
Support Forum

This thread was archived. Please ask a new question if you need help.

Unable to connect to internal SSL sites with unknown CA's after 36.0 update.

Posted

Last week my browser auto-updated to version 36.0 and I am now no longer able to connect to certain internal corporate websites. These sites either have self-signed certs, or certs signed by an internal CA. They do not use certs signed by publicly known "trusted" CA's.

For example, one of the errors that I receive is below:

Secure Connection Failed An error occurred during a connection to [HOST]:[PORT]. SSL peer rejected a handshake message for unacceptable content. (Error code: ssl_error_illegal_parameter_alert)

Although a warning message is received in IE or Chrome, we are given the option to proceed and the site opens correctly, despite those browsers also indicating that the server's cert is not trusted.

I have added the internal CA's cert to the Authorities tab in the Firefox Certificate Manager, but am still not able to connect to the internal site.

Firefox allows me to accept some incorrect certs (or at least it did in the past), why is this not the default behavior with *all* certificate related problems? I realize that there are malicious sites out there, but there are also internal ones that are being blocked as well. Is there a config option that can be set so a user is prompted for all cert errors and they can decide to proceed if desired instead of just being blocked from the site? I understand blocking by default, but there also needs to be a way to proceed for advanced users.

Are there any configuration options to loosen the cert standards for sites? All other sites seem to load properly and otherwise there are no problems with the browser.

Sorry if this is the wrong place to post, I wasn't sure where to.

Thanks for any assistance!

-Beaty


More system details

Installed plug-ins

  • ActiveTouch General Plugin Container Version 105
  • Adobe PDF Plug-In For Firefox and Netscape 11.0.10
  • Adobe PDF Plug-In For Firefox and Netscape "9.5.5"
  • Citrix Access Gateway
  • Citrix Online App Detector Plugin
  • GEPlugin
  • Version 5.38.6.0
  • Google Update
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Next Generation Java Plug-in 11.31.2 for Mozilla browsers
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • Office Authorization plug-in for NPAPI browsers
  • NVIDIA 3D Vision Streaming plugin for Mozilla browsers
  • NVIDIA 3D Vision plugin for Mozilla browsers
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Shockwave Flash 16.0 r0
  • 5.1.30514.0
  • VMware Remote Console Plug-in
  • VMware Remote Console and Client Integration Plug-in

Application

  • Firefox 36.0
  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
  • Support URL: https://support.mozilla.org/1/firefox/36.0/WINNT/en-US/

Extensions

  • Flashblock 1.5.18 ({3d7eb24f-2740-49df-8937-200b1cc08f8a})
  • Ghostery 5.4.2 (firefox@ghostery.com)
  • IP Address and Domain Information 2.0.2 (jid0-jJRRRBMgoShUhb07IvnxTBAl29w@jetpack)
  • NoScript 2.6.9.15 ({73a6fe31-595d-460b-a920-fcc0f8843232})
  • Restartless Restart 9 (restartless.restart@erikvold.com)
  • Session Manager 0.8.1.6 ({1280606b-2510-4fe0-97ef-9b5a22eafe30})
  • Xmarks 4.3.6 (foxmarks@kei.com)
  • IDS_SS_NAME IDS_SS_VERSION ({D19CA586-DD6C-4a0a-96F8-14644F340D60}) (Inactive)

JavaScript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription: NVIDIA NVS 3100M
  • adapterDescription2:
  • adapterDeviceID: 0x0a6c
  • adapterDeviceID2:
  • adapterDrivers: nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um
  • adapterDrivers2:
  • adapterRAM: 512
  • adapterRAM2:
  • adapterSubsysID: 040b1028
  • adapterSubsysID2:
  • adapterVendorID: 0x10de
  • adapterVendorID2:
  • direct2DEnabled: True
  • directWriteEnabled: True
  • directWriteVersion: 6.2.9200.16571
  • driverDate: 8-3-2011
  • driverDate2:
  • driverVersion: 8.17.12.8026
  • driverVersion2:
  • info: {u'AzureCanvasBackend': u'direct2d', u'AzureFallbackCanvasBackend': u'cairo', u'AzureContentBackend': u'direct2d', u'AzureSkiaAccelerated': 0}
  • isGPU2Active: False
  • numAcceleratedWindows: 7
  • numTotalWindows: 7
  • webglRenderer: Google Inc. -- ANGLE (NVIDIA NVS 3100M Direct3D9Ex vs_3_0 ps_3_0)
  • windowLayerManagerRemote: True
  • windowLayerManagerType: Direct3D 11

Modified Preferences

Misc

  • User JS: No
  • Accessibility: No

guigs 1072 solutions 11697 answers
Posted

This should go into detail of what configurations were added in this version:

  • https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/
  • 1024 rsa keys

Question owner

guigs2 said

This should go into detail of what configurations were added in this version:

Thanks, but this doesn't really help.

The certificate in use on this server is 2048 bits. I think that the problem stems from the cert being signed by an internal CA rather than a public one.

What I really want to be able to do is proceed to the site even though Firefox doesn't like the CA or perceived problems with the cert. The browser should give me an option to continue even if it doesn't like the security used. I realize that it is trying to protect users from malicious sites, but this is not the case. Is there a config option that can be enabled to relax the SSL requirements?

I did have server exceptions for the certificates in question.

Unless there is a config option that I can set, then it looks like my only option would be to downgrade to 35, which I don't really want to do.

mimi89999 5 solutions 44 answers
Posted

Install your CA certificate in Firefox. preferences --> advanced --> Certificates --> View Certificates --> Authorities --> Import


Question owner

Tried that before posting, sorry for not mentioning it. Still the same error:

Secure Connection Failed

An error occurred during a connection to [HOST]. SSL peer rejected a handshake message for unacceptable content. (Error code: ssl_error_illegal_parameter_alert)

   The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
   Please contact the website owners to inform them of this problem.


The only thing that's changed between the two is the recent browser update.

mimi89999 5 solutions 44 answers
Posted

What AV software are you using?


Question owner

McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.8 with the 05-Mar DAT's. SiteAdvisor Enterprise is also installed but it isn't enabled though.

I receive a cert error and can still connect to the site in IE & Chrome, but would prefer to use FF since that is what I use for the majority of my browsing.


Modified by BeatyMcCloud

mimi89999 5 solutions 44 answers
Posted

Have you tried with everything disabled in McAfee?

mimi89999 5 solutions 44 answers
Posted

If it doesn't work use these instructions: https://stackoverflow.com/questions/21024526/ssl-error-illegal-parameter-alert

Question owner

Hmm, I hadn't tried disabling McAfee, but after doing so the result is the same.

I had previously lowered the TLS Security config options to 0 as outlined in the Stack Overflow link and that didn't help either.

I am connected to the corporate network through a VPN, but we do not use a proxy.

The SO link got me to thinking though, could this be a problem with the cipher used? Looking at the cert details in IE it indicates that the version is V3 and the algorithm and hash are sha1RSA and sha1, respectively.

Is there a way to get debugging information for the HTTPS request?

mimi89999 5 solutions 44 answers
Posted

You could test your website/server here: https://www.ssllabs.com/ssltest/


Question owner

Unfortunately it's an internal server that is not accessible from the outside. Do you happen to know if there is a F/OSS app that will do the same thing which I can run from an internal system? I wasn't able to find one.

mimi89999 5 solutions 44 answers
Posted

How many servers do you have?

mimi89999 5 solutions 44 answers
Posted

What web server software are they running (Apache, Nginx...)?


Question owner

I'm not sure what web server is actually being used; the machine is an RSA Two-Factor Authentication Manager. I suspect that it is Apache based.

I was able to run an SSL/TLS Capabilities test of the browser from the SSL Labs site and even though I had set the TLS Security config options to 0 it doesn't look like the protocols are enabled for use.

  • TLS 1.2: Yes
  • TLS 1.1: No
  • TLS 1.0: No
  • SSL 3: No
  • SSL 2: No

mimi89999 5 solutions 44 answers
Posted

What about Cipher Suites?

cor-el
  • Top 10 Contributor
  • Moderator
17483 solutions 158000 answers
Posted

See also:

  • SSleuth: https://addons.mozilla.org/firefox/addon/ssleuth/

Question owner

I think that SSLeuth would give me exactly what I need but unfortunately the page never loads because of the SSL Error. I am looking to see if there is a similar add-on for Chrome.

Using the SSL Labs browser test [1] though, it looks like the only version supported is TLS 1.2. Could Firefox not be falling back to SSL3? I've set the security.tls.version.min & fallback to 0 so would expect it to fall back to these but now I'm not sure if it is.

@mimi89999, I don't have open SSL installed but will do so and give connecting with that a try and report back.

Thanks to everyone for their suggestions, they are greatly appreciated!

Slowly getting there!

-Beaty

1: https://www.ssllabs.com/ssltest/viewMyClient.html

cor-el
  • Top 10 Contributor
  • Moderator
17483 solutions 158000 answers
Posted

You could try to set security.tls.version.max to a lower value to see what happens.

  • http://kb.mozillazine.org/security.tls.version.*

0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, 3 means TLS 1.2 etc.
guigs 1072 solutions 11697 answers
Posted

Check to make sure the cypher is allowed as well: https://wiki.mozilla.org/Security/Server_Side_TLS


Question owner

First, sorry for the delay in responding, things have been crazy here lately.

Secondly, here is the output from openSSL for connecting to the server:

OpenSSL> s_client -connect qrsa01.qnao.net:443
Loading 'screen' into random state - done
CONNECTED(00000180)
depth=1 CN = RSA root CA for qrsa01.qnao.net, serialNumber = 15702a01a563d5b8f2ba65250ad81947eef537554eae2320efed2159a8193bd5
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=qrsa01.qnao.net/serialNumber=3b444eeb8355fb2b5b686d03ce1c0a61cd3552a184001b9564700f7cebcbe9f0
   i:/CN=RSA root CA for qrsa01.qnao.net/serialNumber=15702a01a563d5b8f2ba65250ad81947eef537554eae2320efed2159a8193bd5
 1 s:/CN=RSA root CA for qrsa01.qnao.net/serialNumber=15702a01a563d5b8f2ba65250ad81947eef537554eae2320efed2159a8193bd5
   i:/CN=RSA root CA for qrsa01.qnao.net/serialNumber=15702a01a563d5b8f2ba65250ad81947eef537554eae2320efed2159a8193bd5
---
Server certificate



subject=/CN=qrsa01.qnao.net/serialNumber=3b444eeb8355fb2b5b686d03ce1c0a61cd3552a184001b9564700f7cebcbe9f0
issuer=/CN=RSA root CA for qrsa01.qnao.net/serialNumber=15702a01a563d5b8f2ba65250ad81947eef537554eae2320efed2159a8193bd5
---
No client certificate CA names sent
---
SSL handshake has read 1948 bytes and written 675 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:

   Protocol  : TLSv1.2
   Cipher    : RC4-SHA
   Session-ID: 550194FCFA9BE4A1060430A13EBA67B9EBD793485253412053534C4A20202020
   Session-ID-ctx:
   Master-Key: F1FD3AB4846FBC14D35EB7BBAFF8704821940DDE5A0549519A0AFF2EC8CAF245

08DCAA6D4F9FB1D125664FC7BFE87E95

   Key-Arg   : None
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   Start Time: 1426167036
   Timeout   : 300 (sec)
   Verify return code: 19 (self signed certificate in certificate chain)

---
read:errno=0
OpenSSL>


I had already set the tls.security.version.min to 0, so would have expected to be able to connect.

At this point it seems like the problem is that we are using an internal CA to sign the cert for this server, but Firefox won't allow me to proceed despite this. Is there an option that I can set to have firefox prompt on all certificate issues and give me the option to proceed anyways?

Any other thoughts/suggestions?
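
Added example (not part of the original thread): a small triage of `openssl s_client` summary text that separates certificate-trust findings, which importing the CA or adding an exception changes, from protocol, cipher and key-size findings, which those settings do not change. The names `parse_summary` and `triage` are hypothetical, the sample text is constructed from the values reported in the post above, and the result does not by itself identify the cause of the alert.

```python
import re

# Constructed sample: summary lines in the layout `openssl s_client` prints,
# filled with the values reported in the post above (certificate omitted).
SAMPLE = """\
verify error:num=19:self signed certificate in certificate chain
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : RC4-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
---
"""

FIELDS = {
    "protocol": r"^\s*Protocol\s*:\s*(\S+)",
    "cipher": r"^\s*Cipher\s*:\s*(\S+)",
    "key_bits": r"^Server public key is (\d+) bit",
    "verify_code": r"^\s*Verify return code:\s*(\d+)",
    "verify_text": r"^\s*Verify return code:\s*\d+\s*\((.*)\)",
}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Tokens of OpenSSL cipher-suite names that mark a weak suite.
WEAK_TOKENS = {"RC4": "RC4 (prohibited in TLS by RFC 7465)",
               "NULL": "no encryption", "EXP": "export-grade keys",
               "DES": "DES/3DES", "MD5": "MD5 MAC", "ADH": "anonymous DH"}


def parse_summary(text):
    """Hypothetical helper: pull the negotiated parameters out of the text."""
    info = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.M)
        info[name] = m.group(1) if m else None
    for name in ("key_bits", "verify_code"):
        if info[name] is not None:
            info[name] = int(info[name])
    info["secure_reneg"] = "Secure Renegotiation IS supported" in text
    return info


def triage(info):
    """Return (category, message) pairs; category is 'trust' or 'strength'."""
    findings = []
    if info["verify_code"]:  # 0 means the chain verified
        findings.append(("trust", "verify code %d: %s"
                         % (info["verify_code"], info["verify_text"])))
    if info["protocol"] in LEGACY_PROTOCOLS:
        findings.append(("strength", "legacy protocol " + info["protocol"]))
    for token in (info["cipher"] or "").split("-"):
        if token in WEAK_TOKENS:
            findings.append(("strength", "cipher %s: %s"
                             % (info["cipher"], WEAK_TOKENS[token])))
    if info["key_bits"] is not None and info["key_bits"] < 2048:
        findings.append(("strength", "%d-bit server key" % info["key_bits"]))
    if not info["secure_reneg"]:
        findings.append(("strength", "secure renegotiation not supported"))
    return findings


if __name__ == "__main__":
    for category, message in triage(parse_summary(SAMPLE)):
        print("%-9s %s" % (category, message))
```
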
