Google sites broken on 28(fix - limit TLS to 1.2)

[moonbat]

Tried Gmail and the main Google page, what I get is

An error occurred during a connection to mail.google.com.

security library failure.

(Error code: SEC_ERROR_LIBRARY_FAILURE)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Is there a workaround - maybe changing SSL/TLS or allowed ciphers in the advanced settings?

Update: Set security.tls.version.max=3 in about:config, or if you have the Palemoon Commander addon, go to Tools->Advanced preferences->Security->SSL tab and set Highest supported protocol to TLS 1.2.

[Moonchild]

"Library failure" is a fault I have not seen before -- it suggests something is very wrong with NSS. Potentially something interfered with your update (antivirus perhaps) leaving old libraries in place.

I suggest trying to reinstall the browser.

[moonbat]

Uninstalled, reinstalled, same problem.

Edit: Happens with Facebook as well.
Edit 2:The sites work in safe mode. Both Google and Facebook show encryption information as AES-GCM, 128 bits and TLS 1.3. The other https sites that work, including this one, all use TLS 1.2. So could be a problem with TLS 1.3, unless someone can point to another TLS 1.3 site that works.

[Moonchild]

Okay, you may have something interfering with your secure connections (probably TLS 1.3 not being understood by whatever is interfering).

Two things to try:
1. preferred: check and disable any https filtering that might be going on in your firewall, antivirus, or whatnot.
2. limit TLS to v1.2 in the browser by setting security.tls.version.max to "3"

[moonbat]

Okay, you may have something interfering with your secure connections (probably TLS 1.3 not being understood by whatever is interfering).
2. limit TLS to v1.2 in the browser by setting security.tls.version.max to "3"

Thanks, that fixed it. Was able to set it using the advanced preferences addon instead of going to about-config, since it's all the same. So is this a regression with PM 28's TLS support?

[Moonchild]

No, it's not a regression.
TLS 1.3 is still not completely finalized so interop issues may occur.

[New Tobin Paradigm]

Hopefully, they are done changing the specification so that a future update will resolve the TLS 1.3 issues.

[Moonchild]

As an aside I have no problems using TLS 1.3 on either Google or Facebook with Pale Moon 28.0.0, so I do think it must be something specific to your setup, software running on your system, router or O.S. that interferes.

[moonbat]

Your screenshot looks like Windows 7, judging from the title bar. I'm on Windows 10 x64, so could be something there.

[Goodydino]

Can the browser not fall back to TLS 1.2 if there are problems with 1.3?

[Moonchild]

Can the browser not fall back to TLS 1.2 if there are problems with 1.3?

It can and it does, but not all problems are recoverable.

[moonbat]

Observation - I have a much older desktop, a Core 2 Duo with 2 GB RAM running 32-bit Windows 10 - and yesterday I booted it up after ages and upgraded PM to 28. This problem wasn't there with TLS max version set to 1.3, Google and Facebook loaded normally.

[tenseys]

I'm on Windows 10, and i don't have any problems with any sites.