Sites like www.orangecountyscu.org fail to connect with no bypass, without RC4 settings not required by Firefox

Dan Harkless


Unread post by Dan Harkless » 2017-05-16, 01:45

As of Pale Moon 27.3.0, connections to sites such as https://www.orangecountyscu.org/ fail with:
Secure Connection Failed

The connection to www.orangecountyscu.org was interrupted while the page was loading.

• The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
• Please contact the website owners to inform them of this problem.
There is no "I Understand the Risks": "Add Exception" button, just a useless "Try Again" button. After reading the ssl error & TLS 1.2 thread and https://bugzilla.mozilla.org/show_bug.cgi?id=937555, I was able to get Pale Moon to connect to the site by setting security.tls.unrestricted_rc4_fallback and security.ssl3.rsa_rc4_128_sha to true. (No other workarounds worked.) These options no longer exist on Firefox 53.0.2, yet it successfully connects to the site without making any special settings, using "TLS_RSA_WITH_3DES_EDE_CBC_SHA, 112 bit keys, TLS 1.0".

Bug 937555 was fixed by changing server settings on addons.mozilla.org, but obviously I can't get this bank and other sites to reconfigure their servers to allow Pale Moon to successfully connect with secure TLS algorithms. Is there a timeline to merge in whatever Firefox code fixed TLS errors like this one?

--
Dan Harkless
http://harkless.org/dan/

GMforker


Unread post by GMforker » 2017-05-16, 05:50

AFAIK

See:
https://github.com/MoonchildProductions ... 22ecf8b025
(even if "security.ssl3.rsa_des_ede3_sha" == true, also "weak" == true)

See also:
https://www.ssllabs.com/ssltest/viewMyClient.html
For Firefox:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK
For Pale Moon 27.3.0+:
[nothing]

I suppose it's deliberate.

Moonchild


Unread post by Moonchild » 2017-05-16, 11:23

Triple-DES is disabled by default in Pale Moon because it is a weak cipher. Even if you enable it, you still have to add the host to the list of insecure fallback hosts (recommended to use the whitelist instead of allowing unrestricted fallback for all sites).

See also the FAQ "Secure connection errors? read this first!" on this forum.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
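
Added example, not part of the thread and not Pale Moon code: a small audit of a profile's `prefs.js`/`user.js` text that separates the global RC4 workaround from the first post from the per-host whitelist recommended in the reply above. The pref name `security.tls.insecure_fallback_hosts` is an assumption for "the list of insecure fallback hosts"; the sample pref lines are constructed.

```python
import re

# Pref names from the thread; FALLBACK_HOSTS is an assumed name (see lead-in).
RC4_FALLBACK_ALL = "security.tls.unrestricted_rc4_fallback"
RC4_SUITE = "security.ssl3.rsa_rc4_128_sha"
TDES_SUITE = "security.ssl3.rsa_des_ede3_sha"
FALLBACK_HOSTS = "security.tls.insecure_fallback_hosts"

# Matches active user_pref("name", value); lines; commented-out lines are skipped.
PREF_RE = re.compile(
    r'^[ \t]*user_pref\("([^"]+)",\s*(true|false|"[^"]*"|-?\d+)\s*\);', re.M)

def parse_prefs(text):
    """Return {name: value} for the user_pref() lines in prefs.js/user.js text."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def audit(text):
    """List weak-cipher workarounds found in a profile, broadest first."""
    prefs = parse_prefs(text)
    hosts = [h.strip() for h in str(prefs.get(FALLBACK_HOSTS, "")).split(",") if h.strip()]
    findings = []
    if prefs.get(RC4_FALLBACK_ALL) is True:
        findings.append("GLOBAL: unrestricted RC4 fallback applies to every site")
    if prefs.get(RC4_SUITE) is True:
        findings.append("SUITE: rsa_rc4_128_sha (RC4) enabled")
    if prefs.get(TDES_SUITE) is True:
        findings.append("SUITE: rsa_des_ede3_sha (3DES) enabled")
    if hosts:
        findings.append("SCOPED: fallback limited to " + ", ".join(sorted(hosts)))
    return findings

# Constructed samples: the first post's workaround, then the whitelist approach.
BROAD = ('user_pref("security.tls.unrestricted_rc4_fallback", true);\n'
         'user_pref("security.ssl3.rsa_rc4_128_sha", true);\n')
SCOPED = ('// user_pref("security.tls.unrestricted_rc4_fallback", true);\n'
          'user_pref("security.ssl3.rsa_des_ede3_sha", true);\n'
          'user_pref("security.tls.insecure_fallback_hosts", "www.orangecountyscu.org");\n')

if __name__ == "__main__":
    for label, sample in (("broad", BROAD), ("scoped", SCOPED)):
        print(label, audit(sample))
```

A `GLOBAL` finding means the workaround was left on for all sites; a `SCOPED` finding with no `GLOBAL` one is the narrower configuration.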
