Unable to access secure (HTTPS) sites in Firefox 43
Revision Information
- Revision id: 114191
- Created:
- Creator: philipp
- Comment: restart at the end of changing pref
- Reviewed: Yes
- Reviewed:
- Reviewed by: AliceWyman
- Is approved? Yes
- Is current revision? No
- Ready for localization: No
Revision Content
Firefox 43 included a change to reject new security certificates made using an old algorithm called “SHA-1”. Microsoft and Google will also be making similar changes to their products soon. Some users have experienced problems since this change with certain third party tools. This article explains how to see if this problem affects you and, if so, how to resolve it.
What causes this issue?
Some tools intercept your secure Internet traffic to decrypt your secure sessions and provide you with certain functionality. Such tools can include security scanners or antivirus products. Some of these tools provide your browser with a SHA-1 certificate. When Firefox encounters such a certificate, it rejects the connection and shows you the SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED error. Since these tools intercept all HTTPS sessions and replace the real certificate with a SHA-1 certificate, you will see this error on all HTTPS sites, even if the site’s real certificate doesn’t use SHA-1.
How do I know if this affects me?
If you can access this article in Firefox, you're fine. Otherwise, try to access an HTTPS site like https://blog.mozilla.org, click “Advanced”, and if you see the error code “SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED”, then you’re affected.
What can I do to work around this problem?
The best way to fix this problem is to install the latest version of Firefox from the Firefox download page, which has a fix for this problem. You will need to download and run the Firefox installer manually, using an unaffected copy of Firefox or another browser. If you are affected, then Firefox will not be able to automatically update.
- Type about:config in the address bar and press Enter/Return.
  A warning page may appear. Click to go to the about:config page.
- In the about:config page, search for the preference security.pki.sha1_enforcement_level.
- Double-click on the security.pki.sha1_enforcement_level preference and set its value to 0.
- Close the about:config page and restart Firefox once for this change to take effect.
What is the correct solution to this problem?
This issue occurs because a third party application you are using intercepts secure connections made by your browser. In doing this, it replaces the website's certificate with a certificate that uses a SHA-1 signature. To avoid problems with SHA-1 certificates in the future, you should try to identify the tool which is serving SHA-1 certificates (this is likely to be a security scanner or antivirus product) and configure it to use a stronger signature digest algorithm. You should also make sure that any products you’re using that might be performing man-in-the-middle interception are kept up to date.