X
Tap here to go to the mobile version of the site.

Support Forum

"Secure connection failed" SSL_ERROR_NO_CYPHER_OVERLAP, no "Advanced" button, v.50.1.0

Posted

After the automatic update to 50.1.0, I am no longer able to connect to https web interfaces of appliances on my LAN/VPN.

Before the update, I would receive a "Secure Connection Failed" page with an "Advanced" button that would allow me to confirm the security exception and continue to the web page.

Initially after the update, there was no "Advanced" option and the error code was SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT. As part of exploring solutions, I did a refresh of Firefox. After the refresh, the error code is now SSL_ERROR_NO_CYPHER_OVERLAP and there is still no "Advanced" button.

I can access the page via Internet Explorer after confirming a security exception. My OS is Windows 7 Home Premium Service Pack 1.

After the automatic update to 50.1.0, I am no longer able to connect to https web interfaces of appliances on my LAN/VPN. Before the update, I would receive a "Secure Connection Failed" page with an "Advanced" button that would allow me to confirm the security exception and continue to the web page. Initially after the update, there was no "Advanced" option and the error code was SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT. As part of exploring solutions, I did a refresh of Firefox. After the refresh, the error code is now SSL_ERROR_NO_CYPHER_OVERLAP and there is still no "Advanced" button. I can access the page via Internet Explorer after confirming a security exception. My OS is Windows 7 Home Premium Service Pack 1.
Attached screenshots

Chosen solution

The device is on the market today and is at the latest firmware version.

I have since tried Chrome, which does allow the security exception, but does not support the plugin required.

So IE it is then. Ugh.

Thanks for all your help.

Read this answer in context 0

Additional System Details

Installed Plug-ins

  • Adobe PDF Plug-In For Firefox and Netscape 15.20.20039
  • CANON iMAGE GATEWAY Album Plugin Utility Module for IJ
  • Citrix Online App Detector Plugin
  • Google Update
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Next Generation Java Plug-in 11.101.2 for Mozilla browsers
  • BlackBerry WebSL Browser Plug-In
  • Shockwave Flash 24.0 r0
  • Adobe Shockwave for Director Netscape plug-in, version 12.1
  • 5.1.50901.0
  • npTimeGrid-v-3.1.0.287567
  • VMware Remote Console Plug-in
  • NPWLPG
  • npIPCReg DLL - 3.1.0.9
  • npmedia-v-3.1.0.287567

Application

  • Firefox 50.1.0
  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
  • Support URL: https://support.mozilla.org/1/firefox/50.1.0/WINNT/en-US/

Extensions

  • Application Update Service Helper 1.0 (aushelper@mozilla.org)
  • Multi-process staged rollout 1.5 (e10srollout@mozilla.org)
  • Pocket 1.0.5 (firefox@getpocket.com)
  • Web Compat 1.0 (webcompat@mozilla.org)
  • Logitech SetPoint 6.5 ({F003DA68-8256-4b37-A6C4-350FA04494DF}) (Inactive)

Javascript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription: Intel(R) HD Graphics 3000
  • adapterDescription2: NVIDIA GeForce GT 555M
  • adapterDeviceID: 0x0116
  • adapterDeviceID2: 0x0deb
  • adapterDrivers: igdumd64 igd10umd64 igd10umd64 igdumd32 igd10umd32 igd10umd32
  • adapterDrivers2: nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um
  • adapterRAM: Unknown
  • adapterRAM2: 1024
  • adapterSubsysID: 398117aa
  • adapterSubsysID2: 398117aa
  • adapterVendorID: 0x8086
  • adapterVendorID2: 0x10de
  • crashGuards: []
  • currentAudioBackend: wasapi
  • direct2DEnabled: True
  • directWriteEnabled: True
  • directWriteVersion: 6.2.9200.21976
  • driverDate: 1-29-2014
  • driverDate2: 10-28-2013
  • driverVersion: 9.17.10.3347
  • driverVersion2: 9.18.13.2762
  • featureLog: {u'fallbacks': [], u'features': [{u'status': u'available', u'description': u'Compositing', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'HW_COMPOSITING'}, {u'status': u'available', u'description': u'Direct3D11 Compositing', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'D3D11_COMPOSITING'}, {u'status': u'disabled', u'description': u'Direct3D9 Compositing', u'log': [{u'status': u'disabled', u'message': u'Disabled by default', u'type': u'default'}], u'name': u'D3D9_COMPOSITING'}, {u'status': u'available', u'description': u'Direct2D', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'DIRECT2D'}, {u'status': u'available', u'description': u'Direct3D11 hardware ANGLE', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'D3D11_HW_ANGLE'}]}
  • info: {u'AzureCanvasAccelerated': 0, u'AzureCanvasBackend': u'direct2d 1.1', u'AzureFallbackCanvasBackend': u'cairo', u'AzureContentBackend': u'direct2d 1.1'}
  • isGPU2Active: False
  • numAcceleratedWindows: 3
  • numTotalWindows: 3
  • supportsHardwareH264: Yes; Using D3D9 API
  • webgl2Renderer: (no info)
  • webglRenderer: Google Inc. -- ANGLE (Intel(R) HD Graphics 3000 Direct3D11 vs_4_1 ps_4_1)
  • windowLayerManagerRemote: True
  • windowLayerManagerType: Direct3D 11

Modified Preferences

Misc

  • User JS: No
  • Accessibility: No
James
  • Moderator
1603 solutions 11349 answers

Normally this error occurs on a website that is outdated in still supporting RC4 and having the security.tls.unrestricted_rc4_fallback preference toggled to false.

RC4 support has been completely removed in Firefox 50.0 and later as it is no longer able to be overridden. https://www.fxsitecompat.com/en-CA/docs/2016/rc4-support-has-been-completely-removed/ https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/

Since you have Windows you could use the portable Firefox 45.6.0 ESR and enable the Preference just for this one thing that is insecure. The portable build can run on hdd or flash drive and will not touch your normal Firefox 50.1.0 install or Profile. http://portableapps.com/apps/internet/firefox-portable-esr

Normally this error occurs on a website that is outdated in still supporting RC4 and having the '''security.tls.unrestricted_rc4_fallback''' preference toggled to false. RC4 support has been completely removed in Firefox 50.0 and later as it is no longer able to be overridden. https://www.fxsitecompat.com/en-CA/docs/2016/rc4-support-has-been-completely-removed/ https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/ Since you have Windows you could use the portable Firefox 45.6.0 ESR and enable the Preference just for this one thing that is insecure. The portable build can run on hdd or flash drive and will not touch your normal Firefox 50.1.0 install or Profile. http://portableapps.com/apps/internet/firefox-portable-esr

Modified by James

jscher2000
  • Top 10 Contributor
8961 solutions 73431 answers

Many older devices have firmware updates to upgrade their SSL/TLS interfaces, but many do not. If yours falls into the category of being stuck in the past, unfortunately, you may no longer be able to manage it using Firefox. Have you already searched for updates?

Many older devices have firmware updates to upgrade their SSL/TLS interfaces, but many do not. If yours falls into the category of being stuck in the past, unfortunately, you may no longer be able to manage it using Firefox. Have you already searched for updates?

Chosen Solution

The device is on the market today and is at the latest firmware version.

I have since tried Chrome, which does allow the security exception, but does not support the plugin required.

So IE it is then. Ugh.

Thanks for all your help.

The device is on the market today and is at the latest firmware version. I have since tried Chrome, which does allow the security exception, but does not support the plugin required. So IE it is then. Ugh. Thanks for all your help.
jscher2000
  • Top 10 Contributor
8961 solutions 73431 answers

Helpful Reply

Please also complain to the manufacturer. Some users (Mac and Linux) do not even have IE as an option so they would be completely out of luck.

Please also complain to the manufacturer. Some users (Mac and Linux) do not even have IE as an option so they would be completely out of luck.
James
  • Moderator
1603 solutions 11349 answers

sangfroid said

The device is on the market today and is at the latest firmware version.

On the market as in still being manufactured or some stores still having them in stock.

What is the device model anyways?

''sangfroid [[#answer-950745|said]]'' <blockquote> The device is on the market today and is at the latest firmware version. </blockquote> On the market as in still being manufactured or some stores still having them in stock. What is the device model anyways?
cor-el
  • Top 10 Contributor
  • Moderator
17873 solutions 161723 answers

What cipher suite and TLS version is Google Chrome using?

What cipher suite and TLS version is Google Chrome using?

Question owner

I have already submitted a request to Amcrest referencing this thread.

The product is an Amcrest Security Camera DVR (irony): Device Model:HCVR Record Channel:8 System Version:3.200.AC04.5, Build Date: 2015-09-16 Device Type:AMDV10808 Soft Version:10001 Device ID:Amcrest

================================================

Regarding Google Chrome: Version 55.0.2883.87 m Google Chrome is up to date.


https://cc.dcsec.uni-hannover.de/ reports:

SSL Cipher Suite Details of Your Browser

This websites gives you information on the SSL cipher suites your browser supports for securing HTTPS connections. Cipher Suites Supported by Your Browser (ordered by preference):

SpecCipher Suite NameKey SizeDescription (1a,1a)UnknownUnknown (cc,a9)UnknownUnknown (cc,a8)UnknownUnknown (cc,14)ECDHE-ECDSA-CHACHA20-POLY1305-SHA256128 BitKey exchange: ECDH, encryption: ChaCha20 Poly1305, MAC: SHA256. (cc,13)ECDHE-RSA-CHACHA20-POLY1305-SHA256128 BitKey exchange: ECDH, encryption: ChaCha20 Poly1305, MAC: SHA256. (c0,2b)ECDHE-ECDSA-AES128-GCM-SHA256128 BitKey exchange: ECDH, encryption: AES, MAC: SHA256. (c0,2f)ECDHE-RSA-AES128-GCM-SHA256128 BitKey exchange: ECDH, encryption: AES, MAC: SHA256. (c0,2c)ECDHE-ECDSA-AES256-GCM-SHA384256 BitKey exchange: ECDH, encryption: AES, MAC: SHA384. (c0,30)ECDHE-RSA-AES256-GCM-SHA384256 BitKey exchange: ECDH, encryption: AES, MAC: SHA384. (c0,09)ECDHE-ECDSA-AES128-SHA128 BitKey exchange: ECDH, encryption: AES, MAC: SHA1. (c0,13)ECDHE-RSA-AES128-SHA128 BitKey exchange: ECDH, encryption: AES, MAC: SHA1. (c0,0a)ECDHE-ECDSA-AES256-SHA256 BitKey exchange: ECDH, encryption: AES, MAC: SHA1. (c0,14)ECDHE-RSA-AES256-SHA256 BitKey exchange: ECDH, encryption: AES, MAC: SHA1. (00,9c)RSA-AES128-GCM-SHA256128 BitKey exchange: RSA, encryption: AES, MAC: SHA256. (00,9d)RSA-AES256-GCM-SHA384256 BitKey exchange: RSA, encryption: AES, MAC: SHA384. (00,2f)RSA-AES128-SHA128 BitKey exchange: RSA, encryption: AES, MAC: SHA1. (00,35)RSA-AES256-SHA256 BitKey exchange: RSA, encryption: AES, MAC: SHA1. (00,0a)RSA-3DES-EDE-SHA168 BitKey exchange: RSA, encryption: 3DES, MAC: SHA1.

Further information:

User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 Preferred SSL/TLS version: TLSv1 SNI information: cc.dcsec.uni-hannover.de SSL stack current time: Tue, 28 May 1985 18:55:23

This connection uses TLSv1.2 with ECDHE-RSA-AES128-GCM-SHA256 and a 128 Bit key for encryption.

Raw:

Version: 3.1 Ciphers: 1a1a,cca9,cca8,cc14,cc13,c02b,c02f,c02c,c030,c009,c013,c00a,c014,9c,9d,2f,35,0a Extensions: 0a0a,ff01,0000,0017,0023,000d,0005,0012,0010,7550,000b,000a,fafa Remote Time: Tue, 28 May 1985 18:55:23

This service is provided by the DCSEC research group at Leibniz University Hannover. Imprint If you have any comments or questions please contact Sascha Fahl


Details from Chrome about the appliance page:

Security Overview This page is insecure (broken HTTPS).

Certificate Error There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID).

SHA-1 Certificate The certificate for this site expires in 2016, and the certificate chain contains a certificate signed using SHA-1. Secure Resources All resources on this page are served securely.

Obsolete Connection Settings The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and a strong cipher (AES_128_GCM).


Certificate:

Version: V3 Serial Number: ?30 30 65 30 34 63 36 38 30 34 66 37 31 34 32 37 34 34 34 39 30 35 Signature algorithm: sha1RSA Signature hash algorithm: sha1 Issurer: O = Amcrest Technologies LLC L = Houston S = Taxas C = US CN = Product Root CA Valid from: ?Thursday, ?March ?26, ?2015 12:28:25 AM Valid to: ?Saturday, ?March ?26, ?2016 12:28:25 AM Subject: O = Amcrest Technologies LLC L = Houston S = Taxas C = US CN = 192.168.1.108 Public key: RA (1024 Bits) Subject Key Identifier: ac 28 85 02 fc 07 d8 d0 18 02 f5 35 27 ec ec 03 ed af 62 eb Basic Constraints: Subject Type=End Entity Path Length Constraint=None Thumbprint algorithm: sha1 Thumbprint: ?a8 72 7b 58 b7 08 f7 34 4e 12 a5 bd 68 e4 79 a1 56 97 5d 90

I have already submitted a request to Amcrest referencing this thread. The product is an Amcrest Security Camera DVR (irony): Device Model:HCVR Record Channel:8 System Version:3.200.AC04.5, Build Date: 2015-09-16 Device Type:AMDV10808 Soft Version:10001 Device ID:Amcrest ============================================================ Regarding Google Chrome: Version 55.0.2883.87 m Google Chrome is up to date. ------------------------------------------------------------ https://cc.dcsec.uni-hannover.de/ reports: SSL Cipher Suite Details of Your Browser This websites gives you information on the SSL cipher suites your browser supports for securing HTTPS connections. Cipher Suites Supported by Your Browser (ordered by preference): SpecCipher Suite NameKey SizeDescription (1a,1a)UnknownUnknown (cc,a9)UnknownUnknown (cc,a8)UnknownUnknown (cc,14)ECDHE-ECDSA-CHACHA20-POLY1305-SHA256128 BitKey exchange: ECDH, encryption: ChaCha20 Poly1305, MAC: SHA256. (cc,13)ECDHE-RSA-CHACHA20-POLY1305-SHA256128 BitKey exchange: ECDH, encryption: ChaCha20 Poly1305, MAC: SHA256. (c0,2b)ECDHE-ECDSA-AES128-GCM-SHA256128 BitKey exchange: ECDH, encryption: AES, MAC: SHA256. (c0,2f)ECDHE-RSA-AES128-GCM-SHA256128 BitKey exchange: ECDH, encryption: AES, MAC: SHA256. (c0,2c)ECDHE-ECDSA-AES256-GCM-SHA384256 BitKey exchange: ECDH, encryption: AES, MAC: SHA384. (c0,30)ECDHE-RSA-AES256-GCM-SHA384256 BitKey exchange: ECDH, encryption: AES, MAC: SHA384. (c0,09)ECDHE-ECDSA-AES128-SHA128 BitKey exchange: ECDH, encryption: AES, MAC: SHA1. (c0,13)ECDHE-RSA-AES128-SHA128 BitKey exchange: ECDH, encryption: AES, MAC: SHA1. (c0,0a)ECDHE-ECDSA-AES256-SHA256 BitKey exchange: ECDH, encryption: AES, MAC: SHA1. (c0,14)ECDHE-RSA-AES256-SHA256 BitKey exchange: ECDH, encryption: AES, MAC: SHA1. (00,9c)RSA-AES128-GCM-SHA256128 BitKey exchange: RSA, encryption: AES, MAC: SHA256. (00,9d)RSA-AES256-GCM-SHA384256 BitKey exchange: RSA, encryption: AES, MAC: SHA384. (00,2f)RSA-AES128-SHA128 BitKey exchange: RSA, encryption: AES, MAC: SHA1. (00,35)RSA-AES256-SHA256 BitKey exchange: RSA, encryption: AES, MAC: SHA1. (00,0a)RSA-3DES-EDE-SHA168 BitKey exchange: RSA, encryption: 3DES, MAC: SHA1. Further information: User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 Preferred SSL/TLS version: TLSv1 SNI information: cc.dcsec.uni-hannover.de SSL stack current time: Tue, 28 May 1985 18:55:23 This connection uses TLSv1.2 with ECDHE-RSA-AES128-GCM-SHA256 and a 128 Bit key for encryption. Raw: Version: 3.1 Ciphers: 1a1a,cca9,cca8,cc14,cc13,c02b,c02f,c02c,c030,c009,c013,c00a,c014,9c,9d,2f,35,0a Extensions: 0a0a,ff01,0000,0017,0023,000d,0005,0012,0010,7550,000b,000a,fafa Remote Time: Tue, 28 May 1985 18:55:23 This service is provided by the DCSEC research group at Leibniz University Hannover. Imprint If you have any comments or questions please contact Sascha Fahl ------------------------------------------------------------ Details from Chrome about the appliance page: Security Overview This page is insecure (broken HTTPS). Certificate Error There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID). SHA-1 Certificate The certificate for this site expires in 2016, and the certificate chain contains a certificate signed using SHA-1. Secure Resources All resources on this page are served securely. Obsolete Connection Settings The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and a strong cipher (AES_128_GCM). ------------------------------------------------------------ Certificate: Version: V3 Serial Number: ?30 30 65 30 34 63 36 38 30 34 66 37 31 34 32 37 34 34 34 39 30 35 Signature algorithm: sha1RSA Signature hash algorithm: sha1 Issurer: O = Amcrest Technologies LLC L = Houston S = Taxas C = US CN = Product Root CA Valid from: ?Thursday, ?March ?26, ?2015 12:28:25 AM Valid to: ?Saturday, ?March ?26, ?2016 12:28:25 AM Subject: O = Amcrest Technologies LLC L = Houston S = Taxas C = US CN = 192.168.1.108 Public key: RA (1024 Bits) Subject Key Identifier: ac 28 85 02 fc 07 d8 d0 18 02 f5 35 27 ec ec 03 ed af 62 eb Basic Constraints: Subject Type=End Entity Path Length Constraint=None Thumbprint algorithm: sha1 Thumbprint: ?a8 72 7b 58 b7 08 f7 34 4e 12 a5 bd 68 e4 79 a1 56 97 5d 90
jscher2000
  • Top 10 Contributor
8961 solutions 73431 answers

sangfroid said

Details from Chrome about the appliance page:

Security Overview This page is insecure (broken HTTPS).

Certificate Error There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID).

SHA-1 Certificate The certificate for this site expires in 2016, and the certificate chain contains a certificate signed using SHA-1.

Secure Resources All resources on this page are served securely.

Obsolete Connection Settings The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and a strong cipher (AES_128_GCM).

Let's start with that issue about the key exchange, and check on your settings in general.

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste TLS and pause while the list is filtered

(3) If you have any non-default settings (typically bolded and having a status of "user set"), you can make a note of the values in case they turn out to be important for some other reason, then right-click > Reset each prefer to its default value.

If you have any locked preferences (typically italicized), you may have an external lock file modifying your Firefox configuration.

(4) In the search box above the list, type or paste security.ss and pause while the list is filtered

(5) If you have any non-default settings (typically bolded and having a status of "user set"), you can make a note of the values in case they turn out to be important for some other reason, then right-click > Reset each prefer to its default value.

However: Please double-click each of these to switch them from true to false (this works around any servers that have not yet been fixed for the Logjam vulnerability):

  • security.ssl3.dhe_rsa_aes_128_sha => false
  • security.ssl3.dhe_rsa_aes_256_sha => false

Again, if you have any locked preferences (typically italicized), you may have an external lock file modifying your Firefox configuration.

Then if you reload the router's page again, do you get the other error page with the Advanced button?

''sangfroid [[#answer-951045|said]]'' <blockquote> Details from Chrome about the appliance page: <br><br> Security Overview This page is insecure (broken HTTPS). <br><br> Certificate Error There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID). <br><br> SHA-1 Certificate The certificate for this site expires in 2016, and the certificate chain contains a certificate signed using SHA-1.<br><br> Secure Resources All resources on this page are served securely. <br><br> Obsolete Connection Settings The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and a strong cipher (AES_128_GCM). </pre> </blockquote> Let's start with that issue about the key exchange, and check on your settings in general. (1) In a new tab, type or paste '''about:config''' in the address bar and press Enter/Return. Click the button promising to be careful. (2) In the search box above the list, type or paste '''TLS''' and pause while the list is filtered (3) If you have any non-default settings (typically bolded and having a status of "user set"), you can make a note of the values in case they turn out to be important for some other reason, then right-click > Reset each prefer to its default value. If you have any ''locked'' preferences (typically italicized), you may have an external lock file modifying your Firefox configuration. (4) In the search box above the list, type or paste '''security.ss''' and pause while the list is filtered (5) If you have any non-default settings (typically bolded and having a status of "user set"), you can make a note of the values in case they turn out to be important for some other reason, then right-click > Reset each prefer to its default value. '''However:''' Please double-click each of these to switch them from true to false (this works around any servers that have not yet been fixed for the Logjam vulnerability): * security.ssl3.dhe_rsa_aes_128_sha => false * security.ssl3.dhe_rsa_aes_256_sha => false Again, if you have any ''locked'' preferences (typically italicized), you may have an external lock file modifying your Firefox configuration. Then if you reload the router's page again, do you get the other error page with the Advanced button?

Question owner

Sorry, I have tried many workarounds including this. It gives the same page.

I regard the answers above as complete, and will mark using a different browser as 'solved', so that other users may realize that Firefox has moved beyond them.

Again, thank you all for the help.

Sorry, I have tried many workarounds including this. It gives the same page. I regard the answers above as complete, and will mark using a different browser as 'solved', so that other users may realize that Firefox has moved beyond them. Again, thank you all for the help.
cor-el
  • Top 10 Contributor
  • Moderator
17873 solutions 161723 answers

Quote: ECDHE-RSA-AES128-GCM-SHA256

That looks like cipher suite:

  • security.ssl3.ecdhe_rsa_aes_128_gcm_sha256

Try to enable only this cipher suite and disable all the others in case there is a problem with the cipher order that Firefox tries.

Quote: ''ECDHE-RSA-AES128-GCM-SHA256'' That looks like cipher suite: *security.ssl3.ecdhe_rsa_aes_128_gcm_sha256 Try to enable only this cipher suite and disable all the others in case there is a problem with the cipher order that Firefox tries.

Helpful Reply

When all other security.ssl3.* settings, except

  • security.ssl3.ecdhe_rsa_aes_128_gcm_sha256

are set, the connection fails with the same message and no "Advanced" button.

Further, I swept the security.ssl3.* settings, enabling only one at a time. Same response in each case as expected, based on James' response above.

When all other security.ssl3.* settings, except * security.ssl3.ecdhe_rsa_aes_128_gcm_sha256 are set, the connection fails with the same message and no "Advanced" button. Further, I swept the security.ssl3.* settings, enabling only one at a time. Same response in each case as expected, based on James' response above.