
Support Forum

Secure Connection Failed


We have a website which applied the government certificate authority of Taiwan running as SSL. This is untrusted in Firefox but could still be added as an exception website before; not anymore today after the version 31.0 upgrade. Could you help us to figure out this big trouble? Thank you very much! Website as follows: https://www.safetaiwan.tw

Sincerely Stanley



Additional System Details

Installed Plug-ins

  • Next Generation Java Plug-in 10.65.2 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Shockwave Flash 14.0 r0
  • Google Update
  • 5.1.30214.0
  • Garena Talk Plugin
  • GEPlugin
  • NPWLPG
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • Office Authorization plug-in for NPAPI browsers

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0


guigs
  • Administrator
  • Moderator
1052 solutions 11489 answers

Chosen Solution

Hi Stanley, In the new Firefox 31 there was a new certificate verification added.

Firefox version 31 uses a new verification library to perform security checks on a website. This new library might be causing the OCSP error and preventing access to the site.

The engineers are currently trying to resolve the issue, but in the meantime, you can work around this by changing the following configuration:

  1. Type in about:config in your address bar.
  2. You'll see a "This might void your warranty!" message. Click "I'll be careful, I promise!".
  3. In the Search field, type in "security.use_mozillapkix_verification" to bring up that preference.
  4. Double-click on the preference to set its value to false.

The error message for the site in question: [Error code: sec_error_bad_signature]

Borrowing cor-el's instructions for when some firewalls monitor HTTPS connections and send their own certs:

   * http://support.kaspersky.com/6851
   * http://forum.kaspersky.com/index.php?showtopic=264057

  1. Go to SETTINGS
  2. Click on the BROWN BOX icon
  3. Go to NETWORK
  4. Click on INSTALL CERTIFICATE (Kaspersky security certificate) and follow the install instructions.

jscher2000
  • Top 10 Contributor
7040 solutions 57418 answers

According to this test page, your web server is not sending the intermediate certificates: http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=www.safetaiwan.tw&protocol=https

When I look at the certificate dialog in IE/Chrome (they share the Windows certificate store), there appear to be four certificates: root, first intermediate, second intermediate, your site. Basically, Firefox wants you to send everything except the root.

The details on how to do that depend on your server. Your server sends this information:

Apache/2.2.27 (Win32) mod_ssl/2.2.27 OpenSSL/1.0.1g PHP/5.3.28

Although the best instructions are from your issuer, here is another page for reference in case it helps: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/637/0/certificate-installation-apache--mod_ssl

Also, this should help in case other browsers become stricter in the future.
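
The missing-intermediates condition described in the answer above can be checked from the chain listing that `openssl s_client -showcerts` prints. This is an added example, not part of the thread: the `chain_status` helper and all certificate names are constructed for illustration, and the root subject must be passed in the same format the listing uses.

```shell
# Added example, not from the thread; every certificate name is constructed.
# Live input would come from:
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
# chain_status ROOT_SUBJECT   (s_client output on stdin) prints one of:
#   incomplete  last certificate sent was not issued by ROOT_SUBJECT,
#               so at least one intermediate is missing
#   broken      a certificate's issuer is not the next certificate's subject
#   with-root   linked chain that also carries the root (not needed)
#   complete    linked chain that stops just below the root
chain_status() {
  ROOT_SUBJECT="$1" awk '
    BEGIN { n = 0 }
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ +i:/        { sub(/^ +i:/, ""); iss[n++] = $0; next }
    END {
      root = ENVIRON["ROOT_SUBJECT"]
      if (n == 0) { print "no-chain"; exit }
      for (k = 0; k + 1 < n; k++)
        if (iss[k] != subj[k + 1]) { print "broken"; exit }
      if (subj[n - 1] == root)     print "with-root"
      else if (iss[n - 1] == root) print "complete"
      else                         print "incomplete"
    }'
}

# Constructed listing: the server sends only its own certificate.
sample_leaf_only() { cat <<'EOF'
Certificate chain
 0 s:/C=TW/O=Example Agency/CN=www.example.tw
   i:/C=TW/O=Example Gov/CN=Example Issuing CA
EOF
}

# Constructed listing: site certificate plus both intermediates, no root.
sample_full() { cat <<'EOF'
Certificate chain
 0 s:/C=TW/O=Example Agency/CN=www.example.tw
   i:/C=TW/O=Example Gov/CN=Example Issuing CA
 1 s:/C=TW/O=Example Gov/CN=Example Issuing CA
   i:/C=TW/O=Example Gov/CN=Example Policy CA
 2 s:/C=TW/O=Example Gov/CN=Example Policy CA
   i:/C=TW/O=Example Gov/CN=Example Root CA
EOF
}

ROOT='/C=TW/O=Example Gov/CN=Example Root CA'
echo "leaf only:  $(sample_leaf_only | chain_status "$ROOT")"
echo "full chain: $(sample_full | chain_status "$ROOT")"
```

On Apache 2.2 with mod_ssl, the intermediates the server should send go in the file named by the `SSLCertificateChainFile` directive.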


Question owner

Hi guigs2, Thanks for your patient response, it works after following your instructions! Although, I hope it could still be more flexible and offer users options, not be too strict. I'm sincerely looking forward to hearing good news about the next upgrade for this issue on Firefox.

And also thanks to jscher2000, it's helpful advice.

guigs
  • Administrator
  • Moderator
1052 solutions 11489 answers

Hi stanleychung, This may also be a good reference for strict issues with the domain name you mentioned. It would be good to gather examples of this for the security team.

Can you please provide an example of the certificate to the bug https://bugzilla.mozilla.org/show_bug.cgi?id=1049185 and cc yourself so that we can follow up on the strict calls.

Thank you!

psubhash982 0 solutions 1 answers

400 error, 500 error, CN certificate, basic constraints error totally encountered to me please help! help me..

jscher2000
  • Top 10 Contributor
7040 solutions 57418 answers

Hi psubhash982, are these problems on all sites or on particular sites?

The subject of this thread was safetaiwan.tw so if you are having a problem on a different site, I suggest posting a new question with your system details. You can start that using this link:

https://support.mozilla.org/questions/new/desktop/fix-problems

If the articles suggested on the form are not helpful, please scroll down to continue with entering your question.
