Firefox cannot display website that use certificate with DH key 1024 bits
After I change web site certificate to use DH key with 1024 bits length, Firefox can not display the web site and provided error like "Secure Connection failed ...". I had tried disable weak cipher dhe but still not working, I had test with Internet Explorer and determine the connection as TLS 1.2 with DH 1024 bits but I do need to browse this web site from Firefox please help.
- Using Firefox 47.0
被采纳的解决方案
My Firefox supports these ciphers, according to https://www.ssllabs.com/ssltest/viewMyClient.html:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) 128 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) 256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) 128 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) 256 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
So it seems your server doesn't support any ciphers used by Firefox 47.
定位到答案原位置 👍 0所有回复 (9)
Looks like you posted using Chrome. Any issues in Chrome? Usually Chrome displays any SSL-related warnings when you click the padlock in the address bar and then click Connection on the drop-down panel.
Could you use this diagnostic page to check your site: https://www.ssllabs.com/ssltest/
For example, it evaluates whether numerous different browsers would be able to connect. If their Firefox won't connect, then it's not just your Firefox.
If this is a general Firefox problem, can you give a link to the site?
It's an internal website, desktop that I need to connect to the website is using Firefox 47.0.1 but I just post this post using my laptop.
I can not use the diagnostic tool because it's an internal web site
What does Chrome show?
On that machine there is no Chrome install but on IE when I see the connection properties it is "TLS 1.2 AES with 128 bit encryption (High); DH with 1024 bit exchange".
Sorry, I don't know to translate that into the way Firefox describes its ciphers. Maybe you can find a tool that runs inside the firewall to interrogate the server and list out the ciphers it supports to see whether there is a match with Firefox.
Do you have any recommend tool to do that?
When I search around, there seem to be a lot of little scanners out there, but I don't know which ones are trustworthy.
For example:
After use 'NMAP' below is list of support cipher that website using:
C:\nmap\nmap-7.12>nmap --script ssl-enum-ciphers -p 443 10.136.82.105
Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-14 13:57 SE Asia Standard Tim e Nmap scan report for CcpCsPG2301 (10.136.82.105) Host is up (0.0019s latency). PORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (dh 1024) - A | TLS_DHE_DSS_WITH_AES_128_CBC_SHA (dh 1024) - A | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (dh 1024) - A | TLS_DHE_DSS_WITH_AES_256_CBC_SHA (dh 1024) - A | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (dh 1024) - D | compressors: | NULL | cipher preference: server | warnings: | Weak certificate signature: SHA1 |_ least strength: D
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
C:\nmap\nmap-7.12>
选择的解决方案
My Firefox supports these ciphers, according to https://www.ssllabs.com/ssltest/viewMyClient.html:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) 128 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) 256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) 128 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) 256 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
So it seems your server doesn't support any ciphers used by Firefox 47.