You are not logged in.
I updated today firefox to 48.0.2 and I'm not able to reach anymore goolge, youtube, bbs.archlinux.org (the main domain is ok) and other wellknown webpage.
Your connection is not secure
The website tried to negotiate an inadequate level of security.
bbs.archlinux.org uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site.
Error code: NS_ERROR_NET_INADEQUATE_SECURITY
With what I understand they restricted the SSL cypher combination with the update and now only the not-known-vulnerable are allowed. Which is a good decision, but at least can they allow the user to choose and why bbs.archlinux.org uses an un-secure cipher?
To be more precise, why all of the supported ciphers (as Firefox normally uses the stronger cipher available supported between the client and the host) are deemed as not secure?
Among the supported by bbs for example are :
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLSv1 112 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 112 bits DES-CBC3-SHA
Accepted TLS11 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS11 256 bits DHE-RSA-AES256-SHA
Accepted TLS11 256 bits AES256-SHA
Accepted TLS11 128 bits ECDHE-RSA-AES128-SHA
Accepted TLS11 128 bits DHE-RSA-AES128-SHA
Accepted TLS11 128 bits AES128-SHA
Accepted TLS11 112 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLS11 112 bits EDH-RSA-DES-CBC3-SHA
Accepted TLS11 112 bits DES-CBC3-SHA
Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA384
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS12 256 bits DHE-RSA-AES256-GCM-SHA384
Accepted TLS12 256 bits DHE-RSA-AES256-SHA256
Accepted TLS12 256 bits DHE-RSA-AES256-SHA
Accepted TLS12 256 bits AES256-GCM-SHA384
Accepted TLS12 256 bits AES256-SHA256
Accepted TLS12 256 bits AES256-SHA
Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256
Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA256
Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA
Accepted TLS12 128 bits DHE-RSA-AES128-GCM-SHA256
Accepted TLS12 128 bits DHE-RSA-AES128-SHA256
Am I the only experiencing this? What's going wrong with firefox?
NOTE: I updated only firefox as currently in another country with limited bandwidth, however I don't see any openssl / certificate package on the update list.
Last edited by r0b0t (2016-09-02 10:26:11)
Offline
If I connect with Opera to bbs TLS 1.2 AES-128-GCM-ECDHE-RSA is used, what's wrong with that, is it because of the RSA? they maybe want SHA256 instead?
Oh and it get's even weirder while allowing connection to archlinux.org or startpage.com saying it's secure but when you click o the details it says :
Last edited by jasonwryan (2016-08-30 19:09:56)
Offline
Are you in a country that insists in inspecting packets and runs some sort MITM nonsense?
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Online
So it seems I'm the only one having the problem
Maldives may do that but the same's happening also from other countries (via OpenVPN) with different IP's.
While tracking with wireshark (connection to startpage.com / archlinux.org) although firefox says the website doesn't support encryption the traffic is indeed encrypted , and except some negotiation between client and server to find the right cipher which may seem like an attack to downgrade to some weak cipher but it seems also normal and I didn't wen't so deep. I don't find anything else, yet, if someone was trying to tamper why is firefox (after the update) the only browser detecting it, chrome isn't showing the cipher used but Opera is using a pretty strong one not known to have vulnerabilities.
So except there is some crazy alien-NSA association after my free ebooks and arch configuration I'd say it's the rest of the packages which need to be updated (maybe)...
If not, probably some nasty rootkit is installed in the graphic card memory or somewhere I can't remove
Offline
I was having this problem after I did an upgrade of firefox only. Running a full system upgrade fixed the problem for me. Perhaps the same might help for you?
Offline
Yes I believe to that's the most logical conclusion, I'm going to run the update as soon as I have my connection. In the mean time I can say after testing bbs.archlinux.org that firefox drops it because the combinations offered are either SHA or RSA which are considered buggy by firefox. And by comparing an Opera VS Firefox TLS Client Hello the ciphers offered by Opera are 17 VS 13 by firefox:
Opera combinations :
Cipher Suites (17 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: Unknown (0xcca9)
Cipher Suite: Unknown (0xcca8)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Firefox combinations :
Cipher Suites (13 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: Unknown (0xcca9)
Cipher Suite: Unknown (0xcca8)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
By comparing the combinations offered by the client (firefox) with those accepted by the server none of them is supported by the server those resulting in the connection failure.
I'll check after the update (hope will fix it) if firefox will offer more combinations, if yes would be a good question to ask what's the reason of this limitation?
Last edited by r0b0t (2016-08-30 19:17:40)
Offline
Read the Code of Conduct and only post thumbnails http://wiki.archlinux.org/index.php/Cod … s_and_code
...and don't post screenshots of text, paste the actual text.
Offline
Ok, changed it to text, it was quite some work...
Offline
Solved after upgrading everything else, which doesn't make much sense , would be great to understand the reason of it...
Offline
Look in the pacman log and find out what packages were updated, and see if any packages might have been related (ca-certificate, ssh, etc.).
Also, partial upgrades are not supported on Arch, so always update the entire system.
Last edited by mrunion (2016-09-02 17:10:57)
Matt
"It is very difficult to educate the educated."
Offline
Probably : [ALPM] upgraded ca-certificates-mozilla (3.25-1 -> 3.26-1)
Thank you for pointing it out, actually it's usually what I'd do but as I said the internet volume was limited so I didn't want to spent all the traffic on an upgrade.
Offline
i had the same problem, solved it by updating the nss package
Offline
Glad I found this thread! I just updated firefox without doing a full system update (for that I need a weekend to back up the entire system onto external media and fix any glitches that inevitably come up with changes in the boot process).
Any reason not to tie ca-certificates-mozilla and nss to firefox as dependencies that must be updated in sync?
Peter B. Steiger
Cheyenne, WY
Offline
Any reason not to tie ca-certificates-mozilla and nss to firefox as dependencies that must be updated in sync?
Offline