
Support Forum

We have difficulty trying to connect to our server using a browser. Google Chrome can connect, but Mozilla Firefox cannot.

Problem:

We have difficulty trying to connect to our server using a browser. Google Chrome can connect, but Mozilla Firefox cannot. This problem is related to the "Weak Diffie-Hellman and the Logjam Attack" (https://weakdh.org/)


Activity log, sequence of actions we have conducted to try and fix the problem, and things we already know:

1. Everything was fine
2. Firefox complained about the Weak Diffie-Hellman ephemeral key
3. Firefox can no longer access our server
4. But, Google Chrome CAN STILL access
5. Found out about "Weak Diffie-Hellman and the Logjam Attack"
   (https://weakdh.org/)
6. Tested Firefox using their website, and it responded "Good News! Your browser is safe against the Logjam attack."
7. Tested Chrome using their website, and it responded that Chrome was vulnerable.
8. This explained why we could still access our server using Chrome
9. Updated Chrome to the latest version.
10. Tested Chrome using weakdh.org, and it responded "Good News! Your
    browser is safe against the Logjam attack."
11. Tried accessing our site using Chrome, and it has the same error
    with Firefox.
12. Both Chrome and Firefox can no longer access the site at this
    point.
13. We followed the instruction located at
    https://weakdh.org/sysadmin.html for Apache Tomcat servers.

`ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA"`

14. Fix did not work both for Chrome and Firefox, still the same error.
15. We followed the instruction at
    http://stackoverflow.com/questions/30931692/diffie-hellman-public-key-error-with-tomcat-7

`ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"`

16. Fix WORKED for Chrome BUT NOT for Firefox.
17. Firefox has error code: ssl_error_bad_cert_alert
18. We experimented with a smaller number of ciphers, but none worked
19. `ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"`
20. Same error for Firefox, still OK for Chrome.


**TECHNICAL DETAILS**

Certificate:
   Signature algorithm: sha256RSA
   Signature hash algorithm: sha256
   Public key: RSA (2048 Bits)
   Thumbprint algorithm: sha1

Environment:
   Apache Tomcat 6.0
   Java 1.6.0_34

Current server configuration:
   <Connector port="443" SSLEnabled="true" maxThreads="150" scheme="https" 
   secure="true" clientAuth="true" sslProtocol="TLS" 
   keystoreFile="********.pfx" 
   keystoreType="PKCS12" 
   keystorePass="********" 
   ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>

Additional System Details

Installed Plug-ins

  • Google Update
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Next Generation Java Plug-in 11.51.2 for Mozilla browsers
  • The plugin allows you to have a better experience with Microsoft SharePoint
  • The plugin allows you to have a better experience with Microsoft Lync
  • NVIDIA 3D Vision Streaming plugin for Mozilla browsers
  • NVIDIA 3D Vision plugin for Mozilla browsers

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
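
An added example, not part of the original post: a small Python audit of the Connector posted above. It groups the configured cipher suites by key exchange, reports whether any finite-field DHE suite (the kind the Logjam notes concern) is still offered, and surfaces the `clientAuth` setting. The function names are hypothetical; the Connector text is copied from the post with its redactions.

```python
import xml.etree.ElementTree as ET

# Connector as posted above (keystore values are redacted in the post itself).
CONNECTOR = '''<Connector port="443" SSLEnabled="true" maxThreads="150" scheme="https"
 secure="true" clientAuth="true" sslProtocol="TLS"
 keystoreFile="********.pfx" keystoreType="PKCS12" keystorePass="********"
 ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>'''


def key_exchange(suite):
    """Return the key-exchange family encoded in a TLS_<KX>_WITH_<CIPHER> name."""
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        return "unparsed"
    kx = suite[len("TLS_"):].split("_WITH_", 1)[0]
    if kx.startswith("ECDHE_"):
        return "ECDHE"   # elliptic-curve ephemeral DH
    if kx.startswith("DHE_"):
        return "DHE"     # finite-field ephemeral DH, the Logjam-relevant family
    if kx == "RSA":
        return "RSA"     # static RSA key transport, no forward secrecy
    return "other"


def audit_connector(xml_text):
    """Summarise the TLS-relevant attributes of one Tomcat <Connector>."""
    conn = ET.fromstring(xml_text)
    suites = [s.strip() for s in conn.get("ciphers", "").split(",") if s.strip()]
    by_kx = {}
    for suite in suites:
        by_kx.setdefault(key_exchange(suite), []).append(suite)
    return {
        "by_kx": by_kx,
        "offers_dhe": "DHE" in by_kx,
        "no_forward_secrecy": by_kx.get("RSA", []),
        # clientAuth="true" means the server demands a client certificate.
        "client_cert_required": conn.get("clientAuth", "false").lower() == "true",
    }


if __name__ == "__main__":
    report = audit_connector(CONNECTOR)
    for family, names in report["by_kx"].items():
        print(family, len(names))
    print("DHE offered:", report["offers_dhe"])
    print("client certificate required:", report["client_cert_required"])
```
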


FredMcD
  • Top 10 Contributor
4254 solutions 59583 answers

You may have ad / mal-ware. Further information can be found in the Troubleshoot Firefox issues caused by malware article.

Run most or all of the listed malware scanners. Each works differently. If one program misses something, another may pick it up.


Type about:preferences#advanced<Enter> in the address bar.

Under Advanced, Select Network. Look for Configure How Firefox Connects and press the Settings button. If you are using a proxy, make sure those settings are correct. If there is no proxy, first use No Proxy. If there is a problem, then try System Proxy.


Some problems occur when your Internet security program was set to trust the previous version of Firefox, but no longer recognizes your updated version as trusted. Now how to fix the problem: To allow Firefox to connect to the Internet again;

  • Make sure your Internet security software is up-to-date (i.e. you are running the latest version).
  • Remove Firefox from your program's list of trusted or recognized programs. For detailed instructions, see Configure firewalls so that Firefox can access the Internet (https://support.mozilla.org/en-US/kb/configure-firewalls-so-firefox-can-access-internet).


As a test, disable your protection programs.


Start Firefox in Safe Mode (https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode) by holding down the <Shift> (Mac Options) key, and then starting Firefox. Is the problem still there?

cor-el
  • Top 10 Contributor
  • Moderator
17522 solutions 158440 answers

Can you post a link to your website so we can check what is happening?

Does it work if you add the domain to the whitelist pref?

  • security.tls.insecure_fallback_hosts

You can double-click the line to modify the pref and add the full domain (TEXT) to the value of this pref. If there are already websites (domains) in this list then add a comma and the new domain (no spaces). There should only be domains separated by a comma in the Value column (example.com,www.example.com).

You can toggle these prefs to false on the about:config page to disable the cipher suites that are involved with the Logjam vulnerability in case they are currently enabled.

  • security.ssl3.dhe_rsa_aes_128_sha
  • security.ssl3.dhe_rsa_aes_256_sha

Helpful Reply

FredMcD said

You may have ad / mal-ware. Further information can be found in the Troubleshoot Firefox issues caused by malware article. Run most or all of the listed malware scanners. Each works differently. If one program misses something, another may pick it up.

Type about:preferences#advanced<Enter> in the address bar.

Under Advanced, Select Network. Look for Configure How Firefox Connects and press the Settings button. If you are using a proxy, make sure those settings are correct. If there is no proxy, first use No Proxy. If there is a problem, then try System Proxy.


Some problems occur when your Internet security program was set to trust the previous version of Firefox, but no longer recognizes your updated version as trusted. Now how to fix the problem: To allow Firefox to connect to the Internet again;

  • Make sure your Internet security software is up-to-date (i.e. you are running the latest version).
  • Remove Firefox from your program's list of trusted or recognized programs. For detailed instructions, see Configure firewalls so that Firefox can access the Internet (https://support.mozilla.org/en-US/kb/configure-firewalls-so-firefox-can-access-internet).


As a test, disable your protection programs.


Start Firefox in Safe Mode (https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode) by holding down the <Shift> (Mac Options) key, and then starting Firefox. Is the problem still there?

1.) Malware may not be the cause since this problem is affecting all our clients.
2.) We do not have a proxy. However, I've tried some proxy settings and all attempts did not work.
3.) I'm running the latest Firefox.
4.) I think this would not be an issue regarding firewalls since I can access other websites.
5.) I also tried running in Safe Mode and the issue is still there.

jscher2000
  • Top 10 Contributor
8758 solutions 71655 answers

So just to summarize, the current situation is:

(1) Server passes logjam tests
(2) Chrome connects
(3) Firefox gives ssl_error_bad_cert_alert error

That's actually a very rare error on this forum and most of the posts relate to an issue with a client certificate accessing AKO mail, so that may not be relevant to your situation: https://support.mozilla.org/search/advanced?a=1&q=ssl_error_bad_cert_alert&sortby=1&w=2
