FireFox 95.0.2. "Secure Connection Failed" on some sites

Associate
Joined
6 Jul 2010
Posts
1,182
I updated to FF 95.0.2. (Windows 11 PC) and now certain "Jolly Roger" sites just give me a "Secure Connection Failed" message.
It appears to be because of TLS https://support.mozilla.org/en-US/k...fox-did-not-connect?as=u&utm_source=inproduct
I've tried configuring the bottom two "TLS" entries in about:config within FF, but it's not possible to alter the Max. and Min. settings.

It's nothing to do with my firewall, VPN etc. It's a Firefox problem.
I've tried Vivaldi (Chrome-based browser) and it worked OK.

Anyone else noticed this and maybe have a FF workaround?

Thank you.
 
Associate
Joined
18 Dec 2008
Posts
340
I have been getting this for the last couple of weeks. I put it down to me upgrading my home network to 2.5Gbs causing a timing issue. I wasn't aware that it was a FF problem.
My workaround is to refresh the page, which usually works.
 
Associate
OP
Joined
6 Jul 2010
Posts
1,182
I have been getting this for the last couple of weeks. I put it down to me upgrading my home network to 2.5Gbs causing a timing issue. I wasn't aware that it was a FF problem.
My workaround is to refresh the page, which usually works.

Refreshing the page doesn't work for me. I originally thought the site(s) had permanently gone until I tested it with my phone.
I've now switched to Vivaldi full time. Over a decade with Firefox, but it's time to move on.
 
Soldato
Joined
12 Sep 2003
Posts
10,053
Location
Newcastle, UK
I have HTTPS only mode enabled and use TLS1.3 / TLS1.2 - I've not noticed any problems with sites reporting "secure connection failed". I personally wouldn't say it is a FF "problem" but more perhaps a website specific issue (or perhaps a localised issue to you, as the article does mention security software as a cause). Reading the support article it is pretty detailed as to why you are seeing that message. Having security.tls.version.max = 4 (TLS1.3) and security.tls.version.min = 3 (TLS1.2) seems reasonable and I wouldn't like to alter this to anything lower for safety.
 
Associate
OP
Joined
6 Jul 2010
Posts
1,182
I have HTTPS only mode enabled and use TLS1.3 / TLS1.2 - I've not noticed any problems with sites reporting "secure connection failed". I personally wouldn't say it is a FF "problem" but more perhaps a website specific issue (or perhaps a localised issue to you, as the article does mention security software as a cause). Reading the support article it is pretty detailed as to why you are seeing that message. Having security.tls.version.max = 4 (TLS1.3) and security.tls.version.min = 3 (TLS1.2) seems reasonable and I wouldn't like to alter this to anything lower for safety.
Thanks for the reply.
I was using HTTPS only mode, but nothing worked.
I've given it up as a bad job.
 
Soldato
Joined
9 Dec 2006
Posts
9,246
Location
@ManCave
I updated to FF 95.0.2. (Windows 11 PC) and now certain "Jolly Roger" sites just give me a "Secure Connection Failed" message.
It appears to be because of TLS https://support.mozilla.org/en-US/k...fox-did-not-connect?as=u&utm_source=inproduct
I've tried configuring the bottom two "TLS" entries in about:config within FF, but it's not possible to alter the Max. and Min. settings.

It's nothing to do with my firewall, VPN etc. It's a Firefox problem.
I've tried Vivaldi (Chrome-based browser) and it worked OK.

Anyone else noticed this and maybe have a FF workaround?

Thank you.
Firefox will block HTTPS sites that are using TLS < 1.1 as these are now classed as unsecure connections. TLS 1.1 or lower can be easily broken.

Also to add to this, if the certificate is being signed by an untrusted source this will also happen.

What site are you trying to access?

To add to this, Chrome, Brave and Vivaldi do similar things but have different levels of protection.

Firefox now actually scans the certificate for extra protection (which can go wrong sometimes).
See
https://borncity.com/win/2021/12/16/firefox-kann-nicht-auf-microsoft-com-zugreifen-12-dez-2021/
 
Permabanned
Joined
9 Aug 2008
Posts
35,707
That certain "Jolly Roger" site needs to update their certificates.

You can test their SSL cert, which will give you a free report without signing up.

https://www.ssllabs.com/ssltest/

Stop using sites that have a handshake failure until the website resolves it with a new certificate. It's a security risk.

Look under "Handshake Simulation" in the link above once you have checked the site to see what browsers are compatible with the website and use the compatible browser.
 
Soldato
Joined
9 Dec 2006
Posts
9,246
Location
@ManCave
That certain "Jolly Roger" site needs to update their certificates.

You can test their SSL cert, which will give you a free report without signing up.

https://www.ssllabs.com/ssltest/

Stop using sites that have a handshake failure until the website resolves it with a new certificate. It's a security risk.

Look under "Handshake Simulation" in the link above once you have checked the site to see what browsers are compatible with the website and use the compatible browser.
Indeed, not Firefox's fault, and if Chrome works that's a lack of security.
 
Permabanned
Joined
9 Aug 2008
Posts
35,707
Indeed, not Firefox's fault, and if Chrome works that's a lack of security.

It looks like a lot of old operating systems and browsers are now being pulled as unsupported. I have been checking loads of websites recently and a lot of them are failing for anything pre-Windows 8/old Edge and a lot of now unsupported versions of browsers.

Sites are now getting serious about security and compatibility with TLS 1.1 being pulled; I bet there will be a TLS 1.4 coming out soon ready to support the next versions of browsers.
 
Soldato
Joined
9 Dec 2006
Posts
9,246
Location
@ManCave
It looks like a lot of old operating systems and browsers are now being pulled as unsupported. I have been checking loads of websites recently and a lot of them are failing for anything pre-Windows 8/old Edge and a lot of now unsupported versions of browsers.

Sites are now getting serious about security and compatibility with TLS 1.1 being pulled; I bet there will be a TLS 1.4 coming out soon ready to support the next versions of browsers.
TLS 1.1 was pulled years ago for being insecure. FF/Chrome blocked them 2 years ago, from memory.

However, sites generally check the browser version (first two digits) for security/compatibility, so when we hit 100 most sites will break until they check the first 3 digits. Trouble is, it's not just the cert version.

It's the ciphers used and the key exchange algorithms that all count towards the security level.
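
Added example, not part of any post in this thread: a simplified Python model of the two checks discussed above, the protocol range set by `security.tls.version.min` / `security.tls.version.max` and the cipher suite overlap, showing why one client connects where another reports a failed handshake. The server profiles, the offered suite list and the "legacy client" are constructed for illustration; real negotiation has more rules than this model.

```python
from dataclasses import dataclass

# Firefox about:config numbering for security.tls.version.min / .max
PREF_TO_TLS = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

@dataclass
class Endpoint:
    versions: set   # protocol levels, in the pref numbering above
    suites: list    # cipher suites, most preferred first

def client_from_prefs(vmin, vmax, suites):
    """Build a client profile from the two about:config integers."""
    if not (1 <= vmin <= vmax <= 4):
        raise ValueError("expected 1 <= min <= max <= 4")
    return Endpoint(set(range(vmin, vmax + 1)), suites)

def is_tls13_suite(name):
    # TLS 1.3 suite names carry no key-exchange part, so no "_WITH_"
    return "_WITH_" not in name

def simulate(client, server):
    """Simplified model: highest shared version, then the server's first
    suite the client also offers. Returns (ok, version, suite_or_reason)."""
    shared = client.versions & server.versions
    if not shared:
        # Firefox reports this case as SSL_ERROR_UNSUPPORTED_VERSION
        return (False, None, "no shared protocol version")
    level = max(shared)
    for suite in server.suites:
        if suite in client.suites and is_tls13_suite(suite) == (level == 4):
            return (True, PREF_TO_TLS[level], suite)
    # Firefox reports this case as SSL_ERROR_NO_CYPHER_OVERLAP
    return (False, PREF_TO_TLS[level], "no shared cipher suite")

# Constructed sample data (not taken from any real site or scan)
OFFERED = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
           "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"]
DEFAULT_CLIENT = client_from_prefs(3, 4, OFFERED)   # min=3, max=4 as in the thread
LEGACY_CLIENT = client_from_prefs(1, 3, OFFERED)    # hypothetical older client
SERVERS = {
    "tls10-only": Endpoint({1}, ["TLS_RSA_WITH_AES_128_CBC_SHA"]),
    "tls12-old-suites": Endpoint({3}, ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA"]),
    "modern": Endpoint({3, 4}, ["TLS_AES_256_GCM_SHA384",
                                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]),
}

if __name__ == "__main__":
    for name, server in SERVERS.items():
        print(name, simulate(DEFAULT_CLIENT, server), simulate(LEGACY_CLIENT, server))
```

A server that appears under "tls10-only" or "tls12-old-suites" is the one that needs fixing; the client-side range of 3 to 4 is what keeps the connection from being made over a deprecated protocol.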
 
Associate
OP
Joined
6 Jul 2010
Posts
1,182
Thank you Smogsy and Bouton Aide, for the help.

I've checked the SSL Labs site out. The site's certificate never ran out. It scored a B rating and failed the handshake test.
I checked the site (and another site I had problems with) out yesterday and they worked fine.
But both were out of action for around 4 days. So I'm not sure what went wrong.

I can't really name the sites here. But one of them has the Spanish translation of "friends" in the title.
 
Soldato
Joined
9 Dec 2006
Posts
9,246
Location
@ManCave
Thank you Smogsy and Bouton Aide, for the help.

I've checked the SSL Labs site out. The site's certificate never ran out. It scored a B rating and failed the handshake test.
I checked the site (and another site I had problems with) out yesterday and they worked fine.
But both were out of action for around 4 days. So I'm not sure what went wrong.

I can't really name the sites here. But one of them has the Spanish translation of "friends" in the title.

No worries. If it failed the handshake then it didn't pass the security test.
 
Permabanned
Joined
9 Aug 2008
Posts
35,707
Thank you Smogsy and Bouton Aide, for the help.

I've checked the SSL Labs site out. The site's certificate never ran out. It scored a B rating and failed the handshake test.
I checked the site (and another site I had problems with) out yesterday and they worked fine.
But both were out of action for around 4 days. So I'm not sure what went wrong.

I can't really name the sites here. But one of them has the Spanish translation of "friends" in the title.

There's a good chance they might have done something with the certificate. If it didn't work, then it worked, they may have just renewed it or moved cert providers. It happens.
 
Soldato
Joined
9 Dec 2006
Posts
9,246
Location
@ManCave
There's a good chance they might have done something with the certificate. If it didn't work, then it worked, they may have just renewed it or moved cert providers. It happens.
Indeed, it's worse now as FF/Chrome/Safari all force yearly certs.

2 years ago they allowed support for 3 year certs. It made the devops job a lot more painful for sure. Imagine hosting thousands of SSL clients that now need yearly updates vs tri-yearly...

We automated it on our estate via Ansible. Saves a butt load of work and it's now a lot more secure too.
 
Permabanned
Joined
9 Aug 2008
Posts
35,707
Indeed, it's worse now as FF/Chrome/Safari all force yearly certs.

2 years ago they allowed support for 3 year certs. It made the devops job a lot more painful for sure. Imagine hosting thousands of SSL clients that now need yearly updates vs tri-yearly...

We automated it on our estate via Ansible. Saves a butt load of work and it's now a lot more secure too.

Better to automate it but some people / hosts don't use auto systems lol. Never mind.
 