Using Firefox 115.15.0esr (64-bit) on macOS 14.3 (23D56) I'm not able to connect to https://mijnzakelijk.ing.nl/ while https://ing.nl/ connects just fine. These domains use different TLS versions, which may be related to the issue. The browser reports a failure to connect, and NS_ERROR_NET_INTERRUPT when viewing the networking tab. Tcpdump indicates the remote side disconnects by sending FIN on the TCP layer. I tried various config features to enable low TLS versions but that did not make a difference.
openssl s_client has no issue connecting, nor does Chrome, on the same system. For completeness here is the openssl transcript:
````
$ openssl s_client mijnzakelijk.ing.nl:443
Connecting to 145.221.213.243
CONNECTED(00000006)
depth=2 C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1
verify return:1
depth=1 C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1
verify return:1
depth=0 jurisdictionC=NL, businessCategory=Private Organization, serialNumber=33031431, C=NL, ST=Noord-Holland, L=Amsterdam, O=ING Bank NV, CN=mijnzakelijk.ing.nl
verify return:1
---
Certificate chain
0 s:jurisdictionC=NL, businessCategory=Private Organization, serialNumber=33031431, C=NL, ST=Noord-Holland, L=Amsterdam, O=ING Bank NV, CN=mijnzakelijk.ing.nl
i:C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 7 11:27:00 2024 GMT; NotAfter: Sep 1 11:26:00 2025 GMT
1 s:C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1
i:C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 12 16:56:15 2019 GMT; NotAfter: Dec 12 16:56:15 2029 GMT
2 s:C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1
i:C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 16 18:12:23 2014 GMT; NotAfter: Jan 16 18:12:23 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHGDCCBgCgAwIBAgIQQAGRLJeiKhzmRghG5nIGzjANBgkqhkiG9w0BAQsFADBy
...
ZthnKEctI1FJ7MLeY6+zNvJ8+sjEj9P61M85h+MthSw2Pm1wBGzGB9ncSRQ=
-----END CERTIFICATE-----
subject=jurisdictionC=NL, businessCategory=Private Organization, serialNumber=33031431, C=NL, ST=Noord-Holland, L=Amsterdam, O=ING Bank NV, CN=mijnzakelijk.ing.nl
issuer=C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5469 bytes and written 453 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9A30DC8B6EF5D0EE82F9ACB4D53D787D7B4BCAB27F5E54DDB906BEC5A6CDC887
Session-ID-ctx:
Master-Key: 04E64BF5ACC56AA2BB749AA3083DA0B498CCE36DB83A1BA78B19B9282F6B30362B8674D1F60D70594F21A08DC74006A5
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1726644699
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
GET / HTTP/1.1
HTTP/1.1 404 Not Found
...
````
I would like to keep using Firefox for all my browsing, so I'm wondering what I can do to fix this. In about:config I have all settings containing "tls" set to their defaults. I've tried enabling security.tls.version.enable-deprecated and lowering security.tls.version.min, but nothing seems to help.
I know from experience that contacting ING about such issues doesn't get you anywhere, and given the fact that another major browser has no issue I suspect it is best solved (or worked around) on the side of Firefox.