SSL_ERROR_ACCESS_DENIED_ALERT Improperly reported and can't be bypassed
My question seems to be similar to this one: https://support.mozilla.org/en-US/questions/1162567 The resolution of that problem doesn't apply to my problem however.
When trying to access a number of websites: https://awesomewm.org/ https://linux.die.net/ (etc)
The page reports an SSL_ERROR_ACCESS_DENIED_ALERT as shown in the attached screenshot. All solutions I've found pre-suppose I'm missing certificates, and being on a Windows machine in a corporate environment that proxys the SSL connections to MTM them, I assumed that as well. I'm able to reach these sites without problem in both Chrome and IE11.
I first tried setting the security.enterprise_roots.enabled in Firefox about:config to true, restarted, and no effect. I exported all trusted certificates from my Windows Credential store, and successfully imported them into Firefox as Authorities, but restarting Firefox and trying again didn't solve the problem. I tried renaming the SiteSecurityServiceState.txt in my profile directory to something else, as suggested by the similar support issue, restarted and it still didn't work. I tried to "Forget about this site" as the other support issue recommends, but the site doesn't appear in my history. I tried clearing my cached content and restarting. No effect. I checked for any similar variants in my Site Data in the Firefox settings, they don't appear there. I tried shutting down Firefox and deleting my cert8.db from my profile directory and restarting Firefox. No effect.
I started Firefox in Safe Mode, and it worked. So I manually disabled all my Add Ons, restarted Firefox, and it's not working again.
I wiped all my cookies and restart Firefox, no effect.
Summary: It seems the error is erroneous since I'm not getting errors about the certificates being rejected/invalid, but about the content from the server after its identity has already been validated being wrong. It goes away in Safe Mode, but is unrelated to Add-Ons. I have no record of the problematic site in any of my other user data that I can find.
How do I get it to stop producing this error and allow me to reach these sites?
Modified by TinyTankPU
Chosen solution
Well I don't know what happened, but the exact same corporate environment that didn't work yesterday with the 57 beta is now working today with the released 57. All the sites that were problematic, now work fine. I have all add-ons enabled as I would normally. There shouldn't be a difference between the 57 beta from yesterday and the 57 release today, but it seems there is something different.
Solution: Switch to a release version.
Not really a solution, but the only thing that's worked.
Read this answer in context 👍 0All Replies (11)
This error code doesn't come up here very often. When I research this code, it corresponds to:
RFC 5246: access_denied
A valid certificate was received, but when access control was applied, the sender decided not to proceed with negotiation. This message is always fatal.
One bug report indicated this is an alert from the server side of the transaction, suggesting the server received something inappropriate or incorrect from Firefox (or an intermediary) in the transaction. Hmm... like what? So hard to find good documentation.
The Safe Mode test is interesting. Other than disabling extensions, Safe Mode doesn't make a lot of changes that would seem related. ??
One other thing you might try:
New Profile Test
This takes about 3 minutes, plus the time to test your sites.
Inside Firefox, type or paste about:profiles in the address bar and press Enter/Return to load it.
Click the Create a New Profile button, then click Next. Assign a name like Oct2017, ignore the option to relocate the profile folder, and click the Finish button.
After creating the profile, scroll down to it and click the Set as default profile button below that profile, then scroll back up and click the Restart normally button. (There are some other buttons, but please ignore them.)
Firefox should exit and then start up using the new profile, which will just look brand new.
Do your sites work any better in the new profile?
Does the effect persist if your exit Firefox and start it up again normally?
When you are done with the experiment, open the about:profiles page again, click the Set as default profile button for your normal profile, then click the Restart normally button to get back to it.
You can check for problems with preferences.
Delete possible user.js and numbered prefs-##.js files and rename/remove the prefs.js file to reset all prefs to the default value including prefs set via user.js and prefs that are no longer supported in current Firefox releases.
You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.
- Help -> Troubleshooting Information -> Profile Directory:
Windows: Show Folder; Linux: Open Directory; Mac: Show in Finder - http://kb.mozillazine.org/Profile_folder_-_Firefox
jscher2000 said
This error code doesn't come up here very often. When I research this code, it corresponds to: RFC 5246: access_deniedA valid certificate was received, but when access control was applied, the sender decided not to proceed with negotiation. This message is always fatal.One bug report indicated this is an alert from the server side of the transaction, suggesting the server received something inappropriate or incorrect from Firefox (or an intermediary) in the transaction. Hmm... like what? So hard to find good documentation.
The Safe Mode test is interesting. Other than disabling extensions, Safe Mode doesn't make a lot of changes that would seem related. ??
One other thing you might try:
New Profile Test
This takes about 3 minutes, plus the time to test your sites.
Inside Firefox, type or paste about:profiles in the address bar and press Enter/Return to load it.
Click the Create a New Profile button, then click Next. Assign a name like Oct2017, ignore the option to relocate the profile folder, and click the Finish button.
After creating the profile, scroll down to it and click the Set as default profile button below that profile, then scroll back up and click the Restart normally button. (There are some other buttons, but please ignore them.)
Firefox should exit and then start up using the new profile, which will just look brand new.
Do your sites work any better in the new profile?
Does the effect persist if your exit Firefox and start it up again normally?
When you are done with the experiment, open the about:profiles page again, click the Set as default profile button for your normal profile, then click the Restart normally button to get back to it.
I did exactly what you described, and it didn't change anything. I created a brand new profile and restarted normally, I then immediately went directly to the first link that's problematic (it's still working in Chrome and IE), and it gives the same error.
Do you use a proxy? You can check that here:
- Windows: "3-bar" menu button (or Tools menu) > Options
- Mac: "3-bar" menu button (or Firefox menu) > Preferences
- Linux: "3-bar" menu button (or Edit menu) > Preferences
- Any system: type or paste about:preferences into the address bar and press Enter/Return to load it
Firefox 56-57: In the search box at the top of the page on the right side, type proxy and Firefox should filter to the "Settings" button, which you can click.
Firefox 38-55: In the left column, click Advanced. Then on the right side, with the "Network" mini-tab active, click the "Settings" button.
In All Versions: The default of "Use system proxy settings" piggybacks on your Windows/IE "LAN" setting. "Auto-detect" can lead to a flaky connection. You may want to try "No proxy".
Any difference?
Modified by jscher2000 - Support Volunteer
cor-el said
You can check for problems with preferences. Delete possible user.js and numbered prefs-##.js files and rename/remove the prefs.js file to reset all prefs to the default value including prefs set via user.js and prefs that are no longer supported in current Firefox releases. You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.
- Help -> Troubleshooting Information -> Profile Directory:
Windows: Show Folder; Linux: Open Directory; Mac: Show in Finder- http://kb.mozillazine.org/Profile_folder_-_Firefox
I tried what you suggested. From the about:profiles page I opened both the root and local profile directories via the associated buttons. The Root location was the only one with either a prof.js or a user.js, having only a prof.js.
I shut down Firefox, renamed it to prof.js.old, then opened Firefox again. When it came up, it had obviously lost my preferences (as intended), but going to the websites still doesn't work and produces the same errors.
Modified by TinyTankPU
jscher2000 said
Do you use a proxy? You can check that here:Firefox 56-57: In the search box at the top of the page on the right side, type proxy and Firefox should filter to the "Settings" button, which you can click. Firefox 38-55: In the left column, click Advanced. Then on the right side, with the "Network" mini-tab active, click the "Settings" button. In All Versions: The default of "Use system proxy settings" piggybacks on your Windows/IE "LAN" setting. "Auto-detect" can lead to a flaky connection. You may want to try "No proxy". Any difference?
- Windows: "3-bar" menu button (or Tools menu) > Options
- Mac: "3-bar" menu button (or Firefox menu) > Preferences
- Linux: "3-bar" menu button (or Edit menu) > Preferences
- Any system: type or paste about:preferences into the address bar and press Enter/Return to load it
I know there's actually a proxy on the network that's proxying all outgoing network activity from my corporate network, and that's not something I can bypass. That's the reason I initially assumed my problem was a certificate issue.
I did what you suggested and set it to No Proxy in the Firefox settings instead of Use System Settings. After restarting Firefox, it still didn't fix the problem.
Modified by TinyTankPU
Sorry, you did mention the proxy originally. So we still have:
- Firefox Safe Mode - those sites work
- Regular Mode with extensions disabled, no proxy - error
- New profile - error
I'm out of ideas for now.
I just had a chance to test the same sites with the same version of the browser but outside the corporate network that proxys SSL connections. It works fine as long as it doesn't need to go through a proxy.
The results suggest that Firefox specifically is either 1) performing more stringent SSL content checks than other browsers and only when not in Safe Mode while the SSL proxy is causing these issues, or 2) there's a bug in the SSL content checking of the Firefox browser that only occurs when not in Safe Mode while my proxy happens to trigger the problem.
Is there further investigation I can do to figure out what is failing? Is there a detailed real-time debug output I can pull?
Maybe try a HTTP log.
cor-el said
Maybe try a HTTP log.
I just got a minor Beta update to Firefox and the websites that were working in Safe Mode no longer work in Safe Mode.
It took me a while, but I eventually got time to grab the HTTP log. After a few times running the logging and examining the output, I ended up having to create a new profile, delete the existing one, and refresh Firefox, then run in Safe Mode to eliminate as much cruft as possible. I've posted the log of the failure (https://pastebin.com/wZkhcmmz) when absolutely nothing else is going on.
Having examined the log myself, it appears that one line 734 nsSocketTransport calls PR_Write, which then returns an error [n=-1] on line 735. This causes line 736 to report ErrorAccordingToNSPR. It seems to give this two more tries (again on lines 830 and 854), but then the rest is logging of the failure handling cascading to the user.
I can't figure out what module the PR_Read is in to enable additional logging for that module specifically (if that's possible).
Chosen Solution
Well I don't know what happened, but the exact same corporate environment that didn't work yesterday with the 57 beta is now working today with the released 57. All the sites that were problematic, now work fine. I have all add-ons enabled as I would normally. There shouldn't be a difference between the 57 beta from yesterday and the 57 release today, but it seems there is something different.
Solution: Switch to a release version.
Not really a solution, but the only thing that's worked.
Modified by TinyTankPU