
FF 78.6.0 ESR SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

  • 14 replies
  • 1 has this problem
  • 390 views
  • Last reply by Mike Kaply


hey all,

I get the following error ONLY for internal websites (we have our own Windows CA): SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED. Yes, I could "ignore" the error, however this is not desired. I already compared the algorithm with some external certs (like Let's Encrypt). Same algorithm, no error....

Have already tried with several internal websites, but without success. Some information about the certificate:

- Algorithm: RSA 2048 key length
- Sign. Algorithm: SHA-256 with RSA Encryption
- V3

What is wrong? I have already tried a lot of things without success. Unfortunately, I no longer know what to do. We deploy the certificates (root+intermediate) via GPO (this works so far). We have the above mentioned problems only after switching from 68ESR to 78ESR.

Thanks in advance.


Modified by mostRecentlyA


All Replies (14)


SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED is associated with a recent wave of changes in major browsers. Specifically, they are starting to treat certificates signed with the SHA-1 algorithm as insecure. This is being phased in over time so it affects users unevenly.

If you want to revert to the default setting for this feature, you can make the following change temporarily (until Firefox 52, I believe):

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste pki and pause while the list is filtered

(3) If the security.pki.sha1_enforcement_level preference is bolded and "user set" to a value other than 4, right-click it and choose Reset to restore the value to 4, or double-click the preference, replace the current value with 4, and click OK


FredMcD said

> SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED is associated with a recent wave of changes in major browsers. Specifically, they are starting to treat certificates signed with the SHA-1 algorithm as insecure. This is being phased in over time so it affects users unevenly.
>
> If you want to revert to the default setting for this feature, you can make the following change temporarily (until Firefox 52, I believe):
>
> (1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
>
> (2) In the search box above the list, type or paste pki and pause while the list is filtered
>
> (3) If the security.pki.sha1_enforcement_level preference is bolded and "user set" to a value other than 4, right-click it and choose Reset to restore the value to 4, or double-click the preference, replace the current value with 4, and click OK

Hey thanks. Tried this already, no success.


I called for more help.


There is security software like Avast, Kaspersky, BitDefender and ESET that intercepts secure connection certificates and sends its own.

https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can

https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites

https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message

https://support.mozilla.org/en-US/kb/connection-untrusted-error-message

Websites don't load - troubleshoot and fix error messages

http://kb.mozillazine.org/Error_loading_websites

What do the security warning codes mean


In what year was this certificate issued? Does Firefox have a built-in root certificate for this certificate?

You can try security.pki.sha1_enforcement_level = 0


cor-el said

> In what year was this certificate issued? Does Firefox have a built-in root certificate for this certificate?
>
> You can try security.pki.sha1_enforcement_level = 0

security.pki.sha1_enforcement_level = 0 => no success, same problem.

- cert issued 12/2019 (valid for 2 years).
- yes, intermediate and root cert are in firefox (and also Windows) cert store. I double checked this already.


FredMcD said

> I called for more help.
>
> There is security software like Avast, Kaspersky, BitDefender and ESET that intercepts secure connection certificates and sends its own.
>
> https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
>
> https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
>
> https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
>
> https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
>
> Websites don't load - troubleshoot and fix error messages
>
> http://kb.mozillazine.org/Error_loading_websites
>
> What do the security warning codes mean

Hey thanks. I already removed the AV Client -> no success. All other links didn't help me, thanks anyway.

As said before, I had no problems with the previous version of Firefox (68ESR). Anything should be new ...

Btw, is there any solution to edit trusted Server (section certificates) from GPO? I don't want to edit the exception for xxxx Clients^^

Modified by mostRecentlyA


For GPO you can check the certificates section on this page.

I will move this thread to Firefox for Enterprise.


Any other suggestions how to solve this problem?


So you're running into this problem because all DHE cipher suites were disabled in Firefox.

https://bugzilla.mozilla.org/show_bug.cgi?id=1496639

We have a new policy - DisabledCiphers - that will allow you to reenable it.

https://github.com/mozilla/policy-templates/blob/master/README.md

The particular cipher you need to enable is TLS_DHE_RSA_WITH_AES_256_CBC_SHA


Mike Kaply said

> So you're running into this problem because all DHE cipher suites were disabled in Firefox.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1496639
>
> We have a new policy - DisabledCiphers - that will allow you to reenable it.
>
> https://github.com/mozilla/policy-templates/blob/master/README.md
>
> The particular cipher you need to enable is TLS_DHE_RSA_WITH_AES_256_CBC_SHA

My solution was to disable the setting "security.enterprise_roots.enabled"; after this all internal websites are working. I deploy via Firefox-GPO the root and intermediate cert, install them in local Firefox certstore. But I don't know why this setting was the problem.


Chosen solution

Mike Kaply said

> So you're running into this problem because all DHE cipher suites were disabled in Firefox.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1496639
>
> We have a new policy - DisabledCiphers - that will allow you to reenable it.
>
> https://github.com/mozilla/policy-templates/blob/master/README.md
>
> The particular cipher you need to enable is TLS_DHE_RSA_WITH_AES_256_CBC_SHA

My solution was to disable security.enterprise_roots.enabled (set to false). I install the certs via GPO into the Firefox cert store. Now, everything is fine.


> my solution was to disable security.enterprise_roots.enabled (set to false). I install the certs via GPO into the firefox cert store. now, everything is fine.

Interesting. That means that there was a problem with your Windows certs. Glad it's working.


Mike Kaply said

> > my solution was to disable security.enterprise_roots.enabled (set to false). I install the certs via GPO into the firefox cert store. now, everything is fine.
>
> Interesting. That means that there was a problem with your Windows certs. Glad it's working.

But Idk what exactly was wrong? As mentioned, the sign algorithm etc. seems ok.

my current setting is:

- install root and intermediate certs via gpo into firefox certstore
- tell firefox not to use the windows cert store (REG Key ImportEnterpriseRoots (which equals security.enterprise_roots.enabled) set this to FALSE)

So far, everything is ok.


If you recreate the problem and then get the certificate contents, we could debug.

Best to open a bug in bugzilla.mozilla.org
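
Added example, not part of the original thread: one way to collect the certificate details asked for in the last reply is to list what the Windows stores hold for the internal CA, with each certificate's signature algorithm, alongside the ImportEnterpriseRoots policy value. The CA name pattern is a placeholder, the choice of the LocalMachine Root and CA stores is an assumption about where the GPO puts the certificates, and the registry path is the one documented in the policy-templates README.

```powershell
# Added diagnostic example (not from the thread). Run on an affected Windows client.
# Assumption: the internal CA certificates sit in the LocalMachine Root and CA stores.
$CaNamePattern = 'Example Internal CA'    # placeholder: part of your CA's subject name
$ExpectedOid   = '1.2.840.113549.1.1.11'  # sha256WithRSAEncryption, as reported for the leaf

# Is Firefox told by policy to import roots from Windows?
$policyKey = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'
$policy = Get-ItemProperty -Path $policyKey -Name ImportEnterpriseRoots -ErrorAction SilentlyContinue
if ($policy) {
    "ImportEnterpriseRoots policy = $($policy.ImportEnterpriseRoots)"
} else {
    'ImportEnterpriseRoots policy is not set'
}

# Collect every matching CA certificate with its signature algorithm.
$report = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA') {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$CaNamePattern*" -or $_.Issuer -like "*$CaNamePattern*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                SigAlg     = $_.SignatureAlgorithm.FriendlyName
                SigAlgOid  = $_.SignatureAlgorithm.Value
                Unexpected = ($_.SignatureAlgorithm.Value -ne $ExpectedOid)
                Thumbprint = $_.Thumbprint
            }
        }
}

$report | Sort-Object Subject, NotAfter | Format-List

# Same subject, different thumbprints: more than one candidate for path building.
$report | Sort-Object Thumbprint -Unique | Group-Object Subject |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "Multiple certificates for: $($_.Name) ($($_.Count) entries)" }
```

Rows marked Unexpected use a signature algorithm other than the SHA-256 with RSA reported for the server certificate. A root's self-signature is not evaluated during path validation, so the rows from the CA (intermediate) store are the ones to compare first.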