Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

MediaWiki 1.35 login fails with "Secure Connection Failed" and no error code (HTTP/2 related?)

  • 7 replies
  • 1 has this problem
  • 9 views
  • Last reply by jered

more options

[Update: This works correctly with HTTP/2 disabled, so it is somehow HTTP/2 related. Firefox's partner is terminated with ATS 8.0.2, so this is most likely an interaction with Traffic Server, but debugging help is still needed.]

I recently upgraded from Mediawiki 1.31 to 1.35 on Debian 10. Since this upgrade, attempts to log in with Firefox are impossible -- Safari and Chrome work fine. Firefox 96.0 displays the attached error "Secure Connection Failed" but no security error is provided. This seems to be a defect in Firefox, but I am having difficulty diagnosing further.

Looking at both server trace logs as well as the Firefox debugging tools, I see Firefox does an expected POST request to the login page:

 POST https://newwiki.convivian.com/mediawiki/index.php?title=Special:UserLogin&returnto=Main Page

The MediaWiki server replies with a 302 Found and redirect to the Main Page on successful login, but Firefox considers this response insecure on some way that is not indicated. The "Security" tab in DevTools shows no security errors on the transaction.

I am able to reproduce this on multiple machines running Firefox 96.0, as well as with Troubleshooting Mode enabled. No errors occur with other tested browsers.

Is there a way to extract further debugging information from the browser?

Attached screenshots

Modified by jered

All Replies (7)

more options

Unfortunately, there is no explanatory code on that error page which would be linked to a defect in the connection parameters, etc.

If you try the identical URL without it being a redirect, any difference in accessing it?

Helpful?

more options

The 302 Redirect sets cookies to confirm a logged-in state (which are discarded due to this error), so going to the redirect page (https://newwiki.convivian.com/wiki/Main_Page) just results in a login request again.

I can give you a login to this wiki instance (it's empty) if you have better tools than I do; I just don't want to post the credentials publicly. :-) You can PM me here, or mail jered@convivian.com and I'll give you a test account.

It's clearly both 1) a Firefox issue, and 2) a server-side config matter that is tickling that issue -- I'd rather fix #2 first....

Helpful?

more options

Firefox 96 turned on some new cookie-related features which can affect authentication, especially across related sites or between HTTP and HTTPS:

Helpful?

more options

Hmm; interesting, but I don't think this is the issue here. The schema is https and the host doesn't change during the login process, so these cookie restrictions shouldn't be the issue (and even if so shouldn't produce the error in the screenshot above). It's really mystifying! Perhaps there's some way to enable more logging at the NSS layer on the client side?

Helpful?

more options

More data: Disabling HTTP/2 causes things to work normally.

Helpful?

more options

jered said

More data: Disabling HTTP/2 causes things to work normally.

This one? network.http.spdy.enabled.http2

Normally, if a server doesn't support HTTP/2, Firefox falls back to HTTP/1.1 without mentioning it. I'm connecting to the index page with 1.1. Of course, it says "Login required" so I guess the issue arises during the login process for some reason.

Here's the MDN page on logging: https://developer.mozilla.org/docs/Mozilla/Debugging/HTTP_logging

Helpful?

more options

Yup; that setting. I suspect this is an incompatibility between Firefox 96 and my version of ATS -- disabling HTTP/2 on the server side also (unsurprisingly) resolves it.

The logging page is helpful, thank you! I'll try that and also see if upgrading ATS resolves things.

Helpful?

Ask a question

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.