"Secure Connection Failed" on www.pandora.com
When I browse to https://www.pandora.com/ I get the "Secure Connection Failed" error with exactly the same text as in the screenshot at https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
This is a really poor error message. It tells me nothing about what's actually wrong and how to fix it. WHY did the secure connection fail? Is there any way to find this out?
The site gets an A- from SSL labs https://www.ssllabs.com/ssltest/analyze.html?d=www.pandora.com&lates... and definitely supports TLS 1.2, so I'm pretty sure the problem is with Firefox and not with Pandora, but the error message is horrible regardless.
Additional System Details
- User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
What is your computer system and Firefox?
There is security software like Avast, Kaspersky, BitDefender and ESET that intercepts secure connections and sends its own certificate.
Windows 7, Firefox 49.0.2. It seems to be an extension problem. I use FoxyProxy to access Pandora. If I disable that extension I can connect to the site successfully. If I enable it I get that error message. However, if I clear "Site preferences" under Clear History and then browse to "www.pandora.com" (without "https://") it works once again... for a while. I've tried this several times now. I'll report this to the FoxyProxy team.
Please keep us posted.
Follow-up: this is not related to FoxyProxy at all, but seems to be related to proxy authentication. Here's a better description of the problem.
Firefox 49.0.2 running on Windows 7, all extensions disabled. I've cleared all history (cache, site preferences, etc.). I have an HTTP proxy configured (Manual Proxy Configuration, "Use this proxy server for all protocols" checked).
If I browse to an HTTPS site after starting Firefox before browsing to an HTTP (non-SSL) site the status bar quickly changes between "Looking up (host)...", "Connecting to (host)..." and "Waiting for (host)..." several times and then shows the "Secure Connection Failed" page, as in the screenshot on https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
My proxy server requires HTTP authentication and Firefox does not even prompt for a username and password at this point. I control the proxy server and can see in its logs that there are no connection attempts yet.
If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal. It doesn't have to be the same site, e.g. I can browse to http://www.yahoo.com/ and then https://www.microsoft.com/ will work. However, if I cancel the proxy credentials prompt the issue continues. It takes a successful HTTP connection to make HTTPS work.
If I turn off authentication on the proxy server the issue does not occur (but I don't want to leave it open to the world permanently).
I've tried setting network.automatic-ntlm-auth.allow-proxies and network.negotiate-auth.allow-proxies to false and that didn't help.
I called for more help.
If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal
Can you set such a site as your home page?
- What happens if you uncheck "Use this proxy server for all protocols"?
- What happens if you add a boolean pref called network.negotiate-auth.allow-insecure-ntlm-v1 and set it to true?
- Do things work as expected without these suggestions and when using a current nightly?
- What type of proxy is used (brand / party)?
FMX1 said: If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal
Can you set such a site as your home page?
I can, but I have to also manually reload it every time, otherwise it's just served from the cache and doesn't work around the problem. Not ideal.
- What happens if you uncheck "Use this proxy server for all protocols"?
If I manually set the same proxy for HTTP and SSL - the same thing. If I use the proxy for HTTP only then, of course, the problem doesn't occur, but then I can't listen to Pandora, either. :)
- What happens if you add a boolean pref called network.negotiate-auth.allow-insecure-ntlm-v1 and set it to true?
No change - as expected, since the proxy doesn't use NTLM.
- Do things work as expected without these suggestions and when using a current nightly?
The nightly actually works if I have that proxy configured for both HTTP and SSL! But if I configure the proxy for SSL only the issue continues to occur. So I think the only reason it works is that the nightly automatically opens a tab to mozilla.org, which it loads via HTTP, so in effect it automatically applies the workaround I've found, but does not actually fix the problem.
- What type of proxy is used (brand / party)?
It's a Polipo proxy.
If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal.
It takes a successful HTTP connection to make HTTPS work.
Are you sure HTTPS authentication should be able to work in Polipo? I’m not. :)
I searched for some keywords and found the quote "Polipo currently only implements the most insecure form of authentication, HTTP basic authentication, which sends usernames and passwords in clear over the network." in its manual. This may be no news, but that means HTTP authentication is just a prerequisite for Polipo, not Firefox. In order to meet that, you should tell Firefox to use HTTP even for HTTPS requests (probably explaining why Polipo logs see no requests at all), and then switch back. I think that would be rather special, and not worth the effort investigating.
Polipo is also rather old and no longer maintained, so you might want to switch to some other proxy if HTTPS authentication is important, unless you are able to trick it, but you might run into other limitations when "parent proxies" are involved. Or you could just drop the authentication.
This question on its mailing list archive may also interest you.
You could be right, because disabling authentication in Polipo makes the problem disappear, like I said. Something must have changed in Firefox recently, though, because I've been running with the exact same setup for years and it was working fine. Also, Firefox should really handle the failure to connect much better than it does.
Still, this gives me a possible way to fix the issue, so thank you. I'll look around for an alternative to Polipo. Tell me if you have any recommendations.
Modified by FMX1
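
Added example, not part of the thread: a small Python check of what an authenticating HTTP proxy answers to the CONNECT request a browser sends for an HTTPS site, which is the step that fails in the reports above. The function names and the sample replies are constructed for illustration, and `probe` is meant to be pointed at a proxy you control.

```python
import base64
import socket

def build_connect(target, creds=None):
    """Build the CONNECT request a browser sends to an HTTP proxy for an HTTPS site."""
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if creds:  # Basic scheme (named in the Polipo manual quote): base64("user:password")
        token = base64.b64encode(":".join(creds).encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def parse_proxy_reply(raw):
    """Return (status_code, [offered auth schemes], verdict) for a proxy reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return (None, [], "not an HTTP reply")
    status = int(parts[1])
    schemes = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    if 200 <= status < 300:
        verdict = "tunnel established"
    elif status == 407 and schemes:
        verdict = "credentials required; client can prompt"
    elif status == 407:
        verdict = "407 without Proxy-Authenticate; client cannot prompt"
    else:
        verdict = "tunnel refused"
    return (status, schemes, verdict)

def probe(proxy_host, proxy_port, target, creds=None, timeout=5):
    """Send one CONNECT to a proxy you control and classify the first bytes of its reply."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect(target, creds))
        return parse_proxy_reply(s.recv(4096))

# Constructed sample replies (not captured from Polipo or from the thread).
SAMPLE_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b"Proxy-Authenticate: Basic realm=\"example\"\r\n\r\n")
SAMPLE_200 = b"HTTP/1.1 200 Connection established\r\n\r\n"
```

Running `probe` with and without `creds` while watching the proxy log shows whether the CONNECT reaches the proxy at all and which challenge it returns.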