X
Tap here to go to the mobile version of the site.

Support Forum

Version 37.0.1 - Secure Connection failed.

Posted

Started getting Secure Connection failed with Version 37.0.1. The site has SHA-2 certificates TLS 1.0 disabled and TLS 1.1 and 1.2 enabled. SLS 3.0 is also enabled.

We've got a "B" rating with https://www.ssllabs.com/ssltest/analyze.html.

What would be causing this problem and how might it best be resolved?

Started getting Secure Connection failed with Version 37.0.1. The site has SHA-2 certificates TLS 1.0 disabled and TLS 1.1 and 1.2 enabled. SLS 3.0 is also enabled. We've got a "B" rating with https://www.ssllabs.com/ssltest/analyze.html. What would be causing this problem and how might it best be resolved?

Additional System Details

Installed Plug-ins

  • Adobe PDF Plug-In For Firefox and Netscape 11.0.10
  • Citrix Online App Detector Plugin
  • plugin
  • GEPlugin
  • Google Update
  • Intel web components updater - Installs and updates the Intel web components
  • Intel web components for Intel® Identity Protection Technology
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • Office Authorization plug-in for NPAPI browsers
  • Shockwave Flash 17.0 r0
  • Yahoo Application State Plugin version 1.0.0.7

Application

  • Firefox 37.0.1
  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
  • Support URL: https://support.mozilla.org/1/firefox/37.0.1/WINNT/en-US/

Extensions

  • Adblock Plus 2.6.9 ({d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d})
  • Clear Cache Button 0.9f ({563e4790-7e70-11da-a72b-0800200c9a66})
  • E-Web Print 1.19.00 (e-webprint@epson.com)
  • Firebug 2.0.9 (firebug@software.joehewitt.com)
  • Avast Online Security 10.2.0.187 (wrc@avast.com) (Inactive)
  • FiddlerHook 2.4.8.3 (fiddlerhook@fiddler2.com) (Inactive)

Javascript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription: Intel(R) HD Graphics 4000
  • adapterDescription2:
  • adapterDeviceID: 0x0166
  • adapterDeviceID2:
  • adapterDrivers: igdumd64 igd10umd64 igd10umd64 igdumd32 igd10umd32 igd10umd32
  • adapterDrivers2:
  • adapterRAM: Unknown
  • adapterRAM2:
  • adapterSubsysID: 397717aa
  • adapterSubsysID2:
  • adapterVendorID: 0x8086
  • adapterVendorID2:
  • direct2DEnabled: True
  • directWriteEnabled: True
  • directWriteVersion: 6.2.9200.16571
  • driverDate: 12-12-2012
  • driverDate2:
  • driverVersion: 9.17.10.2932
  • driverVersion2:
  • info: {u'AzureCanvasBackend': u'direct2d 1.1', u'AzureFallbackCanvasBackend': u'cairo', u'AzureContentBackend': u'direct2d 1.1', u'AzureSkiaAccelerated': 0}
  • isGPU2Active: False
  • numAcceleratedWindows: 1
  • numTotalWindows: 1
  • webglRenderer: Google Inc. -- ANGLE (Intel(R) HD Graphics 4000 Direct3D11 vs_5_0 ps_5_0)
  • windowLayerManagerRemote: True
  • windowLayerManagerType: Direct3D 11

Modified Preferences

Misc

  • User JS: No
  • Accessibility: No
user293 39 solutions 279 answers

What is the address of your site?

What is the address of your site?
cor-el
  • Top 10 Contributor
  • Moderator
17521 solutions 158427 answers

Can you post a link or the domain, so we can check the certificate?

What happens if you add the domain to the security.tls.insecure_fallback_hosts pref?

Did you check the Browser Console (Firefox/Tools > Web Developer) for error messages?

Note that SSL3 shouldn't be used these days and signing with SHA-256 is preferred.


The website may try to fallback to TLS 1.0 in a way that is no longer allowed in current releases or may be using or offering deprecated cipher suites.

You can open the about:config page via the location/address bar and use its search bar to locate this pref:

  • security.tls.insecure_fallback_hosts

You can double-click the line to modify the pref and add the full domain to this pref. If there are already websites (domains) in this list then add a comma and the new domain (no spaces). You should only see domains separated by a comma in the value column.


Can you post a link or the domain, so we can check the certificate? What happens if you add the domain to the security.tls.insecure_fallback_hosts pref? Did you check the Browser Console (Firefox/Tools > Web Developer) for error messages? *https://developer.mozilla.org/Tools/Browser_Console Note that SSL3 shouldn't be used these days and signing with SHA-256 is preferred. *https://wiki.mozilla.org/Security/Server_Side_TLS ---- The website may try to fallback to TLS 1.0 in a way that is no longer allowed in current releases or may be using or offering deprecated cipher suites. You can open the <b>about:config</b> page via the location/address bar and use its search bar to locate this pref: *security.tls.insecure_fallback_hosts You can double-click the line to modify the pref and add the full domain to this pref. If there are already websites (domains) in this list then add a comma and the new domain (no spaces). You should only see domains separated by a comma in the value column. ---- *https://developer.mozilla.org/en-US/Firefox/Releases/36/Site_Compatibility#Security *https://developer.mozilla.org/en-US/Firefox/Releases/37/Site_Compatibility#Security
jscher2000
  • Top 10 Contributor
8758 solutions 71655 answers

If it's the domain matching your username, your ciphers are limited to RC4 ciphers. Starting in Firefox 36, this generated a warning icon in the address bar (exclamation triangle) as Firefox no longer considers it secure. However, I'm not sure what accounts for the more severe message you're getting now if the site supports TLS 1.2.

If it's the domain matching your username, your ciphers are limited to RC4 ciphers. Starting in Firefox 36, this generated a warning icon in the address bar (exclamation triangle) as Firefox no longer considers it secure. However, I'm not sure what accounts for the more severe message you're getting now if the site supports TLS 1.2.

Question owner

theswingsite said

Started getting Secure Connection failed with Version 37.0.1. The site has SHA-2 certificates TLS 1.0 disabled and TLS 1.1 and 1.2 enabled. SLS 3.0 is also enabled. We've got a "B" rating with https://www.ssllabs.com/ssltest/analyze.html. What would be causing this problem and how might it best be resolved?


'What happens if you add the domain to the security.tls.insecure_fallback_hosts pref? It works

It also works if I do the following Setting security.tls.version.fallback-limit to '0'

TLS 1.0 currently enabled for "server" no "client" registry entry


The Site is https://www.theswingsite.com

''theswingsite [[#question-1058196|said]]'' <blockquote> Started getting Secure Connection failed with Version 37.0.1. The site has SHA-2 certificates TLS 1.0 disabled and TLS 1.1 and 1.2 enabled. SLS 3.0 is also enabled. We've got a "B" rating with https://www.ssllabs.com/ssltest/analyze.html. What would be causing this problem and how might it best be resolved? </blockquote> '''What happens if you add the domain to the security.tls.insecure_fallback_hosts pref?'' It works It also works if I do the following Setting security.tls.version.fallback-limit to '0' TLS 1.0 currently enabled for "server" no "client" registry entry The Site is https://www.theswingsite.com

Question owner

theswingsite said

Started getting Secure Connection failed with Version 37.0.1. The site has SHA-2 certificates TLS 1.0 disabled and TLS 1.1 and 1.2 enabled. SLS 3.0 is also enabled. We've got a "B" rating with https://www.ssllabs.com/ssltest/analyze.html. What would be causing this problem and how might it best be resolved?


NOTE: This never happened in pre "37.0.0" releases, nor do other browsers have a problem.

''theswingsite [[#question-1058196|said]]'' <blockquote> Started getting Secure Connection failed with Version 37.0.1. The site has SHA-2 certificates TLS 1.0 disabled and TLS 1.1 and 1.2 enabled. SLS 3.0 is also enabled. We've got a "B" rating with https://www.ssllabs.com/ssltest/analyze.html. What would be causing this problem and how might it best be resolved? </blockquote> NOTE: This never happened in pre "37.0.0" releases, nor do other browsers have a problem.

Question owner

theswingsite said

Started getting Secure Connection failed with Version 37.0.1. The site has SHA-2 certificates TLS 1.0 disabled and TLS 1.1 and 1.2 enabled. SLS 3.0 is also enabled. We've got a "B" rating with https://www.ssllabs.com/ssltest/analyze.html. What would be causing this problem and how might it best be resolved?


One more piece of the puzzle. My Windows Server 2008R2 event log is showing.

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server

''theswingsite [[#question-1058196|said]]'' <blockquote> Started getting Secure Connection failed with Version 37.0.1. The site has SHA-2 certificates TLS 1.0 disabled and TLS 1.1 and 1.2 enabled. SLS 3.0 is also enabled. We've got a "B" rating with https://www.ssllabs.com/ssltest/analyze.html. What would be causing this problem and how might it best be resolved? </blockquote> One more piece of the puzzle. My Windows Server 2008R2 event log is showing. An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server
jscher2000
  • Top 10 Contributor
8758 solutions 71655 answers

theswingsite said

'What happens if you add the domain to the security.tls.insecure_fallback_hosts pref? It works It also works if I do the following Setting security.tls.version.fallback-limit to '0'

That does not work for me on your site (trying to login as user asdf). Not sure what's going on.

''theswingsite [[#answer-719805|said]]'' <blockquote> '''What happens if you add the domain to the security.tls.insecure_fallback_hosts pref?'' It works It also works if I do the following Setting security.tls.version.fallback-limit to '0'</blockquote> That does not work for me on your site (trying to login as user asdf). Not sure what's going on.

Question owner

theswingsite said

Started getting Secure Connection failed with Version 37.0.1. The site has SHA-2 certificates TLS 1.0 disabled and TLS 1.1 and 1.2 enabled. SLS 3.0 is also enabled. We've got a "B" rating with https://www.ssllabs.com/ssltest/analyze.html. What would be causing this problem and how might it best be resolved?


I attached an image of what IISCrypto is reporting .

''theswingsite [[#question-1058196|said]]'' <blockquote> Started getting Secure Connection failed with Version 37.0.1. The site has SHA-2 certificates TLS 1.0 disabled and TLS 1.1 and 1.2 enabled. SLS 3.0 is also enabled. We've got a "B" rating with https://www.ssllabs.com/ssltest/analyze.html. What would be causing this problem and how might it best be resolved? </blockquote> I attached an image of what IISCrypto is reporting .

Question owner

Any thoughts? Do FireFox developers respond here?

Nothing I try seems to resolve this problem.   I need to know WHAT changed in Version 37, as I've never had this problem in the last 8 years.
Any thoughts? Do FireFox developers respond here? Nothing I try seems to resolve this problem. I need to know WHAT changed in Version 37, as I've never had this problem in the last 8 years.
jscher2000
  • Top 10 Contributor
8758 solutions 71655 answers

Firefox developers generally do not monitor this forum.

I'm not very skilled at searching the bug database, but it appears there were approximately/at least 49 changes related to TLS in Firefox 37: https://bugzilla.mozilla.org/buglist.cgi?list_id=12203346&resolution=FIXED&query_format=advanced&component=Security%3A%20PSM&target_milestone=mozilla37&f2=cf_status_firefox37&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&limit=0

I can't tell which, if any, of those is causing the issue. There is a somewhat standard approach to tracking down problem change sets which is to look for a regression range, but this is somewhat time-consuming. See: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Mozmill/How_to_do_regression_testing

Firefox developers generally do not monitor this forum. I'm not very skilled at searching the bug database, but it appears there were approximately/at least 49 changes related to TLS in Firefox 37: https://bugzilla.mozilla.org/buglist.cgi?list_id=12203346&resolution=FIXED&query_format=advanced&component=Security%3A%20PSM&target_milestone=mozilla37&f2=cf_status_firefox37&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&limit=0 I can't tell which, if any, of those is causing the issue. There is a somewhat standard approach to tracking down problem change sets which is to look for a regression range, but this is somewhat time-consuming. See: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Mozmill/How_to_do_regression_testing