Add security exception option is showing up
So we installed a certificate on our webapp server to enable ssl and after installing it, the ssl enabled url is opening in chrome and IE, just fine, but not in Firefox. Even the option to add security exception is not showing but the page just says "Secure Connection Failed" Here's what we have tried so far. 1. In about:config,
a. change the security.tls.insecure_fallback_hosts =vzdrm.companyname.com b. Change security.ssl.enable_ocsp_stapling to false
2. Install the certificate from the server to the local machine in Firefox's "your certificates" Tab. As shown in the picture.
There's something wierd thing happened and I am not totally sure what iworked. So I installed fiddler trace on one of the VM sandboxes to see what's going on, and when I started it, it gave me a warning saying something like "HTTPS traffic decryption option is disabled. Click here to enable it". When I did it, it asked me that it would like to install a root certificate. Right after I did it and tried loading the webapp url again, it loaded fine and even the option to 'add security exception' came up. I see that in the Firefox's certificate manager(servers tab), it shows the fiddler certicate is installed. I thought may be if I try to manually install this certificate in the servers tab, it may work in my local machine but I dont see an option to import certificate in the server tab. I would appreciate any input on this.
All Replies (10)
Below are the screenshots.
In your second screenshot, is that the same subdomain as the problem page? If you click the gray lock with the yellow warning triangle, can you figure out why it's not a green lock? Sometimes it's a weak cipher, and other times it's mixed (HTTP) display content in the page.
The "Secure Connection Failed" page typically has scanty information about the problem. If the padlock appeared normally, it could be taken to mean "connection failed," but yours doesn't have any kind of padlock. Does anything in the following article help:
Secure connection failed and Firefox did not connect
I installed fiddler trace on one of the VM sandboxes to see what's going on, and when I started it, it gave me a warning saying something like "HTTPS traffic decryption option is disabled. Click here to enable it". When I did it, it asked me that it would like to install a root certificate. Right after I did it and tried loading the webapp url again, it loaded fine and even the option to 'add security exception' came up. I see that in the Firefox's certificate manager(servers tab), it shows the fiddler certicate is installed. I thought may be if I try to manually install this certificate in the servers tab, it may work in my local machine but I dont see an option to import certificate in the server tab. I would appreciate any input on this.
It would only be useful to install the Fiddler certificate on your local machine if you plan to run Fiddler on it. That shouldn't be necessary.
If you test your server on this page, does it show that their Firefox test machines can connect?
https://www.ssllabs.com/ssltest/
If their Firefoxes can connect, yours also should be able to connect. If they can't, there hopefully is an explanation of the problem.
This is what more information page is saying.
Your Page Info dialog lists the full URL, by the way, in case you want to remove/edit that.
The DO_NOT_TRUST issuer is typical of the Fiddler Root signing certificate, so is that screenshot from your VM or your local system? The cipher information looks favorable, so the warning triangle probably relates to mixed display content in the page.
Note that on the Server you can only add a security exception (the Add Exception button in this tab opens the same window as the button found on the error page and the chrome uri). If you need to import a certificate then you need to use one of the tabs that show this button.
If pages are loaded in an (i)frame then you may also not be able to add an exception. You can check the latter via the right-click context menu.
@jscher2000 The screenshot is from VM. Also, its an internal server so I don't see it showing up on the ssl test website.
If you test your server on this page, does it show that their Firefox test machines can connect?
https://www.ssllabs.com/ssltest/
If their Firefoxes can connect, yours also should be able to connect. If they can't, there hopefully is an explanation of the problem.
@cor-el
I am not exactly sure what you are referring to. Can you pleasecor-el said
Note that on the Server you can only add a security exception (the Add Exception button in this tab opens the same window as the button found on the error page and the chrome uri). If you need to import a certificate then you need to use one of the tabs that show this button. If pages are loaded in an (i)frame then you may also not be able to add an exception. You can check the latter via the right-click context menu.
send a screenshot, if you can.
If you cannot use the SSLLabs diagnostic, there may be some other tool you can use to see what cipher suites are reported to browsers as enabled on the server so you can check whether Firefox supports any of them.
I used the below script and this is the output I am getting. I know something's wrong as it is displaying unknown response for each of them. Here's the script I used. https://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers jscher2000 said
If you cannot use the SSLLabs diagnostic, there may be some other tool you can use to see what cipher suites are reported to browsers as enabled on the server so you can check whether Firefox supports any of them.
The first line mentions a library from 2008, so perhaps there's a way to get a newer script that can probe for more modern ciphers?