I updated Firefox to 48.0.2 today and I'm no longer able to reach Google, YouTube, bbs.archlinux.org (the main domain is OK) and other well-known web pages.
Your connection is not secure
The website tried to negotiate an inadequate level of security.
bbs.archlinux.org uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site.
Error code: NS_ERROR_NET_INADEQUATE_SECURITY
From what I understand, they restricted the SSL cipher combinations with the update and now only those not known to be vulnerable are allowed, which is a good decision, but can they at least allow the user to choose, and why does bbs.archlinux.org use an insecure cipher?
To be more precise, why are all of the supported ciphers (as Firefox normally uses the strongest available cipher supported by both the client and the host) deemed not secure?
Among those supported by bbs, for example, are:
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLSv1 112 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 112 bits DES-CBC3-SHA
Accepted TLS11 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS11 256 bits DHE-RSA-AES256-SHA
Accepted TLS11 256 bits AES256-SHA
Accepted TLS11 128 bits ECDHE-RSA-AES128-SHA
Accepted TLS11 128 bits DHE-RSA-AES128-SHA
Accepted TLS11 128 bits AES128-SHA
Accepted TLS11 112 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLS11 112 bits EDH-RSA-DES-CBC3-SHA
Accepted TLS11 112 bits DES-CBC3-SHA
Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA384
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS12 256 bits DHE-RSA-AES256-GCM-SHA384
Accepted TLS12 256 bits DHE-RSA-AES256-SHA256
Accepted TLS12 256 bits DHE-RSA-AES256-SHA
Accepted TLS12 256 bits AES256-GCM-SHA384
Accepted TLS12 256 bits AES256-SHA256
Accepted TLS12 256 bits AES256-SHA
Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256
Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA256
Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA
Accepted TLS12 128 bits DHE-RSA-AES128-GCM-SHA256
Accepted TLS12 128 bits DHE-RSA-AES128-SHA256
Am I the only one experiencing this? What's going wrong with Firefox?
NOTE: I updated only Firefox as I'm currently in another country with limited bandwidth; however, I don't see any openssl / certificate package on the update list.
Last edited by r0b0t (2016-09-02 10:26:11)
Offline
If I connect with Opera to bbs, TLS 1.2 AES-128-GCM-ECDHE-RSA is used. What's wrong with that? Is it because of the RSA? Maybe they want SHA256 instead?
Oh, and it gets even weirder: it allows the connection to archlinux.org or startpage.com, saying it's secure, but when you click on the details it says:
Last edited by jasonwryan (2016-08-30 19:09:56)
Offline
Are you in a country that insists on inspecting packets and runs some sort of MITM nonsense?
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline
So it seems I'm the only one having the problem.
The Maldives may do that, but the same is also happening from other countries (via OpenVPN) with different IPs.
While tracking with Wireshark (connection to startpage.com / archlinux.org), although Firefox says the website doesn't support encryption, the traffic is indeed encrypted, and except for some negotiation between client and server to find the right cipher, which may seem like an attack to downgrade to some weak cipher but also seems normal (and I didn't go that deep), I don't find anything else yet. If someone was trying to tamper, why is Firefox (after the update) the only browser detecting it? Chrome isn't showing the cipher used, but Opera is using a pretty strong one not known to have vulnerabilities.
So unless there is some crazy alien-NSA association after my free ebooks and Arch configuration, I'd say it's the rest of the packages which need to be updated (maybe)...
If not, probably some nasty rootkit is installed in the graphics card memory or somewhere I can't remove.
Offline
I was having this problem after I did an upgrade of firefox only. Running a full system upgrade fixed the problem for me. Perhaps the same might help for you?
Offline
Yes, I too believe that's the most logical conclusion; I'm going to run the update as soon as I have my connection. In the meantime I can say after testing bbs.archlinux.org that Firefox drops it because the combinations offered are either SHA or RSA, which are considered buggy by Firefox. And by comparing an Opera vs. Firefox TLS Client Hello, the ciphers offered by Opera are 17 vs. 13 by Firefox:
Opera combinations:
Cipher Suites (17 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: Unknown (0xcca9)
Cipher Suite: Unknown (0xcca8)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Firefox combinations:
Cipher Suites (13 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: Unknown (0xcca9)
Cipher Suite: Unknown (0xcca8)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
By comparing the combinations offered by the client (Firefox) with those accepted by the server, none of them is supported by the server, thus resulting in the connection failure.
I'll check after the update (hope it will fix it) if Firefox will offer more combinations; if yes, it would be a good question to ask what the reason for this limitation is.
Last edited by r0b0t (2016-08-30 19:17:40)
Offline
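The comparison described in the post above (server-accepted suites against the suites in a ClientHello) can be done mechanically by code point instead of by eye, since the scan prints OpenSSL names while Wireshark prints IANA names. This is an added example, not part of the original post: the function names are its own, the name-to-code-point table covers only the suites in the sample, and the sample is a subset of the lines quoted in the thread.

```python
import re

# OpenSSL name -> IANA code point; covers only the names in the sample below.
OPENSSL_TO_IANA = {
    "ECDHE-RSA-AES256-GCM-SHA384": 0xC030, "ECDHE-RSA-AES128-GCM-SHA256": 0xC02F,
    "ECDHE-RSA-AES256-SHA": 0xC014, "ECDHE-RSA-AES128-SHA": 0xC013,
    "DHE-RSA-AES128-GCM-SHA256": 0x009E, "DES-CBC3-SHA": 0x000A,
}
# Subset of the lines quoted in the thread: server scan and Firefox ClientHello.
SERVER_SCAN = """\
Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256
Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA
Accepted TLS12 128 bits DHE-RSA-AES128-GCM-SHA256
Accepted TLSv1 112 bits DES-CBC3-SHA
"""
CLIENT_HELLO = """\
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: Unknown (0xcca9)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
"""

def server_suites(scan_text):
    """Per protocol version, map accepted code point -> OpenSSL name."""
    out = {}
    pattern = r"^Accepted\s+(\S+)\s+\d+ bits\s+(\S+)"
    for proto, name in re.findall(pattern, scan_text, re.M):
        # A KeyError here means the table lacks the name: fail loudly, don't guess.
        out.setdefault(proto, {})[OPENSSL_TO_IANA[name]] = name
    return out

def client_suites(hello_text):
    """Code points in the order the client offered them."""
    return [int(h, 16) for h in re.findall(r"\((0x[0-9a-fA-F]{4})\)", hello_text)]

def common(scan_text, hello_text):
    """Per protocol version, suites both sides support, in client order."""
    offered = client_suites(hello_text)
    return {proto: [names[c] for c in offered if c in names]
            for proto, names in server_suites(scan_text).items()}

if __name__ == "__main__":
    for proto, names in common(SERVER_SCAN, CLIENT_HELLO).items():
        print(proto, names or "no overlap")
```

On these lines the TLS 1.2 overlap is not empty, so a check like this separates a genuine cipher-list mismatch from a fault elsewhere in the client's TLS stack. Later replies in the thread report that a full upgrade, or updating the nss package, cleared the error.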
Read the Code of Conduct and only post thumbnails http://wiki.archlinux.org/index.php/Cod … s_and_code
...and don't post screenshots of text, paste the actual text.
Offline
Ok, changed it to text, it was quite some work...
Offline
Solved after upgrading everything else, which doesn't make much sense; it would be great to understand the reason for it...
Offline
Look in the pacman log and find out what packages were updated, and see if any packages might have been related (ca-certificate, ssh, etc.).
Also, partial upgrades are not supported on Arch, so always update the entire system.
Last edited by mrunion (2016-09-02 17:10:57)
Matt
"It is very difficult to educate the educated."
Offline
Probably: [ALPM] upgraded ca-certificates-mozilla (3.25-1 -> 3.26-1)
Thank you for pointing it out; actually it's usually what I'd do, but as I said, the internet volume was limited so I didn't want to spend all the traffic on an upgrade.
Offline
I had the same problem; solved it by updating the nss package.
Offline
Glad I found this thread! I just updated firefox without doing a full system update (for that I need a weekend to back up the entire system onto external media and fix any glitches that inevitably come up with changes in the boot process).
Any reason not to tie ca-certificates-mozilla and nss to firefox as dependencies that must be updated in sync?
Peter B. Steiger
Cheyenne, WY
Offline