Solve Error code: ssl_error_renegotiation_not_allowed with Firefox 39.0
I am using Firefox 39.0 to do some transactions with a public government organization. I am required to use my electronic identity card which uses a certificate that I installed by June 2014. However, now I can't work since I am getting this Error code: ssl_error_renegotiation_not_allowed. I have been searching for solutions and it seems this error requires changing the security settings of Firefox, however I cannot find the setting "ssl_error_renegotiation_not_allowed...". What can I do?
Thanks so much in advance
All Replies (2)
Check this article. https://wiki.mozilla.org/Security:Renegotiation
Hint: read the entire article.
Not that this fixes the problem for you in any way, the change has already been introduced in FF 38. And you aren't the only one having problems with vulnerable servers. https://bugzilla.mozilla.org/show_bug.cgi?id=1166348
The only real fix is adjusting the server configuration. In the meantime you may install an older version of Firefox and clone your existing profile. Then start the old version for only accessing that vulnerable site with the cloned profile.
Modified
I think you are looking for something that no longer exists in current Firefox 39.
It may be best asking your public government organisation if their methods are still secure, and whether you need to update your certificate?
I may expect a security conscious organisation to have methods that work with current secure browsers.
Forum Note: In case you do need to use insecure methods I will leave some notes here. Downgrading to a separate custom install of Firefox 37 for use on the problem site may work. But of course that would not be secure and rather defeats the object of trying to use secure methods involving an electronic identity card.
What I have found so far
- https://wiki.mozilla.org/Security:Renegotiation#security.ssl.renego_unrestricted_hosts
security.ssl.renego_unrestricted_hosts
Empty by default.
This string preference is a list of host names, separated by comma (,) where renegotiation may be performed, even when using the old vulnerable protocol. No wildcards are supported.
Example: www.dns1.com,mail.dns2.com
This preference was removed in Firefox 38. See bug 1123020.
Looking at some of the bugs, I am not even sure all the Mozilla documentation is fully up to date. Also see
RC4 is now disabled when using TLS, except for a few specifically whitelisted Web sites. This whitelist is an interim measure until those sites are fixed (bug 1124039). This fallback is controlled by the security.tls.unrestricted_rc4_fallback preference, true by default for the moment (bug 1138882). Web sites needing to fall back to an insecure version of TLS in order to work are now in a hardcoded whitelist which will shrink over time (bug 1114816). The whitelist can be disabled by setting security.tls.insecure_fallback_hosts.use_static_list to false.
- https://developer.mozilla.org/en-US/Firefox/Releases/39/Site_Compatibility#Security
SSLv3 support has been removed
DHE keys less than 1023-bit are no longer accepted (logjam)
?? This pref no longer has value by default. Now the whitelist is built into Firefox binary (bug 1128227). This pref was left for users to add some non-whitelisted sites. (bug1114816#c27)