X
Tap here to go to the mobile version of the site.
Your Firefox is out of date and may contain a security risk! Upgrade Firefox

Support Forum

Why does my web site give me the following "error code" when the pki credentials are requested: ssl_error_renegotiation_not_allowed?

Posted

I have a Web Site with PKI authentication working well on Firefox 3.*, but when I use Firefox 4.* Beta versions I get an SSL error whit the following message: "Renegotiation is not allowed on this SSL socket" and this error code: "ssl_error_renegotiation_not_allowed". I've googled the issue and went all over the web but without results.

URL of affected sites

https://www.centraldirecto.fi.cr/sitio/AutCertificados/FirmarAcuerdoUso.aspx

Additional System Details

Installed Plug-ins

  • -Google Update
  • Shockwave Flash 10.1 r53
  • iTunes Detector Plug-in
  • 3.0.50106.0
  • Windows Presentation Foundation (WPF) plug-in for Mozilla browsers
  • 1.5
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Next Generation Java Plug-in 1.6.0_20 for Mozilla browsers
  • Adobe PDF Plug-In For Firefox and Netscape
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • DRM Netscape Network Object
  • Npdsplay dll
  • DRM Store Netscape Plugin

Application

  • User Agent: Mozilla/5.0 (Windows; Windows NT 5.1; rv:2.0b2) Gecko/20100720 Firefox/4.0b2 (.NET CLR 3.5.30729)

More Information

Papnase 0 solutions 1 answers

Helpful Reply

To enable SSL renegotiation you need to point your browser to about:config. After confirming that you know what you are doing, you need to search for:

   security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref

and set it to true. After this you should be able to access the site.

Source: http://dotomaz.tumblr.com/post/786443743/firefox-4-0b1-and-ssl-renegotiation

asgerhansen 0 solutions 1 answers

https://job.jobnet.dk/CV/LoginCertificate.aspx this page have it to

jbethke 0 solutions 1 answers

This surfaced for me on the default domain when using a wildcard certificate for multiple sub-domains on a single IP. IIS7 on Win08. Host header routing was working fine for all other sub-domains.

I resolved it by creating a separate default domain as the catch-all for requests on 443, and then using the specific host header for my prior default domain. This causes the browser to renegotiate with a second site, rather than the same site twice. No config changes were needed in FireFox.

John 0 solutions 6 answers

Helpful Reply

Sorry, that's the wrong answer. Setting security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref to "true" is not safe. This is explained at https://wiki.mozilla.org/Security:Renegotiation. Instead, you should change security.ssl.renego_unrestricted_hosts in the about:config dialogue to include the name of the website you are trying to reach, for example: webmail.example.com. For every additional site you have this problem with, you should add the url to the string, preceded by a comma, for example: webmail.example.com, mail.example.com. Do this ONLY for websites you know and trust. DO NOT CHANGE security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref to true. If you do, and your identity gets stolen, well, you were warned here. Furthermore, if you are doing this, you should also change security.ssl.treat_unsafe_negotiation_as_broken to true. This will give you a broken padlock indication whenever you visit a site that you have specifically allowed but that is using the old security negotiation scheme. Finally, you should contact the webmaster of the site you are accessing that is giving you the problem and tell them that they need to update their SSL/TLS protocol. The reason for this is all contained here at: https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken.

cor-el
  • Top 10 Contributor
  • Moderator
10746 solutions 96695 answers

You should contact website servers that have this problem and ask them to fix their servers.

You can link them to:

mou123 0 solutions 1 answers

how do i do that?