X
點擊此處開啟此網站的行動版。

技術支援討論區

I get ssl_error_no_cypher_overlap error accessing our internal web sites. It works on FF 24.8.1 but I get error with 38.3. Verified no chages in about:config

已張貼

It works on IE and FF 24.8.1 but I get error with 38.3.

I have verified there are no chages in about:config.

I have tried to change the enforcement (security.cert_pinning.enforcement_level) to 0 and it did not work. Set it back to 1.

IE and FF 24.8.1 both ask to add the exception. FF 38.3 does not.

I am running on Win2008 R2.

It works on IE and FF 24.8.1 but I get error with 38.3. I have verified there are no chages in about:config. I have tried to change the enforcement (security.cert_pinning.enforcement_level) to 0 and it did not work. Set it back to 1. IE and FF 24.8.1 both ask to add the exception. FF 38.3 does not. I am running on Win2008 R2.

額外的系統細節

已安裝的外掛程式

  • ActiveTouch General Plugin Container Version 105
  • Adobe PDF Plug-In For Firefox and Netscape 10.1.15
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Next Generation Java Plug-in 11.60.2 for Mozilla browsers
  • The plugin allows you to have a better experience with Microsoft SharePoint
  • Shockwave Flash 19.0.0.185
  • VMware Remote Console Plug-in

應用程式

  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0

更多資訊

jscher2000
  • Top 10 Contributor
8785 個解決方法 71847 個答案

Since we can't get hands on with this site...

I assume all Firefox users get this on the internal sites, even with newer and non-server versions of Windows?

If you open Firefox's Web Console in the lower part of the tab, either

  • Ctrl+Shift+k or
  • "3-bar" menu button > Developer > Web Console

then reload the error page, does the console provide any additional detail about the problem?

And/or, do you have Google Chrome installed? If you visit the site in Google Chrome, click the padlock icon in the address bar, and then "Connection" on the drop-down panel, could you post its diagnosis of the strength of the site's security? That may flag up an issue that Firefox is not explaining as well as it could.

Since we can't get hands on with this site... I assume all Firefox users get this on the internal sites, even with newer and non-server versions of Windows? If you open Firefox's Web Console in the lower part of the tab, either * Ctrl+Shift+k or * "3-bar" menu button > Developer > Web Console then reload the error page, does the console provide any additional detail about the problem? And/or, do you have Google Chrome installed? If you visit the site in Google Chrome, click the padlock icon in the address bar, and then "Connection" on the drop-down panel, could you post its diagnosis of the strength of the site's security? That may flag up an issue that Firefox is not explaining as well as it could.
cor-el
  • Top 10 Contributor
  • Moderator
17567 個解決方法 158888 個答案

What connection settings are used if you check the Security tab in the Network Monitor (3-bar Menu button or Tools > Web Developer) in Firefox 38?

What connection settings are used if you check the Security tab in the Network Monitor (3-bar Menu button or Tools > Web Developer) in Firefox 38? *https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor#Security

提出問題者

Nothing shows up in the Console window

Nothing shows up in the Console window

提出問題者

I do not get the "Security Tab".

I do not get the "Security Tab".

提出問題者

We are not allowed to load Google Chrome.  :-(

We are not allowed to load Google Chrome. :-(
jscher2000
  • Top 10 Contributor
8785 個解決方法 71847 個答案

dooley0008 said

I do not get the "Security Tab".

The security tab should appear on the right side (after various other tabs such as Rules, Computed...) if you click an HTTPS connection in the Network Monitor. (It was added in Firefox 37, so should be in your version.) If that connection does not appear, try reloading the page in the top part of the tab.

''dooley0008 [[#answer-844954|said]]'' <blockquote> I do not get the "Security Tab". </blockquote> The security tab should appear on the right side (after various other tabs such as Rules, Computed...) if you click an HTTPS connection in the Network Monitor. (It was added in Firefox 37, so should be in your version.) If that connection does not appear, try reloading the page in the top part of the tab.

提出問題者

I did that with the same result. See pic.

I did that with the same result. See pic.
jscher2000
  • Top 10 Contributor
8785 個解決方法 71847 個答案

But if you click that row, no Security tab appears on the right?

Also, you may want to edit that image since it lists the server address in the blue title bar area.

But if you click that row, no Security tab appears on the right? Also, you may want to edit that image since it lists the server address in the blue title bar area.
cor-el
  • Top 10 Contributor
  • Moderator
17567 個解決方法 158888 個答案

The Security tab is only there if you connect via a secure HTTPS connection and not if you use an open HTTP connection.

The Security tab is only there if you connect via a secure HTTPS connection and not if you use an open HTTP connection.

提出問題者

An error occurred during a connection to east-web.mt.att.com:9443.

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

An error occurred during a connection to east-web.mt.att.com:9443. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

提出問題者

I over layed the address with the name on the pic and messages. Thanks for thinking about that.

I over layed the address with the name on the pic and messages. Thanks for thinking about that.

提出問題者

I did not click on the line. Once I did it appeared.

I did not click on the line. Once I did it appeared.

提出問題者

jscher - do you want a private conversation? I may be able to show you my screen.

jscher - do you want a private conversation? I may be able to show you my screen.
jscher2000
  • Top 10 Contributor
8785 個解決方法 71847 個答案

有幫助的回覆

Hmm, that doesn't tell us anything new.

If this is an old IIS server, it's possible that it only supports RC4 ciphers, which Firefox deprecated around the release of Firefox 38. What happens if you toggle this setting:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste rc4 and pause while the list is filtered

(3) Double-click the security.tls.unrestricted_rc4_fallback preference to switch it from the default value of false to true

You may need to clear cache before this takes effect on a server Firefox previously refused to connect to. See: How to clear the Firefox cache.

Hmm, that doesn't tell us anything new. If this is an old IIS server, it's possible that it only supports RC4 ciphers, which Firefox deprecated around the release of Firefox 38. What happens if you toggle this setting: (1) In a new tab, type or paste '''about:config''' in the address bar and press Enter/Return. Click the button promising to be careful. (2) In the search box above the list, type or paste '''rc4''' and pause while the list is filtered (3) Double-click the '''security.tls.unrestricted_rc4_fallback''' preference to switch it from the default value of false to true You may need to clear cache before this takes effect on a server Firefox previously refused to connect to. See: [[How to clear the Firefox cache]].

提出問題者

It was already set to "true" by default. All the rc4 options are true by default.

It was already set to "true" by default. All the rc4 options are true by default.
jscher2000
  • Top 10 Contributor
8785 個解決方法 71847 個答案

dooley0008 said

It was already set to "true" by default. All the rc4 options are true by default.

Hmm, that setting might be unique to the ESR release. (It's normal for the others to be true by default.)

There were just so many changes between Firefox 24 and 38, which was quite a while ago, so I can't remember all the possible fixes. Here's one I found in a search that made Firefox 37 behave more like Firefox 36 with the combination of TLS 1.0 + RC4 cipher:

(1) Copy the host name of the server address. This is the part between the https:// protocol and the next / character, and not including either of those.

(2) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

(3) In the search box above the list, type or paste tls and pause while the list is filtered

(4) Double-click the security.tls.insecure_fallback_hosts preference to display a box where you can paste the copied host name. If you have something here already, add a comma at the end before pasting to separate the new host name from the previous name(s). Then click OK to save the change.

Then try reloading the site.

''dooley0008 [[#answer-844967|said]]'' <blockquote> It was already set to "true" by default. All the rc4 options are true by default. </blockquote> Hmm, that setting might be unique to the ESR release. (It's normal for the others to be true by default.) There were just so many changes between Firefox 24 and 38, which was quite a while ago, so I can't remember all the possible fixes. Here's one I found in a search that made Firefox 37 behave more like Firefox 36 with the combination of TLS 1.0 + RC4 cipher: (1) Copy the host name of the server address. This is the part ''between'' the https:// protocol and the next / character, and not including either of those. (2) In a new tab, type or paste '''about:config''' in the address bar and press Enter. Click the button promising to be careful. (3) In the search box above the list, type or paste '''tls''' and pause while the list is filtered (4) Double-click the '''security.tls.insecure_fallback_hosts''' preference to display a box where you can paste the copied host name. If you have something here already, add a comma at the end before pasting to separate the new host name from the previous name(s). Then click OK to save the change. Then try reloading the site.

提出問題者

Same result

Same result

提出問題者

Here are the tls options

Here are the tls options
cor-el
  • Top 10 Contributor
  • Moderator
17567 個解決方法 158888 個答案

Does that server support TLS 1.0 and higher or only SSL3?

What does it say in "Tools > Page Info > Security" in Firefox 24?

The SSleuth works from Firefox 25 and later, so won't of much use either just like the Network Monitor.

Does that server support TLS 1.0 and higher or only SSL3? What does it say in "Tools > Page Info > Security" in Firefox 24? The SSleuth works from Firefox 25 and later, so won't of much use either just like the Network Monitor. * https://addons.mozilla.org/firefox/addon/ssleuth
cor-el
  • Top 10 Contributor
  • Moderator
17567 個解決方法 158888 個答案

Does Google Chrome work on your operating system?

Does Google Chrome work on your operating system?