Why does my web site give me the following "error code" when the pki credentials are requested: ssl_error_renegotiation_not_allowed?
I have a Web Site with PKI authentication working well on Firefox 3.*, but when I use Firefox 4.* Beta versions I get an SSL error whit the following message: "Renegotiation is not allowed on this SSL socket" and this error code: "ssl_error_renegotiation_not_allowed". I've googled the issue and went all over the web but without results.
URL of affected sites
Additional System Details
- -Google Update
- Shockwave Flash 10.1 r53
- iTunes Detector Plug-in
- Windows Presentation Foundation (WPF) plug-in for Mozilla browsers
- NPRuntime Script Plug-in Library for Java(TM) Deploy
- Next Generation Java Plug-in 1.6.0_20 for Mozilla browsers
- Adobe PDF Plug-In For Firefox and Netscape
- The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
- DRM Netscape Network Object
- Npdsplay dll
- DRM Store Netscape Plugin
- User Agent: Mozilla/5.0 (Windows; Windows NT 5.1; rv:2.0b2) Gecko/20100720 Firefox/4.0b2 (.NET CLR 3.5.30729)
To enable SSL renegotiation you need to point your browser to about:config. After confirming that you know what you are doing, you need to search for:
and set it to true. After this you should be able to access the site.
https://job.jobnet.dk/CV/LoginCertificate.aspx this page have it to
This surfaced for me on the default domain when using a wildcard certificate for multiple sub-domains on a single IP. IIS7 on Win08. Host header routing was working fine for all other sub-domains.
I resolved it by creating a separate default domain as the catch-all for requests on 443, and then using the specific host header for my prior default domain. This causes the browser to renegotiate with a second site, rather than the same site twice. No config changes were needed in FireFox.
Sorry, that's the wrong answer. Setting security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref to "true" is not safe. This is explained at https://wiki.mozilla.org/Security:Renegotiation. Instead, you should change security.ssl.renego_unrestricted_hosts in the about:config dialogue to include the name of the website you are trying to reach, for example: webmail.example.com. For every additional site you have this problem with, you should add the url to the string, preceded by a comma, for example: webmail.example.com, mail.example.com. Do this ONLY for websites you know and trust. DO NOT CHANGE security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref to true. If you do, and your identity gets stolen, well, you were warned here. Furthermore, if you are doing this, you should also change security.ssl.treat_unsafe_negotiation_as_broken to true. This will give you a broken padlock indication whenever you visit a site that you have specifically allowed but that is using the old security negotiation scheme. Finally, you should contact the webmaster of the site you are accessing that is giving you the problem and tell them that they need to update their SSL/TLS protocol. The reason for this is all contained here at: https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken.
You should contact website servers that have this problem and ask them to fix their servers.
You can link them to:
- https://bugzilla.mozilla.org/show_bug.cgi?id=526689 Bug 526689 – SSL3 & TLS Renegotiation Vulnerability
how do i do that?