X
Thinta lapha ukuze uye kuveshini yamakhalekhukhwini kusayithi.

Isithangami Sabeseki

Lolu chungechunge lwabekwa kunqolobane. Uyacelwa ubuze umbuzo omusha uma udinga usizo.

"Secure Connection Failed" on www.pandora.com

Kuphostiwe

When I browse to https://www.pandora.com/ I get the "Secure Connection Failed" error with exactly the same text as in the screenshot at https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message

This is a really poor error message. It tells me nothing about what's actually wrong and how to fix it. WHY did the secure connection fail? Is there any way to find this out?

The site gets an A- from SSL labs https://www.ssllabs.com/ssltest/analyze.html?d=www.pandora.com&lates... and definitely supports TLS 1.2, so I'm pretty sure the problem is with Firefox and not with Pandora, but the error message is horrible regardless.

When I browse to https://www.pandora.com/ I get the "Secure Connection Failed" error with exactly the same text as in the screenshot at https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message This is a really poor error message. It tells me nothing about what's actually wrong and how to fix it. WHY did the secure connection fail? Is there any way to find this out? The site gets an A- from SSL labs [https://www.ssllabs.com/ssltest/analyze.html?d=www.pandora.com&latest] and definitely supports TLS 1.2, so I'm pretty sure the problem is with Firefox and not with Pandora, but the error message is horrible regardless.

Eminye Imininingwane Yohlelo

Isisebenziso

  • I-ejenti Engumsebenzisi: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

Eminye Imininingwane

FredMcD
  • Top 10 Contributor
4269 izisombululo 59843 izimpendulo
Kuphostiwe

What is your computer system and Firefox?

There is security software like Avast, Kaspersky, BitDefender and ESET that intercept secure connections and send their own certificate.

http://www.ehow.com/how_11385212_troubleshoot-reset-connection-firefox.html

https://support.mozilla.org/en-US/kb/server-not-found-connection-problem

https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can

What is your computer system and Firefox? There is security software like Avast, Kaspersky, BitDefender and ESET that intercept secure connections and send their own certificate. http://www.ehow.com/how_11385212_troubleshoot-reset-connection-firefox.html https://support.mozilla.org/en-US/kb/server-not-found-connection-problem https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can

Impendulo Ewusizo

Windows 7, Firefox 49.0.2. It seems to be an extension problem. I use FoxyProxy to access Pandora. If I disable that extension I can connect to the site successfully. If I enable it I get that error message. However, if I clear "Site preferences" under Clear History and the browse to "www.pandora.com" (without "https://") it works once again... for a while. I've tried this several times now. I'll report this to the FoxyProxy team.

Windows 7, Firefox 49.0.2. It seems to be an extension problem. I use FoxyProxy to access Pandora. If I disable that extension I can connect to the site successfully. If I enable it I get that error message. However, if I clear "Site preferences" under Clear History and the browse to "www.pandora.com" (without "https://") it works once again... for a while. I've tried this several times now. I'll report this to the FoxyProxy team.
FredMcD
  • Top 10 Contributor
4269 izisombululo 59843 izimpendulo
Kuphostiwe

Please keep us posted.

Please keep us posted.

Umnikazi wombuzo

Follow-up: this is not related to FoxyProxy at all, but seems to be related to proxy authentication. Here's a better description of the problem.

Firefox 49.0.2 running on Windows 7, all extensions disabled. I've cleared all history (cache, site preferences, etc.) I have an HTTP proxy configured (Manual Proxy Configuration, "Use this proxy server for all protocols" checked).

If I browse to an HTTPS site after starting Firefox before browsing to an HTTP (non-SSL) site the status bar quickly changes between "Looking up (host)...", "Connecting to (host)..." and "Waiting for (host)..." several times and then shows the "Secure Connection Failed" page, as in the screenshot on https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message

This happens on every HTTPS site I try, e.g. https://support.mozilla.org/, https://www.google.com/, https://www.pandora.com/, https://www.ycombinator.com/ (note that this last one does not use HSTS).

My proxy server requires HTTP authentication and Firefox does not even prompt for a username and password at this point. I control the proxy server and can see in its logs that there are no connection attempts yet.

If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal. It doesn't have to be the same site, e.g. I can browse to http://www.yahoo.com/ and then https://www.microsoft.com/ will work. However, if I cancel the proxy credentials prompt the issue continues. It takes a successful HTTP connection to make HTTPS work.

If I turn off authentication on the proxy server the issue does not occur (but I don't want to leave it open to the world permanently).

I've tried setting network.automatic-ntlm-auth.allow-proxies and network.negotiate-auth.allow-proxies to false and that didn't help.

Follow-up: this is not related to FoxyProxy at all, but seems to be related to proxy authentication. Here's a better description of the problem. Firefox 49.0.2 running on Windows 7, all extensions disabled. I've cleared all history (cache, site preferences, etc.) I have an HTTP proxy configured (Manual Proxy Configuration, "Use this proxy server for all protocols" checked). If I browse to an HTTPS site after starting Firefox before browsing to an HTTP (non-SSL) site the status bar quickly changes between "Looking up (host)...", "Connecting to (host)..." and "Waiting for (host)..." several times and then shows the "Secure Connection Failed" page, as in the screenshot on https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message This happens on every HTTPS site I try, e.g. https://support.mozilla.org/, https://www.google.com/, https://www.pandora.com/, https://www.ycombinator.com/ (note that this last one does not use HSTS). My proxy server requires HTTP authentication and Firefox does not even prompt for a username and password at this point. I control the proxy server and can see in its logs that there are no connection attempts yet. If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal. It doesn't have to be the same site, e.g. I can browse to http://www.yahoo.com/ and then https://www.microsoft.com/ will work. However, if I cancel the proxy credentials prompt the issue continues. It takes a successful HTTP connection to make HTTPS work. If I turn off authentication on the proxy server the issue does not occur (but I don't want to leave it open to the world permanently). I've tried setting network.automatic-ntlm-auth.allow-proxies and network.negotiate-auth.allow-proxies to false and that didn't help.
FredMcD
  • Top 10 Contributor
4269 izisombululo 59843 izimpendulo
Kuphostiwe

I called for more help.

FMX1 said

If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal

Can you set such a site as your home page?

I called for more help. ''FMX1 [[#answer-932999|said]]'' <blockquote> If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal </blockquote> Can you set such a site as your home page?
Tonnes
  • Locale Leader
246 izisombululo 1454 izimpendulo
Kuphostiwe

Though this is not my best area of expertise, a few thoughts after reading this and this question and some bugs (1311720, 486508 and 1291700):

- What happens if you uncheck "Use this proxy server for all protocols"? - What happens if you add a boolean pref called network.negotiate-auth.allow-insecure-ntlm-v1 and set it to true? - Do things work as expected without these suggestions and when using a current nightly? - What type of proxy is used (brand / party)?

Though this is not my best area of expertise, a few thoughts after reading [/questions/926378 this] and [/questions/1013449 this] question and some bugs ([https://bugzilla.mozilla.org/show_bug.cgi?id=1311720 1311720], [https://bugzilla.mozilla.org/show_bug.cgi?id=486508 486508] and [https://bugzilla.mozilla.org/show_bug.cgi?id=1291700 1291700]): - What happens if you uncheck "Use this proxy server for all protocols"? - What happens if you add a boolean pref called ''network.negotiate-auth.allow-insecure-ntlm-v1'' and set it to true? - Do things work as expected without these suggestions and when using a current [https://ftp.mozilla.org/pub/firefox/nightly/latest-mozilla-central/firefox-52.0a1.en-US.win32.zip nightly]? - What type of proxy is used (brand / party)?

Umnikazi wombuzo

FredMcD said

FMX1 said
If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal

Can you set such a site as your home page?

I can, but I have to also manually reload it every time, otherwise it's just served from the cache and doesn't work around the problem. Not ideal.


Tonnes said

- What happens if you uncheck "Use this proxy server for all protocols"?

If I manually set the same proxy for HTTP and SSL - the same thing. If I use the proxy for HTTP only then, of course, the problem doesn't occur, but then I can't listen to Pandora, either. :)

- What happens if you add a boolean pref called network.negotiate-auth.allow-insecure-ntlm-v1 and set it to true?

No change - as expected, since the proxy doesn't use NTLM.

- Do things work as expected without these suggestions and when using a current nightly?

The nightly actually works if I have that proxy configured for both HTTP and SSL! But if I configure the proxy for SSL only the issue continues to occur. So I think the only reason it works is that the nightly automatically opens a tab to mozilla.org, which it loads via HTTP, so in effect it automatically applies the workaround I've found, but does not actually fix the problem.

- What type of proxy is used (brand / party)?

It's a Polipo proxy.

''FredMcD [[#answer-933031|said]]'' <blockquote> ''FMX1 [[#answer-932999|said]]'' <blockquote> If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal </blockquote> Can you set such a site as your home page? </blockquote> I can, but I have to also manually reload it every time, otherwise it's just served from the cache and doesn't work around the problem. Not ideal. ''Tonnes [[#answer-933241|said]]'' <blockquote> - What happens if you uncheck "Use this proxy server for all protocols"? </blockquote> If I manually set the same proxy for HTTP and SSL - the same thing. If I use the proxy for HTTP only then, of course, the problem doesn't occur, but then I can't listen to Pandora, either. :) <blockquote> - What happens if you add a boolean pref called ''network.negotiate-auth.allow-insecure-ntlm-v1'' and set it to true? </blockquote> No change - as expected, since the proxy doesn't use NTLM. <blockquote> - Do things work as expected without these suggestions and when using a current [https://ftp.mozilla.org/pub/firefox/nightly/latest-mozilla-central/firefox-52.0a1.en-US.win32.zip nightly]? </blockquote> The nightly actually works if I have that proxy configured for both HTTP and SSL! But if I configure the proxy for SSL only the issue continues to occur. So I think the only reason it works is that the nightly automatically opens a tab to mozilla.org, which it loads via HTTP, so in effect it automatically applies the workaround I've found, but does not actually fix the problem. <blockquote> - What type of proxy is used (brand / party)? </blockquote> It's a Polipo proxy.
Tonnes
  • Locale Leader
246 izisombululo 1454 izimpendulo
Kuphostiwe

Impendulo Ewusizo

FMX1 said

If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal.
It takes a successful HTTP connection to make HTTPS work.

Are you sure HTTPS authentication should be able to work in Polipo? I’m not. :)

I searched for some keywords and found the quote "Polipo currently only implements the most insecure form of authentication, HTTP basic authentication, which sends usernames and passwords in clear over the network." in its manual. This may be no news, but that means HTTP authentication is just a prerequisite for Polipo, not Firefox. In order to meet that, you should tell Firefox to use HTTP even for HTTPS requests (probably explaining why Polipo logs see no requests at all), and then switch back. I think that would be rather special, and not worth the effort investigating.

Polipo is also rather old and no longer maintained, so you might want to switch to some other proxy if HTTPS authentication is important, unless you are able to trick it, but you might run into other limitations when "parent proxies" are involved. Or you could just drop the authentication.

This question on its mailing list archive may also interest you.

''FMX1 [[#answer-932999|said]]'' <blockquote> If I browse to an HTTP site and enter the proxy credential when prompted I can then browse to HTTPS sites as normal. </blockquote> <blockquote> It takes a successful HTTP connection to make HTTPS work. </blockquote> Are you sure HTTPS authentication should be able to work in Polipo? I’m not. :) I [https://www.google.com/search?q=polipo+proxy+configure+accept+https+authentication&ie=utf-8&oe=utf-8&client=firefox-b&gfe_rd=cr&ei=OhcvWPjKF5Lc8Af8ibroCA&gws_rd=cr searched] for some keywords and found the quote ''"Polipo currently only implements the most insecure form of authentication, HTTP basic authentication, which sends usernames and passwords in clear over the network."'' in its [https://www.irif.fr/~jch/software/polipo/polipo.html#Access-control manual]. This may be no news, but that means HTTP authentication is just a prerequisite for Polipo, not Firefox. In order to meet that, you should tell Firefox to use HTTP even for HTTPS requests (probably explaining why Polipo logs see no requests at all), and then switch back. I think that would be rather special, and not worth the effort investigating. Polipo is also rather old and [https://wiki.archlinux.org/index.php/polipo no longer maintained], so you might want to switch to some other proxy if HTTPS authentication is important, unless you are able to trick it, but you might run into other limitations when "parent proxies" are involved. Or you could just drop the authentication. [https://sourceforge.net/p/polipo/mailman/message/6689883/ This] question on its mailing list archive may also interest you.

Umnikazi wombuzo

You could be right, because disabling authentication in Polipo makes the problem disappear, like I said. Something must have changed in Firefox recently, though, because I've been running with the exact same setup for years and it was working fine. Also, Firefox should really handle the failure to connect much better than it does.

Still, this gives me a possible way to fix the issue, so thank you. I'll look around for an alternative to Polipo. Tell me if you have any recommendations.

You could be right, because disabling authentication in Polipo makes the problem disappear, like I said. Something must have changed in Firefox recently, though, because I've been running with the exact same setup for years and it was working fine. Also, Firefox should really handle the failure to connect much better than it does. Still, this gives me a possible way to fix the issue, so thank you. I'll look around for an alternative to Polipo. Tell me if you have any recommendations.

Okulungisiwe ngu FMX1