[opensuse] mozilla ssl/tls problem?
Normally I have no problem with https, but yesterday I tried accessing the 3ware web-service running on a storageserver, and that simply didn't work. I googled some and saw references to some possible mozilla SSL/TLS problem - I then tried opera instead, and that worked fine! Has anyone else experienced this or similar? -- Per Jessen, Zürich (16.6°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 10.05.2012 10:08, Per Jessen wrote:
Normally I have no problem with https, but yesterday I tried accessing the 3ware web-service running on a storageserver, and that simply didn't work. I googled some and saw references to some possible mozilla SSL/TLS problem - I then tried opera instead, and that worked fine!
Has anyone else experienced this or similar?
You didn't tell us which flavour and version of "mozilla" you are using ;-) So just a very wild initial guess: What is your setting for "security.enable_md5_signatures"? And if that guess is wrong could you probably add more information like what "mozilla" has to say about your connection (error message or simply nothing?). Wolfgang
Wolfgang Rosenauer wrote:
On 10.05.2012 10:08, Per Jessen wrote:
Normally I have no problem with https, but yesterday I tried accessing the 3ware web-service running on a storageserver, and that simply didn't work. I googled some and saw references to some possible mozilla SSL/TLS problem - I then tried opera instead, and that worked fine!
Has anyone else experienced this or similar?
You didn't tell us which flavour and version of "mozilla" you are using ;-)
Sorry, yes I should have added that - firefox 11.0. Same result with FF 12 (on Windows).
So just a very wild initial guess: What is your setting for "security.enable_md5_signatures"?
Looking in about:config, I don't see that one at all. Whether in 11 or 12.
And if that guess is wrong could you probably add more information like what "mozilla" has to say about your connection (error message or simply nothing?).
Mostly nothing - only "connection reset". I ran a tcpdump and that is all I see there too. -- Per Jessen, Zürich (17.1°C)
On 05/10/2012 10:08 AM, Per Jessen wrote:
Normally I have no problem with https, but yesterday I tried accessing the 3ware web-service running on a storageserver, and that simply didn't work. I googled some and saw references to some possible mozilla SSL/TLS problem - I then tried opera instead, and that worked fine!
Has anyone else experienced this or similar?
https is using a chain of trust. It's possible that the website's SSL cert was certified by someone your browser did not trust ... but another browser did (because it's trusting different root certificates). ... or the website temporarily changed the SSL cert to e.g. a self-signed one. ... or there was a network problem and the SSL startup handshake was corrupted. BTW: "that simply didn't work" is not a very useful message. The browsers usually show detailed information about the certificate and its chain until the root certificate. If something is wrong, then it will complain e.g. that the cert expired. Have a nice day, Berny
Bernhard Voelker wrote:
On 05/10/2012 10:08 AM, Per Jessen wrote:
Normally I have no problem with https, but yesterday I tried accessing the 3ware web-service running on a storageserver, and that simply didn't work. I googled some and saw references to some possible mozilla SSL/TLS problem - I then tried opera instead, and that worked fine!
Has anyone else experienced this or similar?
https is using a chain of trust. It's possible that the website's SSL cert was certified by someone your browser did not trust ... but another browser did (because it's trusting different root certificates).
... or the website temporarily changed the SSL cert to e.g. a self-signed one. ... or there was a network problem and the SSL startup handshake was corrupted.
It's not really a website, it's a webserver on the storage server on our local network. It's not a temporary issue, I still have no connection with Firefox, whereas Opera 9.62 works.
BTW: "that simply didn't work" is not a very useful message.
I agree, but that is pretty much what Firefox tells me - "connection reset".
The browsers usually show detailed information about the certificate and its chain until the root certificate. If something is wrong, then it will complain e.g. that the cert expired.
Well, it doesn't in this case. Besides, it works with Opera. -- Per Jessen, Zürich (17.5°C)
On 05/10/2012 10:26 AM, Per Jessen wrote:
BTW: "that simply didn't work" is not a very useful message.
I agree, but that is pretty much what Firefox tells me - "connection reset".
Hmm, that may mean that the server enforces an SSL handshake algorithm which FF does not allow (e.g. because it's too old and considered too weak). Does Opera show which algorithm is being used? Have a nice day, Berny
Bernhard Voelker wrote:
On 05/10/2012 10:26 AM, Per Jessen wrote:
BTW: "that simply didn't work" is not a very useful message.
I agree, but that is pretty much what Firefox tells me - "connection reset".
Hmm, that may mean that the server enforces an SSL handshake algorithm which FF does not allow (e.g. because it's too old and considered too weak). Does Opera show which algorithm is being used?
Which might suggest that perhaps there's a newer version of the 3ware server available?
Dave Howorth wrote:
Bernhard Voelker wrote:
On 05/10/2012 10:26 AM, Per Jessen wrote:
BTW: "that simply didn't work" is not a very useful message.
I agree, but that is pretty much what Firefox tells me - "connection reset".
Hmm, that may mean that the server enforces an SSL handshake algorithm which FF does not allow (e.g. because it's too old and considered too weak). Does Opera show which algorithm is being used?
Which might suggest that perhaps there's a newer version of the 3ware server available?
I did have a look for a newer 3dm2 (the webserver) - afaict, there isn't one, but I did come across this: http://kb.lsi.com/KnowledgebaseArticle16641.aspx It looks like patches (for multiple browsers) are underway. -- Per Jessen, Zürich (18.8°C)
On 2012-05-10 11:28, Per Jessen wrote:
It looks like patches (for multiple browsers) are underway.
Maybe I'm wrong, but I read it as the patch is the culprit of your problem. That is, that there was a security problem, it was patched, and as a result, you can not connect anymore. -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar)
Carlos E. R. wrote:
On 2012-05-10 11:28, Per Jessen wrote:
It looks like patches (for multiple browsers) are underway.
Maybe I'm wrong, but I read it as the patch is the culprit of your problem. That is, that there was a security problem, it was patched, and as a result, you can not connect anymore.
Yes, that's how I read it too, but skimming through it led me to think another patch was on the way. -- Per Jessen, Zürich (21.4°C)
Per Jessen wrote:
I did have a look for a newer 3dm2 (the webserver) - afaict, there isn't one, but I did come across this:
http://kb.lsi.com/KnowledgebaseArticle16641.aspx
It looks like patches (for multiple browsers) are underway.
If you click on the 'KB 16625' link at the bottom, it takes you to a page that claims links to patched copies of 3dm2. I haven't yet upgraded Firefox on machines where 3dm2 is used (pure luck, no wisdom), so I'll let you experiment first with the patched 3dm2 ;)
Dave Howorth wrote:
Per Jessen wrote:
I did have a look for a newer 3dm2 (the webserver) - afaict, there isn't one, but I did come across this:
http://kb.lsi.com/KnowledgebaseArticle16641.aspx
It looks like patches (for multiple browsers) are underway.
If you click on the 'KB 16625' link at the bottom, it takes you to a page that claims links to patched copies of 3dm2.
I haven't yet upgraded Firefox on machines where 3dm2 is used (pure luck, no wisdom), so I'll let you experiment first with the patched 3dm2 ;)
How did I miss that ... thanks for spotting it! -- Per Jessen, Zürich (21.4°C)
Per Jessen wrote:
Dave Howorth wrote:
Per Jessen wrote:
I did have a look for a newer 3dm2 (the webserver) - afaict, there isn't one, but I did come across this:
http://kb.lsi.com/KnowledgebaseArticle16641.aspx
It looks like patches (for multiple browsers) are underway.
If you click on the 'KB 16625' link at the bottom, it takes you to a page that claims links to patched copies of 3dm2.
I haven't yet upgraded Firefox on machines where 3dm2 is used (pure luck, no wisdom), so I'll let you experiment first with the patched 3dm2 ;)
How did I miss that ... thanks for spotting it!
The updated 3dm2 daemon works - again, thanks for spotting it. -- Per Jessen, Zürich (21.9°C)
On 10.05.2012 11:28, Per Jessen wrote:
Dave Howorth wrote:
Bernhard Voelker wrote:
On 05/10/2012 10:26 AM, Per Jessen wrote:
BTW: "that simply didn't work" is not a very useful message.
I agree, but that is pretty much what Firefox tells me - "connection reset".
Hmm, that may mean that the server enforces an SSL handshake algorithm which FF does not allow (e.g. because it's too old and considered too weak). Does Opera show which algorithm is being used?
Which might suggest that perhaps there's a newer version of the 3ware server available?
I did have a look for a newer 3dm2 (the webserver) - afaict, there isn't one, but I did come across this:
http://kb.lsi.com/KnowledgebaseArticle16641.aspx
It looks like patches (for multiple browsers) are underway.
As Carlos wrote there are no patches underway but Firefox was fixed to prevent certain attacks. https://bugzilla.mozilla.org/show_bug.cgi?id=665814 This affects your 3dm2. The other bug https://bugzilla.mozilla.org/show_bug.cgi?id=702111 seems to describe broken server implementations. It also describes a temporary workaround by exporting NSS_SSL_CBC_RANDOM_IV=0 before starting Firefox. Please try that and wait for a proper fix for your firmware. Wolfgang
Bernhard Voelker wrote:
On 05/10/2012 10:26 AM, Per Jessen wrote:
BTW: "that simply didn't work" is not a very useful message.
I agree, but that is pretty much what Firefox tells me - "connection reset".
Hmm, that may mean that the server enforces an SSL handshake algorithm which FF does not allow (e.g. because it's too old and considered too weak). Does Opera show which algorithm is being used?
Opera says the following: 1) server name does not match certificate name 2) certificate not signed by a trusted authority Protocol: TLS v1.0, 256bit AES (1024bit RSA/SHA) -- Per Jessen, Zürich (18.8°C)
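The NSS_SSL_CBC_RANDOM_IV setting mentioned in the thread concerns CBC cipher suites under SSL 3.0 and TLS 1.0, where each record's IV is chained from the previous record, and Opera's summary above reports exactly that combination for the 3dm2 server. The Python code below is an added example, not part of the thread or of any project named in it: it classifies a negotiated protocol/cipher pair that way. The names `chained_cbc_iv`, `from_opera_summary` and `probe` are hypothetical, and `probe` assumes a Python build linked against OpenSSL 1.1.0 or later that still has TLS 1.0 compiled in.

```python
import re
import socket
import ssl

# SSL 3.0 and TLS 1.0 CBC suites take each record's IV from the previous
# record's last ciphertext block; TLS 1.1+ sends an explicit per-record IV.
CHAINED_IV_VERSIONS = {"SSLv3", "TLSv1"}
# Markers of suites that are not CBC block ciphers: stream, AEAD or no cipher.
NON_CBC = ("RC4", "GCM", "CCM", "CHACHA20", "NULL")


def chained_cbc_iv(version, cipher):
    """True for SSL 3.0/TLS 1.0 with a CBC block cipher (chained IV)."""
    if version not in CHAINED_IV_VERSIONS:
        return False
    return not any(marker in cipher.upper() for marker in NON_CBC)


def from_opera_summary(line):
    """Parse a summary like the one Opera showed into (version, cipher)."""
    m = re.search(r"(SSL|TLS) v\d\.(\d), \d+bit (\w+)", line)
    if not m:
        raise ValueError("unrecognised summary: %r" % line)
    proto, minor, cipher = m.groups()
    if proto == "SSL":
        return "SSLv3", cipher
    return "TLSv1" + ("" if minor == "0" else "." + minor), cipher


def probe(host, port=443, timeout=5.0):
    """Handshake once and return (version, cipher name) as negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # diagnostic only: the device cert is
    ctx.verify_mode = ssl.CERT_NONE     # untrusted and its name mismatches
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("ALL:@SECLEVEL=0")  # assumption: OpenSSL >= 1.1.0
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    # The line Opera reported in the thread, used as sample input.
    opera = "Protocol: TLS v1.0, 256bit AES (1024bit RSA/SHA)"
    print(chained_cbc_iv(*from_opera_summary(opera)))
```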
participants (5)
- Bernhard Voelker
- Carlos E. R.
- Dave Howorth
- Per Jessen
- Wolfgang Rosenauer