
Why am I getting Secure Connection Failed / Connection Not Encrypted

  • 9 replies
  • 11 have this problem
  • 3 views
  • Last reply by BeanBagKing


FireFox 37.0.2 (first noticed on 37.0.1), on both Windows and Mac

So some of our users noticed an internal site wouldn't work in FireFox recently. They get the big Secure Connection Failed page, and the security technical details just say "Connection Not Encrypted", not very descriptive. The connection IS encrypted though, with an internal certificate that's been installed in FireFox's chain.

I've used IIS Crypto (Nartac Software) to disable everything I could as far as old protocols, ciphers, and hashes are concerned. However, I cannot disable TLS 1.0 or SHA due to limitations with MSSQL Server (it requires those or fails to start). I mention this because I've read that FireFox will now throw that error if fallback to TLS 1.0 is enabled.

If this is true, is there a way of leaving TLS 1.0 enabled as a protocol while disabling fallback to it? The SSL Cipher Suite Order doesn't seem to have an option for TLS versions.

I can also confirm that adding the site to "security.tls.insecure_fallback_hosts" under FireFox's about:config page will prevent the Secure Connection Failed message and take you to the page, further indicating that it's some fallback protocol that I have enabled, I just have no idea what.

Here's the exact text on the page:

Secure Connection Failed
The connection to the server was reset while the page was loading.
-The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
-Please contact the website owners to inform them of this problem.

And the text under Page Info -> Security -> Technical Details:

Connection Not Encrypted
The website (redacted) does not support encryption for the page you are viewing. Information sent over the internet without encryption can be seen by other people while it is in transit

While this is an issue I would like to solve on the IIS side at the end of the day, I'm hoping someone here can give me more help with exactly why FireFox sees this error. I could use a more descriptive message. Why exactly is it failing? What does FireFox expect? Do I have something misconfigured, or is this just an error with FireFox?

If anyone has a list of what FireFox "expects" or what it doesn't expect, that would really help.
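An added example, not part of the original post: the question above turns on the difference between a server that selects TLS 1.0 inside a single handshake and a client that must retry with a lower maximum version after a failed handshake (fallback). This Python check, runnable from an internal machine, offers one handshake per maximum version and classifies the outcome. `probe`, `diagnose` and the sample results are names and data constructed for illustration, and the `@SECLEVEL=0` cipher string assumes an OpenSSL-backed Python.

```python
import socket
import ssl

# Highest version first, so the first success is the highest maximum that works.
VERSIONS = [("TLS 1.2", ssl.TLSVersion.TLSv1_2),
            ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
            ("TLS 1.0", ssl.TLSVersion.TLSv1)]

def probe(host, port=443, cafile=None, timeout=5.0):
    """One handshake per maximum offered version; returns {label: outcome}."""
    results = {}
    for label, max_version in VERSIONS:
        # cafile: PEM file of the internal CA, so verification stays on.
        ctx = ssl.create_default_context(cafile=cafile)
        # Assumption: OpenSSL build. Lets this probing client offer TLS 1.0/1.1.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = max_version
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[label] = "ok:" + tls.version()
        except (ssl.SSLError, OSError) as exc:
            # Keep the exception type: a reset differs from a certificate error.
            results[label] = "fail:" + type(exc).__name__
    return results

def diagnose(results):
    """Classify probe() output."""
    if results.get("TLS 1.2", "").startswith("ok:"):
        # The server answered a TLS 1.2 hello, even if it chose a lower version.
        return "negotiates-in-one-handshake"
    working = [label for label, r in results.items() if r.startswith("ok:")]
    if working:
        # The handshake only completes once the client lowers its maximum.
        return "needs-fallback: first success at max " + working[0]
    return "all-failed"

# Constructed sample (not captured from a real server):
# the connection is reset until the hello tops out at TLS 1.0.
SAMPLE = {"TLS 1.2": "fail:ConnectionResetError",
          "TLS 1.1": "fail:ConnectionResetError",
          "TLS 1.0": "ok:TLSv1"}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A `needs-fallback` result means the server rejects hellos that offer a newer version, which is a server-side handshake problem separate from whether TLS 1.0 is enabled as a protocol.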


All Replies (9)


https://www.ssllabs.com/ can help you with setting up a modern security system on your server. Also, I'd suggest you check out https://wiki.mozilla.org/Security/Server_Side_TLS. This is how Mozilla configures our servers, and can be useful to help you choose the level of compatibility you need for your system.


For security reasons, we don't allow it to connect to outside sources, so SSLLabs is out. I did run O-Saft, which didn't reveal any glaring errors.

As far as the other document, it appears we are running closest to Intermediate compatibility due to our use of TLSv1.

I did find this... https://support.mozilla.org/gl/questions/1056444 Where the solution indicates "The website may try to fallback to TLS 1.0 in a way that is no longer allowed in current releases or may be using a deprecated cipher suite."

We aren't using a deprecated cipher suite, so I assume it's the fallback to TLS 1.0. I'm not sure why FF would completely kill a page for that though as TLS is still an acceptable protocol to use.

Also, there isn't a recommended configuration for IIS :( I don't suppose you would have any other documentation (Official/Mozilla or otherwise) that might give some tips?


TLS 1.0 isn't an acceptable fallback, TLS 1.2 is the current version. I don't have anything specific for IIS, are you using RC4 cyphers? If you have an RC4 cypher you may be seeing this error, I'd suggest checking that.


"TLS 1.0 isn't an acceptable fallback"

Why not?

No, we aren't using RC4 cyphers.


Edit/Followup:

I'll add this to the why not. I understand that 1.0 is an older protocol, but no best practices I've found seem to indicate that it has serious security vulnerabilities or that it is now end of life. Here's what the SSL Labs deployment best practices have to say...

https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf

In order to support older clients, you need to continue to support TLS v1.0 and TLS v1.1 for the time being. With some workarounds (explained in subsequent sections), these protocols can still be considered secure enough for most web sites.

Even the Mozilla documentation recommends it for Intermediate compatibility and several of the recommended server configurations have it on by default (Nginx, Apache, etc). The document mentions that, unless you do not need backward compatibility, prefer intermediate configuration, which includes TLSv1.


None of those appear to apply to us. Does FireFox have known issues with TLS 1.2 and SHA 512 certificates?


That was posted by Tyler Downer above.