An https site I have been using for years suddenly is no longer accessible "because the authenticity of the received data could no longer be verified."
It works on Furefox on Windows7 Pro and on Internet Explorer but not on Windows 7 Home Edition, and not on my Android phone. Any ideas how to work around thus?
Chosen solution
In another thread, you indicated that the site is https://teradatanet.teradata.com/
That site uses TLS 1.0, an older version of the SSL standard that Firefox 37 no longer treats as secure. This is a change from Firefox 36.
You can make a site-specific exception for the problem server so Firefox allows TLS 1.0 -- this is for Windows, I have not tested on Android:
Here's how:
(1) Copy the host name of the server address. This is the part between the https:// protocol and the next / character, and not including either of those. In this case: teradatanet.teradata.com
(2) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
(3) In the search box above the list, type or paste tls and pause while the list is filtered
(4) Double-click the security.tls.insecure_fallback_hosts preference to display a box where you can paste the copied host name. If you have something here already, add a comma at the end before pasting to separate the new host name from the previous name(s). Then click OK to save the change.
When you reload that site, Firefox 37 will now redirect to a second server (note the additional 0 in the host name):
https://teradatanet0.teradata.com/Site0083/oam/UI/Login?goto=https://teradatanet.teradata.com/c/portal/login
So repeat steps 1 and 4 with the additional host name (in step 4, add the second host name after a comma, do not delete the first one).
Now when you reload, it should work like Firefox 36. Instead of a gray padlock, you should see the gray exclamation triangle warning icon, indicating a problem with the connection. In this case, the problem is that the server uses an RC4 cipher, which Firefox 36 and higher treat as insecure/hackable.
Read this answer in context 👍 8All Replies (17)
The exact url is rather important here.
Chosen Solution
In another thread, you indicated that the site is https://teradatanet.teradata.com/
That site uses TLS 1.0, an older version of the SSL standard that Firefox 37 no longer treats as secure. This is a change from Firefox 36.
You can make a site-specific exception for the problem server so Firefox allows TLS 1.0 -- this is for Windows, I have not tested on Android:
Here's how:
(1) Copy the host name of the server address. This is the part between the https:// protocol and the next / character, and not including either of those. In this case: teradatanet.teradata.com
(2) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
(3) In the search box above the list, type or paste tls and pause while the list is filtered
(4) Double-click the security.tls.insecure_fallback_hosts preference to display a box where you can paste the copied host name. If you have something here already, add a comma at the end before pasting to separate the new host name from the previous name(s). Then click OK to save the change.
When you reload that site, Firefox 37 will now redirect to a second server (note the additional 0 in the host name):
https://teradatanet0.teradata.com/Site0083/oam/UI/Login?goto=https://teradatanet.teradata.com/c/portal/login
So repeat steps 1 and 4 with the additional host name (in step 4, add the second host name after a comma, do not delete the first one).
Now when you reload, it should work like Firefox 36. Instead of a gray padlock, you should see the gray exclamation triangle warning icon, indicating a problem with the connection. In this case, the problem is that the server uses an RC4 cipher, which Firefox 36 and higher treat as insecure/hackable.
Yep! That does it. Thank you very much.
That fixed my Android phone too. The mystery remains: why does this URL still work with Firefox 37.0.1 on Windows 7 Pro when security.tls.insecure_fallback_hosts is still set to an empty string?
GJColeman78 said
The mystery remains: why does this URL still work with Firefox 37.0.1 on Windows 7 Pro when security.tls.insecure_fallback_hosts is still set to an empty string?
Could you check on whether any of your other tls preferences have been modified on the Win7Pro system?
Ah! Good question! On my Windows Pro system the Preference value "security.tls.unrestricted_rc4_fallback" is not defined, but it is set to "true" in the Windows Home installation of Firefox. So maybe it is using a default fallback list? Maybe I could also have fixed this by setting security.tls.unrestricted_rc4_fallback to false?
I think security.tls.unrestricted_rc4_fallback is a preference that will be introduced in Firefox 38 (currently available as "Beta") and would have no effect in Firefox 37.
It should default to false, but I don't think this affects the TLS 1.0 issue either way. Instead, it affects the gray exclamation triangle warning icon issue. (Actually, I can't say whether it's a warning in Firefox 38 or a hard block, I haven't researched that.)
Oh, okay. During this discussion, in desperation before I had any idea of a solution I had installed the Beta version (38) on Windows Home. That's why I now see security.tls.unrestricted_rc4_fallback there. But that's the only difference in tls settings I can see.
Hmm, I don't know why your Windows 7 Pro Firefox 37 didn't have the same objections as your home system (and as my system).
Well, if it shows up in the future I guess I know what to do. I just rebooted the 'Pro system for another reason and it still works. Thanks.
I'm running FF 37.0.2 under Mac OS 10.10.3, and whenever I try to access 23andme.com, I get a "Secure Connection Failed" error. I added the domain to the security.tls.insecure_fallback_hosts string, but still get the error.
Open this chrome URI by pasting or typing this URI in the location/address bar to open the "Add Security Exception" window and check the certificate:
- chrome://pippki/content/exceptionDialog.xul
In the location field type/paste the URL of the website:
https://23andme.com
- retrieve the certificate via the "Get certificate" button
- inspect the certificate via the "View..." button
Many thanks. When I try that procedure, I am told "no information available".
I see this information in the certificate viewer.
You can check the connection settings.
- Firefox > Preferences > Advanced > Network : Connection > Settings
- https://support.mozilla.org/kb/Options+window+-+Advanced+panel
If you do not need to use a proxy to connect to internet then try to select "No Proxy" if "Use the system proxy settings" or one of the others do not work properly.
Try to disable IPv6 (check for other possible causes as well).
I'm not using a proxy. I tried disabling IPv6 and prefetching using the about:config flags, but still the problem persists. This is the only website I haven't been able to access using FF. I can access the website without trouble using Safari and Chrome.
At this point, I have to conclude that there's a bug or, equivalently, unintended feature in FF that is stopping me.
Try to rename the cert8.db file (cert8.db.old) and delete the cert_override.txt file in the Firefox profile folder to remove intermediate certificates and exceptions that Firefox has stored.
If that has helped to solve the problem then you can remove the renamed cert8.db.old file. Otherwise you can rename (or copy) the cert8.db.old file to cert8.db to restore the previously stored intermediate certificates. Firefox will automatically store intermediate certificates when you visit websites that send such a certificate.
If that didn't help then remove or rename secmod.db (secmod.db.old) as well.
You can use this button to go to the currently used Firefox profile folder:
- Help > Troubleshooting Information > Profile Directory: Show Folder (Linux: Open Directory; Mac: Show in Finder)
- http://kb.mozillazine.org/Profile_folder_-_Firefox
No dice. I renamed both cert8.db and secmod.db and restarted, but still can't access 23andme.com.