar (exclamation triangle) as Firefox no longer considers it secure. However, I'm not sure what accounts for the more severe message you're getting now if the site supports TLS 1.2.
"What happens if you add the domain to the security.tls.insecure_fallback_hosts pref?"
It works.
It also works if I do the following: setting security.tls.version.fallback-limit to '0'.
TLS 1.0 is currently enabled for "server"; there is no "client" registry entry.
The Site is https://www.theswingsite.com
NOTE: This never happened in pre "37.0.0" releases, nor do other browsers have a problem.
One more piece of the puzzle. My Windows Server 2008R2 event log is showing:
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server
theswingsite said
"What happens if you add the domain to the security.tls.insecure_fallback_hosts pref?" It works. It also works if I do the following: setting security.tls.version.fallback-limit to '0'.
That does not work for me on your site (trying to login as user asdf). Not sure what's going on.
I attached an image of what IISCrypto is reporting.
Any thoughts? Do Firefox developers respond here?
Nothing I try seems to resolve this problem. I need to know WHAT changed in Version 37, as I've never had this problem in the last 8 years.
Firefox developers generally do not monitor this forum.
I'm not very skilled at searching the bug database, but it appears there were approximately/at least 49 changes related to TLS in Firefox 37: https://bugzilla.mozilla.org/buglist.cgi?list_id=12203346&resolution=FIXED&query_format=advanced&component=Security%3A%20PSM&target_milestone=mozilla37&f2=cf_status_firefox37&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&limit=0
I can't tell which, if any, of those is causing the issue. There is a somewhat standard approach to tracking down problem change sets which is to look for a regression range, but this is somewhat time-consuming. See: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Mozmill/How_to_do_regression_testing