X
Tap here to go to the mobile version of the site.

Fóram Tacaíochta

Cuireadh an snáithe seo sa chartlann. Cuir ceist nua má tá cabhair uait.

After updating FF to 33.0 I now get: error code: sec_error_invalid_key

Postáilte

I visit sites that have local ssl certificates installed (self signed), typically I get the warning about this, accept, confirm, etc. All used to be good. I just now received an update to FF to 33.0, now none of these sites work. (I'm in the Beta channel) I'm getting: error code: sec_error_invalid_key

The sites in question, are all mine, and work well on other browsers.

I visit sites that have local ssl certificates installed (self signed), typically I get the warning about this, accept, confirm, etc. All used to be good. I just now received an update to FF to 33.0, now none of these sites work. (I'm in the Beta channel) I'm getting: error code: sec_error_invalid_key The sites in question, are all mine, and work well on other browsers.

Tuilleadh mionsonraí faoin chóras

Breiseáin Shuiteáilte

  • Microsoft Office for Mac SharePoint Browser Plug-in
  • thinkorswim loader
  • thinkDesktop configuration loader
  • Displays Java applet content, or a placeholder if Java is not installed.
  • Blue Jeans Installation Plugin
  • Blue Jeans Video Plugin
  • Shockwave Flash 14.0 r0
  • Provides information about the default web browser
  • Version 5.4.2.18903
  • Microsoft Lync 2010 Meeting Join Plug-in
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in web pages. For more information, visit the QuickTime Web site.
  • Adobe® Acrobat® Plug-in for Web Browsers, Version 11.0.07
  • The Google Earth Plugin allows you to view 3D imagery and terrain in your web browser.
  • Unity Web Player version 4.2.0f4. (c) 2013 Unity Technologies ApS. All rights reserved.
  • WebEx64 General Plugin Container Version 205
  • Office Live Update v1.0
  • NPAPI Plguin used by inSite(sm) from American Express(R)
  • Picasa plugin.

Feidhmchlár

  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:33.0) Gecko/20100101 Firefox/33.0

Tuilleadh Eolais

cor-el
  • Top 10 Contributor
  • Moderator
17567 réiteach 158879 freagra

Did (does) Firefox 32 work or does that version fail as well?

You can try to rename the cert8.db file in the Firefox profile folder to see if that has effect.

Did (does) Firefox 32 work or does that version fail as well? You can try to rename the cert8.db file in the Firefox profile folder to see if that has effect. *http://kb.mozillazine.org/Profile_folder_-_Firefox
thiefsy 0 réiteach 1 freagra

I have same problem. I downgraded to FF 32, site with self-signed certificate works normally. Then I again upgraded to FF33beta, error code: sec_error_invalid_key.

Renaming cert8.db file doesn't help.

I have same problem. I downgraded to FF 32, site with self-signed certificate works normally. Then I again upgraded to FF33beta, error code: sec_error_invalid_key. Renaming cert8.db file doesn't help.
cor-el
  • Top 10 Contributor
  • Moderator
17567 réiteach 158879 freagra

That is probably because Firefox 33 has fully switched to libPKIX that is more stricter and you can no longer disable this library and fall back to the previous NSS code.

  • bug 975229 - Remove NSS-based certificate verification

Please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html

That is probably because Firefox 33 has fully switched to libPKIX that is more stricter and you can no longer disable this library and fall back to the previous NSS code. * https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/ *[https://bugzilla.mozilla.org/show_bug.cgi?id=975229 bug 975229] - Remove NSS-based certificate verification <i>Please do not comment in bug reports<br>https://bugzilla.mozilla.org/page.cgi?id=etiquette.html</i>

Freagra Cabhrach

So that means I need to use IE or Chrome instead? I downgraded to FF 32 and it is working again.

FF has to fix this!

So that means I need to use IE or Chrome instead? I downgraded to FF 32 and it is working again. FF has to fix this!
the-edmeister
  • Top 25 Contributor
  • Moderator
5411 réiteach 40287 freagra

I trust that you are aware that Firefox 33 is a Beta build, which won't be released until Oct 14th.

Are you using Extended Validation (EV) certificates or the Domain Validated (DV) certificates?

I trust that you are aware that Firefox 33 is a Beta build, which won't be released until Oct 14th. Are you using Extended Validation (EV) certificates or the Domain Validated (DV) certificates?
IT Fixt 1 réiteach 5 freagra

"I trust that you are aware that Firefox 33 is a Beta build, which won't be released until Oct 14th."

Yes, but the question is: will it be fixed? AFAICS this breaks Webmin, in general. Worse, if I try and add an exception in Options, FF says it can't get any identifying information from the site, so even that simple workaround isn't available. I'm not inclined to buy commercial SSL certificates for Webmin!

"I trust that you are aware that Firefox 33 is a Beta build, which won't be released until Oct 14th." Yes, but the question is: ''will'' it be fixed? AFAICS this breaks Webmin, in general. Worse, if I try and add an exception in Options, FF says it can't get any identifying information from the site, so even that simple workaround isn't available. I'm not inclined to buy commercial SSL certificates for Webmin!
FTWMike 0 réiteach 2 freagra

Freagra Cabhrach

And the answer is NO it won't be fixed, 33.0 released today and this is still an issue. Must revert back to 32.x or go to some other browser.

And the answer is NO it won't be fixed, 33.0 released today and this is still an issue. Must revert back to 32.x or go to some other browser.

Athraithe ag FTWMike ar

JokMontoya 0 réiteach 1 freagra

I had this problem with Firefox 33 and 2 of my 3 webmin sites, I checked the certificates expiration date and the ones with problems had expired.

I renewed the certificates in Webmin and Firefox asked me to add an exception for those selfsigned certificates as usual.

I had this problem with Firefox 33 and 2 of my 3 webmin sites, I checked the certificates expiration date and the ones with problems had expired. I renewed the certificates in Webmin and Firefox asked me to add an exception for those selfsigned certificates as usual.

Athraithe ag JokMontoya ar

Fab de Coarraze 0 réiteach 13 freagra

I have 10th of routers with self-sign certs. I checked the cert with a still 32 FF and the cert expires in 2020. When I try to connect with FF33 I get the same sec_error_invalid_key. I removed the permanent exception cert from the local store and try to set it manually again: I get the error: ~unable to get identification status for the site~ (approx translation to english)

I have 10th of routers with self-sign certs. I checked the cert with a still 32 FF and the cert expires in 2020. When I try to connect with FF33 I get the same sec_error_invalid_key. I removed the permanent exception cert from the local store and try to set it manually again: I get the error: ~unable to get identification status for the site~ (approx translation to english)
Fab de Coarraze 0 réiteach 13 freagra

Here is a temporary workaround for Linux: sudo apt-get remove firefox (do not specify purge, this will keep your profile as is) sudo dpkg -i /var/cache/apt/archives/firefox then type tab key to list the available versions in your apt cache. Do the same with related packages (eg. locale language pack, desktop integration) that are already installed. Then complete the command: sudo dpkg -i /var/cache/apt/archives/firefox*32*.deb At this time you're nearly safe. Immediately launch synaptic package manager, seach firefox (32 and related) installed, select it, click Package in the menu and check the "Lock version". You are now safe. Monitor the firefox release notes to know when you can release the version lock.

Here is a temporary workaround for Linux: sudo apt-get remove firefox ('''do not specify''' purge, this will keep your profile as is) sudo dpkg -i /var/cache/apt/archives/firefox '''then type tab key''' to list the available versions in your apt cache. Do the same with related packages (eg. locale language pack, desktop integration) that are already installed. Then complete the command: sudo dpkg -i /var/cache/apt/archives/firefox*32*.deb At this time you're nearly safe. Immediately launch synaptic package manager, seach firefox (32 and related) installed, select it, click '''Package''' in the menu and check the "'''Lock version'''". You are now safe. Monitor the firefox release notes to know when you can release the version lock.

Athraithe ag Fab de Coarraze ar

philipp
  • Top 25 Contributor
  • Moderator
5320 réiteach 23501 freagra

hello, i'm not sure if it applies to your situation, but support for some certificates with weak signatures has been removed in firefox 33: https://developer.mozilla.org/en-US/Firefox/Releases/33/Site_Compatibility#Security

hello, i'm not sure if it applies to your situation, but support for some certificates with weak signatures has been removed in firefox 33: https://developer.mozilla.org/en-US/Firefox/Releases/33/Site_Compatibility#Security
JohnGB 0 réiteach 3 freagra

I have the same problem with Firefox 33.0 when connecting to Webmin running on a local network Ubuntu 12.04 Server.

I have the same problem with Firefox 33.0 when connecting to Webmin running on a local network Ubuntu 12.04 Server.
PapsW 0 réiteach 1 freagra

Hallo,

I create in Webmin a new local ssl certificate and now it is working with FF 33.

Webmin Configuration -> SSL Encryption -> Self-Signed Certificate

Kind regard PapsW

Hallo, I create in Webmin a new local ssl certificate and now it is working with FF 33. Webmin Configuration -> SSL Encryption -> Self-Signed Certificate Kind regard PapsW
FTWMike 0 réiteach 2 freagra

Apparently the root issue with non-Webmin certs is key length within the certificates. FF 34 beta broke out the error with a new error text of "mozilla_pkix_error_inadequate_key_size" but I'm still not finding any kind of override. 'They' need to understand we don't have any say over the key length on many of these devices, they are what they are and we need to be able to override them.

Encrypted traffic even weakly encrypted is preferable to clear text when it contains logins and passwords.

Apparently the root issue with non-Webmin certs is key length within the certificates. FF 34 beta broke out the error with a new error text of "mozilla_pkix_error_inadequate_key_size" but I'm still not finding any kind of override. 'They' need to understand we don't have any say over the key length on many of these devices, they are what they are and we need to be able to override them. Encrypted traffic even weakly encrypted is preferable to clear text when it contains logins and passwords.

Athraithe ag FTWMike ar

cor-el
  • Top 10 Contributor
  • Moderator
17567 réiteach 158879 freagra

See:

  • Several cipher suites have been disabled
  • RSA certificates using weak signatures less than 1024-bit are no longer accepted
See: *https://developer.mozilla.org/en-US/Firefox/Releases/33/Site_Compatibility#Security *Several cipher suites have been disabled *RSA certificates using weak signatures less than 1024-bit are no longer accepted
BenKennish 0 réiteach 4 freagra

I visited https://news.ycombinator.com/ with Firefox 33.0.2 on Windows 7 and it's giving me "(Error code: sec_error_unknown_issuer)" and there is no "I understand the risks" button. In this case, I'm not particularly bothered about having a secure connection but the http:// site auto redirects to the https:// one and Firefox will not let me ignore the validation error.

Whilst I understand that this behaviour is probably sensible for the typical Firefox user, it is not acceptable for developers and those who use admin control panels. Could we perhaps have an "about:config" variable such as "security.tls.allow-ignore-errors" that brings back the "I understand the risks" button?

Cheers, Ben

I visited https://news<i></i>.ycombinator<i></i>.com/ with Firefox 33.0.2 on Windows 7 and it's giving me "(Error code: sec_error_unknown_issuer)" and there is no "I understand the risks" button. In this case, I'm not particularly bothered about having a secure connection but the http:// site auto redirects to the https:// one and Firefox will not let me ignore the validation error. Whilst I understand that this behaviour is probably sensible for the typical Firefox user, it is not acceptable for developers and those who use admin control panels. Could we perhaps have an "about:config" variable such as "security.tls.allow-ignore-errors" that brings back the "I understand the risks" button? Cheers, Ben

Athraithe ag cor-el ar

pion19 0 réiteach 4 freagra

Problem still exists, including Firefox 34, 35, 36.0b7 see https://support.mozilla.org/en-US/questions/1045971

important addition: I have restored https-access to my router by these tricks in about:config Modify security.tls.version.min from 1 to 0 sometimes it's necessary also to Modify security.tls.version.fallback-limit from 1 to 0 please see link above

Problem still exists, including Firefox 34, 35, 36.0b7 see https://support.mozilla.org/en-US/questions/1045971 important addition: I have restored https-access to my router by these tricks in '''about:config''' Modify '''security.tls.version.min''' from '''1''' to '''0''' sometimes it's necessary also to Modify '''security.tls.version.fallback-limit''' from '''1''' to '''0''' please see link above

Athraithe ag pion19 ar

cor-el
  • Top 10 Contributor
  • Moderator
17567 réiteach 158879 freagra
See also: Phasing out Certificates with 1024-bit RSA Keys: *https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/ Phase 2: Phasing out Certificates with 1024-bit RSA Keys: *https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/