
Support Forum

This thread was archived. Please ask a new question if you need help.

SSL on v.36.0.1 Padlock and Identity Info Missing

Posted

When I visit an https:// url on Firefox version 36.0.1 I am getting an exclamation mark instead of a padlock::

SCREENSHOTS:: http://www.silkblooms.co.uk/images/prototypes/ssl3.jpg http://www.silkblooms.co.uk/images/prototypes/ssl2.jpg http://www.silkblooms.co.uk/images/prototypes/ssl1.jpg

The same websites are showing identity information and padlocks when I use other browsers like Chrome or IE so the problem is with FF. I have no proxy in the tools>options>advanced>network>settings (so it's not that).



More System Details

Installed plug-ins

  • Adobe PDF Plug-In For Firefox and Netscape 11.0.10
  • A plugin to detect whether the Adobe Application Manager is installed on this machine.
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • Office Authorization plug-in for NPAPI browsers
  • NVIDIA 3D Vision Streaming plugin for Mozilla browsers
  • NVIDIA 3D Vision plugin for Mozilla browsers
  • Shockwave Flash 16.0 r0
  • 5.1.30514.0

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0

philipp
  • Top 25 Contributor
  • Moderator
5306 solutions 23424 answers
Posted

Helpful Reply

hi MJ_Lind, the site you have mentioned only offers weak TLS_RSA_WITH_RC4_128_SHA encryption making use of the RC4 cipher suite which is considered broken and no longer trustworthy. according to this recent proposal browsers have to stop supporting RC4: https://tools.ietf.org/html/rfc7465

starting with firefox 38, the browser will show an error message and totally block access to affected sites, so please raise this issue with your hoster...


Question owner

philipp said

hi MJ_Lind, the site you have mentioned only offers weak TLS_RSA_WITH_RC4_128_SHA encryption making use of the RC4 cipher suite which is considered broken and no longer trustworthy. according to this recent proposal browsers have to stop supporting RC4: https://tools.ietf.org/html/rfc7465 starting with firefox 38, the browser will show an error message and totally block access to affected sites, so please raise this issue with your hoster...

Hi Philipp,

Is this on www.silkblooms.co.uk? Where are you getting that info from so I can raise this with the certificate issuing company?


David....

philipp
  • Top 25 Contributor
  • Moderator
5306 solutions 23424 answers
Posted

hi david, you can check this with a tool like https://www.ssllabs.com/ssltest/index.html

and this is the bug that will remove support for rc4 cipher-suites in firefox 38: https://bugzilla.mozilla.org/show_bug.cgi?id=1124039


Question owner

Hi Phillip,

Thank you for this info. I will be able to upgrade the certificate as it would appear this is the problem.


David...

philipp
  • Top 25 Contributor
  • Moderator
5306 solutions 23424 answers
Posted

it will be less about the certificate (yours looks ok), but about the configuration of the web-server where your site is running, so please raise the issue with the hosting provider...


Question owner

I see.... ok I don't really see as I don't know exactly how to advise our hosting provider. Do you know the specific, technical jargon that I should present to the host? If you were contacting your hosting provider about this then exactly what would you say to them?

philipp
  • Top 25 Contributor
  • Moderator
5306 solutions 23424 answers
Posted

you can tell them that you have learned that the server where your website is hosted only offers a weak RC4 cipher suite for encryption, which most browsers will stop supporting soon & that means that your visitors will only see an error message - as a reference you can give this site: https://developer.mozilla.org/en-US/Firefox/Releases/38/Site_Compatibility#Security

the workaround is to update the server's configuration to make use of more state-of-the-art encryption...


Question owner

The host is blaming the certificate::

"I believe the issue should be fixed if we reinstall SSL for the domain, is there any chance that you could get in touch with the SSL provider and get a new cert to comply with the new SHA-2 requirement?"

Is this accurate what they're saying?

philipp
  • Top 25 Contributor
  • Moderator
5306 solutions 23424 answers
Posted

you'll ultimately have to figure it out together with the support of your hoster... i can only repeat myself though: the error that firefox is showing is due to the server only using a weak TLS_RSA_WITH_RC4_128_SHA cipher suite, which is not related to your certificate but to the server's configuration that should be under the control of the hoster.

jscher2000
  • Top 10 Contributor
8696 solutions 71081 answers
Posted

Your certificate was signed with "SHA256". I think the issue the host is describing with the "SHA1" certificate refers to the bundle of additional certificates your cert issuer gave you along with your own site certificate. Your web server sends the bundle with your certificate as part of the chain showing that a trusted root certificate was used to sign your certificate. (Without this chain, Firefox will display the unknown issuer error page.) Maybe they have an upgrade to the bundle that you can install in place of the one you have?

But I don't think that's the current issue. To prevent your server from using an RC4 Cipher, I believe you need to edit your HTTP configuration file (httpd.conf), which may or may not require intervention from your host. The SSLCipherSuite directive (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite) is the setting that restricts cipher suites on Apache.

Mozilla has an article on cipher suites and how restrictions affect different browsers and operating systems: https://wiki.mozilla.org/Security/Server_Side_TLS.
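To make the SSLCipherSuite point concrete, here is an added example (not part of the original post, and not the site's real configuration) that scans httpd.conf text for `SSLCipherSuite` directives and classifies each OpenSSL cipher string by how it treats RC4. The sample configuration is constructed, and the script assumes the cipher string is a single colon-separated argument.

```python
import re

DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\s+(.+?)\s*$", re.IGNORECASE)


def classify_cipher_spec(spec: str) -> str:
    """Classify an OpenSSL cipher string by how it treats RC4.

    'excluded': contains !RC4, which removes all RC4 suites permanently
    'enabled' : names RC4 (e.g. RC4-SHA, RC4+RSA) and never excludes it
    'unpinned': never mentions RC4, so the outcome depends on what aliases
                such as ALL or DEFAULT expand to in the server's OpenSSL
    """
    names_rc4 = False
    for tok in filter(None, re.split(r"[:, ]+", spec.strip())):
        prefix = tok[0] if tok[0] in "!-+" else ""
        body = tok[len(prefix):].upper()
        if prefix == "!" and body == "RC4":
            return "excluded"  # "!" wins regardless of position in the string
        # "-" removes and "+" only reorders; neither adds a suite
        if prefix == "" and "RC4" in re.split(r"[+-]", body):
            names_rc4 = True
    return "enabled" if names_rc4 else "unpinned"


def audit_httpd_conf(text: str) -> list:
    """Return (line number, cipher string, verdict) per SSLCipherSuite line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        # Newer Apache releases accept an optional protocol word before the
        # cipher string, so take the last argument on the line.
        spec = m.group(1).split()[-1].strip("\"'")
        findings.append((lineno, spec, classify_cipher_spec(spec)))
    return findings


# Constructed sample: three virtual hosts with different cipher policies.
SAMPLE_CONF = """\
# constructed httpd.conf excerpts, not the site's real configuration
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite RC4-SHA
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
</VirtualHost>
<VirtualHost *:443>
    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in audit_httpd_conf(SAMPLE_CONF):
        print(finding)
```

An 'unpinned' verdict is a prompt to test the live server, since whether RC4 ends up offered then depends on the OpenSSL build behind Apache.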


Question owner

I'm getting nowhere with this. Over a day later and several emails between myself, Trustico and our host. No one knows what's causing it. Here's what's happened so far::

- Trustico have verified that the certificate is installed correctly and they're adamant that the fault lies with insecure items in the source code. They can't list any such item.

- Our host has re-installed the SSL. It is EV SSL CA - G4 so it's a good, up-to-date certificate.

- Trustico and our host are both blaming it on the website having insecure items. None of them can explain this empty webpage though. Look at the source code as it knocks their argument on the head:: https://www.silkblooms.co.uk/ssl/ff.html


I'm at a complete loss. This was the last email from Trustico Support::

Dear David,

Thank you for your reply

I am afraid that is what Firefox is telling you about the certificate and why it is not being displayed.

I can't give you any more information. I have helped you as far as I can now.

I have checked the certificate installation it is working fine. The keys are correct, I have visited our other clients using the same certificate and keys and they have no problems.

I have even checked with our clients that are still using the out of date SHA-1 software and they all still have the green bar.

I have even given you one to compare I am also using 36.0.1 version of Firefox

https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp You can type in your domain name and see the installation

Then you can type in - www.studiocoast.com.au who I helped with a similar issue but it was with Chrome. https://www.studiocoast.com.au/ - now visit Firefox on his web site.

The green bar and his organisation name comes up with no problems. Now referring back to the SSL certificate, except for the domain name you will notice every single other data is the same in regards to signature strength and root chain that is being used. He is using GeoTrust EV SSL CA - G4 and so are you.

The only difference is that Firefox is telling you, "The connection to this website is not fully secure because it contains unencrypted elements (such as images)." and that is why it is not showing the Green Bar and padlock.

There must be something on your site, that is linking to something that is not secure, I am not 100% sure it is the only possibility after doing all the comparison for all our other EV certificate clients, both SHA-1 and SHA-2 using the exact same Roots CA's as you, or even the old one you had installed.

Kind regards,

Robert Craker Trustico® Online Limited www.trustico.com

jscher2000
  • Top 10 Contributor
8696 solutions 71081 answers
Posted

Helpful Reply

Yes, this is very frustrating. Did they look at the screenshot from Chrome showing its analysis of the certificate? (New capture attached.) I shouldn't say it's an analysis of the certificate. The certificate is great. It's a comment on the SSL ciphers offered by the server to the browser.

The comparison server they gave you actually is Windows-based and uses Microsoft's IIS webserver software and not the Apache webserver, so it's not apples-to-apples. Or in other words, it doesn't prove they know how to configure Apache.


Modified by jscher2000

Question owner

Thank you. I've sent this to the host. Are you saying that the problem is definitely, 100% with the Apache server configuration and not with the certificate?

wizzardz 0 solutions 17 answers
Posted

I see this same issue on this very URL

https://support.mozilla.org/en-US/questions/1051000

James
  • Moderator
1596 solutions 11250 answers
Posted

wizzardz said

I see this same issue on this very URL

You should start a new thread as this thread is still active on a similar yet different thing.

Chosen Solution

Our host has fixed this::

They have adjusted the SSLCipherSuites to resolve this as can be verified at:

https://www.ssllabs.com/ssltest/analyze.html?d=silkblooms.co.uk&hideResults=on

Finally!

Thank you everyone for helping me here.

Modified by silkblooms

wizzardz 0 solutions 17 answers
Posted

Not sure how it is different, but I will start a new thread if that's what's needed
cor-el
  • Top 10 Contributor
  • Moderator
17481 solutions 157964 answers
Posted

You can also look at this extension:

  • SSleuth: https://addons.mozilla.org/firefox/addon/ssleuth

Modified by cor-el

Moses
  • Moderator
459 solutions 3607 answers
Posted

Marking solution as suggested in /flagged
