Secure connection errors? **READ THIS FIRST!**

Moonchild

Postby Moonchild » Fri Oct 24, 2014 7:45 pm

Why do some secure connections fail in recent versions?

Since some people run into issues with secure servers in 25.0.2 and later, this FAQ entry provides an answer for three important issues with websites and Pale Moon's security preventing connections from being established. To see what applies to you, please check the specific error on the connection failure screen. Also, before writing to us for a support request if it is covered by this FAQ, take a moment to do what the error screen says: Contact the website owners and inform them of this problem. Secure connection errors are almost always an issue that has to be solved by the server operators and is not an issue in the browser.

  1. Connections to secure servers (https) that might have worked prior to 25.0.2 may stop working in 25.0.2 and later.
    You may get errors like "Connection interrupted while the page was loading" or "ssl_error_bad_mac_read" and similar.
    This is caused by 25.0.2 disabling the SSL 3.0 protocol for secure connections.
  2. Connections to secure servers that might have worked prior to 25.3 may stop working in 25.3 and later.
    You are getting an error indicating "ssl_error_no_cypher_overlap" or "Connection interrupted while the page was loading".
    This is caused by 25.3 disabling the RC4 encryption ciphers for secure connections.
  3. Connections to secure servers that might have worked prior to 25.5 may stop working in 25.5 and later.
    You are getting an error indicating "ssl_error_weak_server_ephemeral_dh_key".
    This is caused by 25.5 no longer accepting export-grade DH keys and fixing the Logjam vulnerability.
  4. Connections to secure servers that might have worked prior to 26.4.1 may stop working in 26.4.1 and later.
    You are getting an error indicating "ssl_error_no_cypher_overlap" or "Connection interrupted while the page was loading".
    This is caused by 26.4.1 disabling the 3DES encryption ciphers for secure connections.

Please see below for more detailed explanations and workarounds.




For point 1: SSL 3.0

Why was SSL 3.0 disabled?

To be brief: because it is no longer secure and can be abused for Man-in-the-Middle attacks.
By its popular acronym it's known as POODLE, and you can find information about it on the web:
Article about POODLE on Wikipedia
Google announcement
and many others (do a search)

Why is this a problem on some servers?

Some https servers will no longer work for Pale Moon as a result of disabling SSL 3.0.
This can happen in 2 situations, both need to be addressed by the server operators.
  1. The server only supports the SSL 3.0 protocol. This is pretty bad, but can happen with misconfigured or particularly old servers. TLS has been around for a long time, and should have been enabled a long time ago.
  2. The server does support TLS, but doesn't support TLS 1.2 and has secure renegotiation disabled.
    Once again, not supporting TLS 1.2 means that the server software should be upgraded to a recent version (any modern version of web server software will support TLS 1.2 and its more secure ciphers).
    The other problem, the lack of secure renegotiation, is something that is likely left over from the SSL/TLS gap a long time ago, where, for a time, it was recommended to disable this as a temporary workaround while software was updated. It seems that server operators have never disabled this workaround that is, at most, a crutch and not a solution for a now no longer applicable problem. See, e.g.: https://community.qualys.com/blogs/securitylabs/2010/10/06/disabling-ssl-renegotiation-is-a-crutch-not-a-fix
    The reason this fails is because Pale Moon tries TLS 1.2 first, and if it cannot renegotiate a different TLS protocol in a secure way, will discard the TLS protocol as a valid option, and would previously fall back to SSL 3.0 - with SSL 3.0 disabled now, there are no methods left to create a secure connection.

I absolutely MUST connect to this broken secure server RIGHT NOW. Help?!

If you absolutely have to connect to a server that will only negotiate SSL 3.0 or doesn't support secure renegotiation for TLS, you can re-enable SSL 3.0 in Pale Moon. Please try to work out the issue with the operator of the server you are connecting to, and disable SSL 3.0 again the moment you no longer need it, to keep yourself safe from POODLE:

Option 1: use Pale Moon Commander
  1. Install the Pale Moon Commander extension
  2. After restart, go to Pale Moon button -> Options -> Advanced options... (In the classic menu: Tools -> Advanced options...)
  3. Go to Security, SSL, and set "Lowest supported protocol" to "SSL 3.0"


Option 2: manually through the advanced preferences editor
  1. In the address bar, type about:config and press enter
  2. In the preferences list, find security.tls.version.min
  3. Double-click this value to edit it, and enter 0 as the new value




For point 2: RC4

Why was RC4 disabled?

RC4 is a stream cipher that has had known weaknesses for over a decade. Thus far, it's been secure enough for most purposes because of lack of practical exploits of those weaknesses, and for a time it was a temporary workaround for some attacks against block ciphers (which may have prompted server operators to explicitly only support RC4). These block cipher issues have long since been resolved (Apple, the last one to mitigate BEAST, did so in October 2013), so there is no reason to not use AES and similar block ciphers again, especially if you use the stronger GCM ciphers as offered by TLS 1.2. This relative safety of RC4 is no longer the case, though, and it should be considered obsolete.

With the emergence of RFC 7465, Cloudflare disabling RC4 permanently on all of its (millions of) SSL websites, and there being whispers in the academic circles of a different, much easier attack on RC4 to break its encryption, it was time to switch off RC4 in Pale Moon 25.3.
As a result, servers that are still using the (just as obsolete) workaround for the past block cipher issues and restricting connections solely to RC4 will cause connection issues in Pale Moon now.

You should immediately contact the server operators and inform them of this issue. All main, current browsers will drop support for RC4 in early 2016.

I absolutely MUST connect to this broken secure server RIGHT NOW. Help?!

If you absolutely have to connect to a server that will only use RC4, you can re-enable RC4 ciphers in Pale Moon. Please try to work out the issue with the operator of the server you are connecting to, and disable RC4 again the moment you no longer need it, to keep yourself safe from decryption exploits:

Option 1: use Pale Moon Commander
  1. Install the Pale Moon Commander extension
  2. After restart, go to Pale Moon button -> Options -> Advanced options... (In the classic menu: Tools -> Advanced options...)
  3. Go to Security, Ciphers1, and check the box alongside "RSA-RC4-SHA" (and if that doesn't help, also try "RSA-RC4-MD5" which is even weaker)
  4. IMPORTANT for Pale Moon 27.2 and later: You must also allow unrestricted fallback to weak ciphers for the site: find security.tls.insecure_fallback_hosts and double-click it, then add the hostname of the site you want to connect to (e.g. www.insecurebank.com) to that preference. You can add multiple sites if needed, separated by a comma (e.g. www.insecurebank.com,www.anotherbadsite.com)


Option 2: manually through the advanced preferences editor
  1. In the address bar, type about:config and press enter
  2. In the preferences list, find security.ssl3.rsa_rc4_128_sha
  3. Double-click this value to set it to true
  4. Repeat if needed for security.ssl3.rsa_rc4_128_md5
  5. IMPORTANT for Pale Moon 27.2 and later: You must also allow unrestricted fallback to weak ciphers for the site: find security.tls.insecure_fallback_hosts and double-click it, then add the hostname of the site you want to connect to (e.g. www.insecurebank.com) to that preference. You can add multiple sites if needed, separated by a comma (e.g. www.insecurebank.com,www.anotherbadsite.com)




For point 3: Weak DH keys

Why are these keys disabled?

They were disabled to mitigate the Logjam attack against the TLS protocol. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, and attacks a Diffie-Hellman (DH) key exchange. Through this attack, anyone with the proper position and gear can snoop on your secure connections (and retroactively decrypt them) in as little as 90 seconds from when you first make the connection. Any DH keys less than 1024 bits are therefore rejected (as an absolute minimum) in Pale Moon 25.5 and later.

More (and very detailed) information at https://weakdh.org

If you run into connection errors with this issue, it means that the server you connect to:
  • Offers and potentially prefers the DHE key exchange, AND
  • Uses a (static) DH key that is less than 1024 bits
This is a problem because DH keys are not generated per connection (unlike other key exchanges that offer forward secrecy) and as such have a fixed component that can be swiftly broken, resulting in communication that can be decrypted in real-time by an attacker. Since these keys are usually never changed once the web server is installed, repeat breaches are easy for the attacker.

Since key sizes cannot be determined before an encryption method is agreed upon, the only way to deal with it is to refuse the connection on the browser side if it is unacceptably weak; as a result, Pale Moon refuses to let you communicate in an unsafe way and closes the connection.

I absolutely MUST connect to this broken secure server RIGHT NOW. Help?!

If you absolutely have to connect to a server that has this combination of settings, you can disable DHE cipher suites in Pale Moon, forcing the server to use a different cipher suite that is not vulnerable. The drawback of this is that potentially good encryption elsewhere is also disabled (because DHE is a good key exchange method, as long as the keys are sufficiently strong) and may fall back to something weaker - so it is recommended to re-enable these cipher suites once the problem with the server has been solved by the server operators:

Option 1: use Pale Moon Commander
  1. Install the Pale Moon Commander extension
  2. After restart, go to Pale Moon button -> Options -> Advanced options... (In the classic menu: Tools -> Advanced options...)
  3. Go to Security, Ciphers1, and clear the boxes alongside all "DHE-DSS" and "DHE-RSA" cipher suites (the entire left column)

Option 2: manually through the advanced preferences editor
  1. In the address bar, type about:config and press enter
  2. In the preferences list, find all preferences that start with security.ssl3.dhe_
  3. Double-click these values until all of them are set to "false"

Please do not disable other cipher suites than specifically the ones indicated, only the ones with "DHE" as a separate acronym at the start. (specifically, ECDHE cipher suites should not be disabled since they are not vulnerable)




For point 4: 3DES

Why was 3DES (Triple-DES) disabled?

3DES is a block cipher that has been marked as potentially weak for some time. Thus far, it's been secure enough for most purposes because of lack of practical exploits of those weaknesses, but with the advent of the so-called "SWEET32" attack that exploits its relatively small block size, attacks against it have become feasible, putting it in a similar position to RC4 as far as vulnerability is concerned.

You should immediately contact the server operators and inform them of this issue. If their only available cipher is 3DES, then something is considerably misconfigured or very old server software is in use.

I absolutely MUST connect to this broken secure server RIGHT NOW. Help?!

If you absolutely have to connect to a server that will only use 3DES, you can re-enable the ciphers in Pale Moon. Please try to work out the issue with the operator of the server you are connecting to, and disable 3DES again the moment you no longer need it, to keep yourself safe from decryption exploits:

Option 1: use Pale Moon Commander
  1. Install the Pale Moon Commander extension
  2. After restart, go to Pale Moon button -> Options -> Advanced options... (In the classic menu: Tools -> Advanced options...)
  3. Go to Security, Ciphers1/2, and check the box alongside "RSA-DES-EDE3-SHA", "ECDHE-RSA-DES-EDE3-SHA" and "ECDHE-ECDSA-DES-EDE3-SHA"
  4. IMPORTANT for Pale Moon 27.2 and later: You must also allow unrestricted fallback to weak ciphers for the site: find security.tls.insecure_fallback_hosts and double-click it, then add the hostname of the site you want to connect to (e.g. www.insecurebank.com) to that preference. You can add multiple sites if needed, separated by a comma (e.g. www.insecurebank.com,www.anotherbadsite.com)

Option 2: manually through the advanced preferences editor
  1. In the address bar, type about:config and press enter
  2. In the preferences list, find security.ssl3.ecdh_ecdsa_des_ede3_sha
  3. Double-click this value to set it to true
  4. Repeat for security.ssl3.ecdhe_rsa_des_ede3_sha and security.ssl3.rsa_des_ede3_sha
  5. IMPORTANT for Pale Moon 27.2 and later: You must also allow unrestricted fallback to weak ciphers for the site: find security.tls.insecure_fallback_hosts and double-click it, then add the hostname of the site you want to connect to (e.g. www.insecurebank.com) to that preference. You can add multiple sites if needed, separated by a comma (e.g. www.insecurebank.com,www.anotherbadsite.com)
Last edited by Moonchild on Tue Mar 21, 2017 11:02 pm, edited 2 times in total.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.
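
The FAQ above asks that each workaround be reverted once it is no longer needed. The following is an added example, not part of the original post or of Pale Moon: it audits a profile's prefs.js for the workaround preferences the FAQ names. It assumes the usual Mozilla `user_pref("name", value);` line format; the sample profile text and the `dhe_rsa_aes_128_sha` entry in it are constructed.

```python
import re

# One line of a Mozilla-style prefs.js / user.js: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Preference names taken from the FAQ text above.
RC4_PREFS = ("security.ssl3.rsa_rc4_128_sha", "security.ssl3.rsa_rc4_128_md5")
TDES_PREFS = (
    "security.ssl3.ecdh_ecdsa_des_ede3_sha",
    "security.ssl3.ecdhe_rsa_des_ede3_sha",
    "security.ssl3.rsa_des_ede3_sha",
)
FALLBACK_PREF = "security.tls.insecure_fallback_hosts"


def parse_prefs(text):
    """Return {name: value} with booleans, integers and strings decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def audit(prefs):
    """Return (code, detail) pairs for each FAQ workaround still in effect."""
    findings = []
    tls_min = prefs.get("security.tls.version.min")
    if type(tls_min) is int and tls_min == 0:
        findings.append(("SSL3", "security.tls.version.min = 0 allows SSL 3.0"))
    rc4 = [p for p in RC4_PREFS if prefs.get(p) is True]
    if rc4:
        findings.append(("RC4", "RC4 suites enabled: " + ", ".join(rc4)))
    tdes = [p for p in TDES_PREFS if prefs.get(p) is True]
    if tdes:
        findings.append(("3DES", "3DES suites enabled: " + ", ".join(tdes)))
    dhe_off = sorted(p for p, v in prefs.items()
                     if p.startswith("security.ssl3.dhe_") and v is False)
    if dhe_off:
        findings.append(("DHE_OFF", "DHE suites disabled: " + ", ".join(dhe_off)))
    hosts = [h.strip() for h in str(prefs.get(FALLBACK_PREF, "")).split(",")
             if h.strip()]
    if hosts:
        findings.append(("FALLBACK", "weak fallback allowed for: " + ", ".join(hosts)))
    return findings


# Constructed sample profile content (not from a real installation).
SAMPLE = '''\
// constructed sample
user_pref("browser.startup.homepage", "about:home");
user_pref("security.tls.version.min", 0);
user_pref("security.ssl3.rsa_rc4_128_sha", true);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.tls.insecure_fallback_hosts", "www.insecurebank.com,www.anotherbadsite.com");
'''

if __name__ == "__main__":
    for code, detail in audit(parse_prefs(SAMPLE)):
        print(f"[{code}] {detail}")
```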
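
The FAQ's point 3 says the DH key size is only known after a DHE cipher suite has been agreed, so the client has to check it and refuse. The following is an added example, not Pale Moon's code: it reads the prime from a TLS ServerKeyExchange handshake message (`ServerDHParams` layout of RFC 5246) and applies the 1024-bit minimum the FAQ states. It assumes a DHE suite was negotiated; `build_ske` and the primes are constructed test values with the right sizes only.

```python
import struct

MIN_DH_BITS = 1024          # minimum stated in the FAQ for Pale Moon 25.5+
SERVER_KEY_EXCHANGE = 12    # TLS HandshakeType server_key_exchange


def _read_vec16(buf, off):
    """Read one opaque<1..2^16-1> vector: 2-byte length, then the bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated vector length")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("empty or truncated vector")
    return buf[off:off + n], off + n


def dh_prime_bits(handshake_msg):
    """Return the bit length of dh_p in a DHE ServerKeyExchange message."""
    if len(handshake_msg) < 4 or handshake_msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(handshake_msg[1:4], "big")
    body = handshake_msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    dh_p, off = _read_vec16(body, 0)
    _dh_g, off = _read_vec16(body, off)
    _dh_ys, off = _read_vec16(body, off)   # a signature may follow; ignored here
    # Use the numeric bit length, not the byte count: a short prime can be
    # sent with leading zero bytes and would otherwise look larger than it is.
    return int.from_bytes(dh_p, "big").bit_length()


def check_server_dh(handshake_msg):
    """Return (acceptable, bits); acceptable is False below MIN_DH_BITS."""
    bits = dh_prime_bits(handshake_msg)
    return bits >= MIN_DH_BITS, bits


def build_ske(p_bytes, g=2, ys=5):
    """Constructed helper: wrap DH parameters in a handshake message."""
    def vec(b):
        return struct.pack("!H", len(b)) + b
    body = vec(p_bytes) + vec(bytes([g])) + vec(bytes([ys]))
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


# Constructed values: only the sizes matter, these are not real primes.
EXPORT_512 = build_ske(((1 << 511) | 1).to_bytes(64, "big"))
STRONG_1024 = build_ske(((1 << 1023) | 1).to_bytes(128, "big"))
PADDED_768 = build_ske(((1 << 767) | 1).to_bytes(128, "big"))  # zero-padded

if __name__ == "__main__":
    for label, msg in (("512-bit", EXPORT_512), ("1024-bit", STRONG_1024),
                       ("768-bit padded to 128 bytes", PADDED_768)):
        ok, bits = check_server_dh(msg)
        print(f"{label}: {bits} bits ->", "accept" if ok else "refuse connection")
```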

anixosees

Re: Why do some secure connections fail in v25.0.2?

Postby anixosees » Mon Oct 27, 2014 6:15 am

Thanks for disabling this by default and giving us the lowdown jic. Keep up the good work!

odrse

Re: Why do some secure connections fail in v25.0.2?

Postby odrse » Tue Oct 28, 2014 10:17 pm

Thanks for the reply. You are absolutely correct. Reducing the min security to SSL 3.0 allowed the page to load. This is the site for my banking, so is strange that they are so behind the times. I have IE Tab extension installed, so will just use it for accessing this site and leave the security settings at TLS. I will talk to my bank about it.
Thanks again

bawldiggle

Re: Why do some secure connections fail in v25.0.2?

Postby bawldiggle » Thu Nov 13, 2014 12:34 pm

Thanks for the link to this FAQ/thread :)

Should resolve trying to contact our state government department to renew vehicle registrations on line.
- they have closed all retail shop fronts in our city and registration renewal can only be done via internet or phone or snail mail.
Palemoon v27.4.2 (32-bit) w. Win-7 PRO x64

Llewelyn

Re: Why do some secure connections fail in v25.0.2?

Postby Llewelyn » Fri Nov 14, 2014 7:26 am

Makes sense. Now the fun starts, trying to persuade government depratments (not a typo) to update their servers... :(

Moonchild

Re: Why do some secure connections fail in v25.0.2?

Postby Moonchild » Fri Nov 14, 2014 1:16 pm

Llewelyn wrote: Makes sense. Now the fun starts, trying to persuade government depratments (not a typo) to update their servers... :(

Honestly, if their "secure" servers run into this issue, then they are already a "bit" overdue for updating their web server software/configuration. "Your secure servers aren't secure" should be a compelling argument, even for slow governments, to do something immediately.

Llewelyn

Re: Why do some secure connections fail in v25.0.2?

Postby Llewelyn » Sun Nov 16, 2014 8:26 am

I contacted the relevant department, will await a response...

meanwhile I also had a response from Wargaming.net but it's not impressive:

"Unfortunately, we cannot offer support for your browser; if the server is rejecting your connections, your two choices are to either re-enable SSL 3.0 (as the developer explains on that forum post) and try to log in again, or use a different web browser when browsing our premium shop, such as Firefox or Chrome."

In fact, I also hit this issue with another commercial site; I will contact them in due course.

I imagine that eventually, this issue will also arise with more "mainstream" browsers, when they get around to shutting down SSL 3.0, and then something might be done. In the meantime, the web is just less secure :roll:

Supernova

Re: Why do some secure connections fail in v25.0.2?

Postby Supernova » Sun Nov 16, 2014 2:33 pm

The next version of Firefox will disable SSL 3.0; probably the same for the next version of Chrome. They would do better to react now instead of waiting for their site to stop working for most of their customers...
Your political power is exactly equal to 0. That is... If you let those who steal it stealing peacefully.

chreid

Re: Why do some secure connections fail in v25.0.2?

Postby chreid » Thu Nov 27, 2014 2:11 pm

I have identical config settings [security.tls.version min 1 & max 3] in both PM 25.1.0 and FF 33.1.1. The min value in FF is user set [so not default, it seems].
A site which works in FF is rejected in PM [till I reset to max 2, which breaks another site!]. Even tried safe mode.
"The connection was interrupted" .

This has got me stumped :?
How can it work in FF and not PM with identical config?

Moonchild

Re: Why do some secure connections fail in v25.0.2?

Postby Moonchild » Fri Nov 28, 2014 10:03 am

chreid wrote: This has got me stumped :?
How can it work in FF and not PM with identical config?


Because Pale Moon is not Firefox.

What Firefox does is a rather crude "try, try again" with lower reported maximum supported TLS settings in this situation where secure renegotiation is not supported. This (unsafe) fallback allows Firefox to "connect at all costs" (the cost measured in terms of security, in this case) although it's not part of normal protocol negotiation or any standard. It's a "last ditch" effort to make the client connect to the server, regardless of repercussions if the server is misconfigured and unsafe. Pale Moon doesn't use this crude fallback method and requires a safe way of negotiating the protocol in accordance with the spec, and will throw a connection error if it can't be negotiated safely.
Because this is an unsafe workaround which can potentially be abused, people are now looking into creating "a workaround for the workaround" in SCSV (which is moot, see other threads on this forum about this) to try and make the unsafe workaround safer -- instead of requiring a safe method in the first place.

I've contacted the IETF about this, related to SCSV specifically, but they in general are unresponsive on this matter.

EDIT: As an aside, this kind of crude fallback makes server operators unaware of the problem on their server, so it is in fact promoting the continued use of unsafe server configurations, especially if the server operators say "it works in mainstream browsers, so it's not our fault" and don't do anything about it (or even investigate, for that matter).

ShalaMala

Re: Why do some secure connections fail in v25.0.2?

Postby ShalaMala » Mon Feb 02, 2015 5:17 pm

Is this Firefox's fallback mode something that can be switched on/off in about:config?
For example, can I switch it off also in Firefox, so it will behave the same way as Pale Moon - strictly rejecting unsafe connections, not "trying, trying again" as it does now?

Moonchild

Re: Why do some secure connections fail in v25.0.2?

Postby Moonchild » Tue Feb 03, 2015 12:04 am

ShalaMala wrote: Is this Firefox's fallback mode something that can be switched on/off in about:config?
For example, can I switch it off also in Firefox, so it will behave the same way as Pale Moon - strictly rejecting unsafe connections, not "trying, trying again" as it does now?

Nope. It's hard-coded into Firefox and cannot be switched off.

ShalaMala

Re: Why do some secure connections fail in v25.0.2?

Postby ShalaMala » Tue Feb 03, 2015 8:50 pm

What a shame! I'm not sorry for Firefox, but for Tor Browser. Those privacy-concerned guys use a modified Firefox version for their project and apparently it allows insecure connections...
I was planning to propose that they build their project on top of the Pale Moon base instead of Firefox, but saw that somebody already proposed it here https://blog.torproject.org/blog/tor-browser-402-released even if for reasons other than the secure connection issue. Hope they ditch that buggy & bloated FF soon :wave:

Moonchild

Re: Why do some secure connections fail in v25.0.2 and later

Postby Moonchild » Sat Mar 14, 2015 9:58 am

Updated the FAQ for the RC4 disabled issue people might run into in 25.3.

Moonchild

Re: Secure connection errors? **READ THIS FIRST!**

Postby Moonchild » Wed Sep 21, 2016 3:13 pm

Updated the FAQ for the Triple-DES disabled issue that people might run into starting 26.4.1