access to low 40-bit ciphers no longer works with Firefox 19.0
Since updating to 19.0 I have a problem accessing https servers with old, less-secure ciphers:
Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
I have used about:config to set security.ssl3.rsa_rc4_40_md5;true, which is how I got this to work for older versions of Firefox. It is still set to true after update to 19.0, but access no longer works.
Additional System Details
- Google Update
- Shockwave Flash 11.6 r602
- Next Generation Java Plug-in 10.13.2 for Mozilla browsers
- NPRuntime Script Plug-in Library for Java(TM) Deploy
- LogMeIn, Inc. Remote Access Components
- Adobe PDF Plug-In For Firefox and Netscape 10.1.5
- The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
- VLC media player Web Plugin 2.0.2
- Adobe Shockwave for Director Netscape plug-in, version 220.127.116.116
- Adobe Shockwave for Director Netscape plug-in, version 18.104.22.1689
- Garmin Communicator Plug-In 22.214.171.124
- The plug-in allows you to open and edit files using Microsoft Office applications
- Zeon PDF Plugin For Mozilla
- Office Authorization plug-in for NPAPI browsers
- Office Plugin for Netscape Navigator
- User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
That is the result of the landing of this bug:
- bug 799007 - Remove support for low/weak/null cipher suites
(please do not comment in bug reports: https://bugzilla.mozilla.org/page.cgi?id=etiquette.html)
I use Firefox to access the management ports of IBM pSeries p5 machines. These run a basic webserver and use https with low-security ciphers. They are not updateable to change this. Up until now, setting security.ssl3.rsa_rc4_40_md5;true has allowed me to continue to use Firefox to access these systems. With this "bug fix", actually a reduction in basic functionality, I can no longer do so. Our production servers are thus currently at risk. Any suggestions as to how I can get this necessary functionality back? Use some sort of "lite" browser just to access these management ports? As Firefox is my browser of choice, I do not want to have to permanently back-level it and expose myself to future security risks.
Having tried a few "slim" browsers, which all also no longer support 40-bit or 56-bit ciphers, I have reverted to FF 17.03esr, which works a treat.
I shall now progress this issue further with IBM.
You can install a portable Firefox (ESR) version to access websites that do not work with the current Firefox release.
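
The override described in the question stays in the profile after the upgrade even though, per the thread, it no longer has any effect in Firefox 19. As an added example (not part of the thread and not Mozilla code), this Python script scans the text of a profile's prefs.js for security.ssl3.* overrides that enable 40-bit, 56-bit or NULL suites. The sample input is constructed, and the pref names other than security.ssl3.rsa_rc4_40_md5 are assumed from the same naming pattern.

```python
import re

# Matches boolean security.ssl3.* overrides as written in prefs.js:
#   user_pref("security.ssl3.rsa_rc4_40_md5", true);
PREF_RE = re.compile(
    r'^\s*user_pref\("(security\.ssl3\.[^"]+)",\s*(true|false)\s*\);')

def classify(pref):
    """Return why the suite named by the pref is weak, or None if it is not."""
    tokens = pref.rsplit(".", 1)[1].split("_")
    if "null" in tokens:
        return "no encryption (NULL cipher)"
    if "40" in tokens:
        return "export-grade 40-bit key"
    if "56" in tokens:
        return "56-bit key"
    if "des" in tokens and "ede3" not in tokens:
        return "single DES (56-bit key)"
    return None

def audit(prefs_text):
    """List (line number, pref, reason) for weak suites overridden to true."""
    findings = []
    for lineno, line in enumerate(prefs_text.splitlines(), 1):
        m = PREF_RE.match(line)
        if not m or m.group(2) != "true":
            continue  # not a cipher pref, or the suite is switched off
        reason = classify(m.group(1))
        if reason:
            findings.append((lineno, m.group(1), reason))
    return findings

# Constructed sample; only rsa_rc4_40_md5 comes from the thread, the other
# pref names are assumptions that follow the same naming pattern.
SAMPLE = "\n".join([
    'user_pref("browser.startup.homepage", "about:blank");',
    'user_pref("security.ssl3.rsa_rc4_40_md5", true);',
    'user_pref("security.ssl3.rsa_rc4_128_sha", true);',
    'user_pref("security.ssl3.rsa_des_sha", true);',
    'user_pref("security.ssl3.rsa_null_md5", false);',
])

if __name__ == "__main__":
    for lineno, pref, reason in audit(SAMPLE):
        print(f"prefs.js line {lineno}: {pref} enabled ({reason})")
```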