
How do I fix "Error code: ssl_error_bad_mac_read"?


When trying to access our website's sign-in page using Firefox, we started receiving the following message:

"Secure Connection Failed

An error occurred during a connection. SSL received a record with an incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_read) "

I can work around this issue personally by setting "security.tls.fallback-limit" from 3 to 1, but I need to figure out how to solve the issue on the host end as it's not practical to ask end users to make those setting changes.

Also, I don't have any issues with Internet Explorer, Chrome, Safari, Opera browsers.


Modified by smisgen

All Replies (4)


additional info added to original post.

Modified by smisgen


smisgen said

I can work around this issue personally by setting "security.tls.fallback-limit" from 3 to 1, but I need to figure out how to solve the issue on the host end as it's not practical to ask end users to make those setting changes.

That's also not a change you would want to encourage...

Firefox is not completely allergic to TLS 1.0, for example, I only support TLS 1.0 on my personal site:

https://jeffersonscher.com/res/jstest.php

But your server appears not to be handling the downgrade from TLS 1.2 to TLS 1.0 in the manner that Firefox requires starting in Firefox 37. And while there is another workaround (adding the host name to the security.tls.insecure_fallback_hosts preference) it really would be preferable to adjust the SSL settings on the server if you can.

This test page will flag up the issues for you: https://www.ssllabs.com/ssltest/

Then you can check with your webserver provider on appropriate settings changes for your version.


Here is what I've gotten from them, is there anything that pops out as causing this specific issue? I am currently in a situation where I am more or less limited to making changes to the configuration file and not any kind of software upgrades. Hoping I can at least get Firefox going for the time being until we can revamp the software.

Configuration

Protocols
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3 No
SSL 2 No

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128

Protocol Details
Secure Renegotiation Not supported ACTION NEEDED (more info)
Secure Client-Initiated Renegotiation No
Insecure Client-Initiated Renegotiation Supported INSECURE (more info)
BEAST attack Not mitigated server-side (more info) TLS 1.0: 0x35
POODLE (SSLv3) No, SSL 3 not supported (more info)
POODLE (TLS) Vulnerable INSECURE (more info)
Downgrade attack prevention Unknown (requires support for at least two protocols)
TLS compression No
RC4 No
Heartbeat (extension) No
Heartbleed (vulnerability) No (more info)
OpenSSL CCS vuln. (CVE-2014-0224) No (more info)
Forward Secrecy No WEAK (more info)
Next Protocol Negotiation (NPN) No
Session resumption (caching) Yes
Session resumption (tickets) No
OCSP stapling No
Strict Transport Security (HSTS) No
Public Key Pinning (HPKP) No
Long handshake intolerance No
TLS extension intolerance No
TLS version intolerance TLS 1.98 TLS 2.98
Incorrect SNI alerts -
Uses common DH prime No
SSL 2 handshake compatibility Yes


smisgen said

Protocol Details
Secure Renegotiation Not supported ACTION NEEDED (more info)
Secure Client-Initiated Renegotiation No
Insecure Client-Initiated Renegotiation Supported INSECURE (more info)

Those are the ones that I think became a problem in Firefox 37.

Alternately, if you can support TLS 1.2, then it won't be an issue because Firefox won't have to fall back to TLS 1.0.
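
Added example (not part of the original thread or written by any poster): a small Python parser for a captured ServerHello record (TLS 1.0 to 1.2 layout) that reports the negotiated protocol version and whether the server sent the RFC 5746 renegotiation_info extension, the mechanism behind the "Secure Renegotiation" line in the scan above. The two records are constructed samples, and build_hello is a hypothetical helper used only to create them.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # RFC 5746 extension type
VERSIONS = {0x0300: "SSL 3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello (TLS 1.0-1.2 layout)."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or len(record) < 5 + rec_len:
        raise ValueError("not a complete handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                      # skip version and server random
    pos += 1 + hello[pos]             # skip session id (length byte + data)
    cipher = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                          # cipher suite + compression method
    extensions = {}
    if pos < len(hello):              # the extensions block is optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            extensions[etype] = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return {
        "version": VERSIONS.get(version, hex(version)),
        "cipher_suite": cipher,
        "secure_renegotiation": RENEGOTIATION_INFO in extensions,
    }

def build_hello(version, cipher, extensions=b""):
    """Hypothetical helper: build a constructed ServerHello record."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", cipher, 0)
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs

# Constructed samples: a TLS 1.0-only server without RFC 5746, and an updated one.
LEGACY = build_hello(0x0301, 0x0035)
PATCHED = build_hello(0x0303, 0x0035, struct.pack("!HHB", RENEGOTIATION_INFO, 1, 0))

if __name__ == "__main__":
    print(parse_server_hello(LEGACY), parse_server_hello(PATCHED))
```
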