ssl_error_rx_malformed_server_hello
Moderator: trava90
Forum rules
This board is for technical/general usage questions and troubleshooting for the Pale Moon browser only.
Technical issues and questions not related to the Pale Moon browser should be posted in other boards!
Please keep off-topic and general discussion out of this board, thank you!
Re: ssl_error_rx_malformed_server_hello
When the 32.1.1 TLS 1.3 protocol downgrade sentinel is invoked, it would be helpful to have an optional log to record instances of the malformed server hellos. Each instance recorded could have enough detail such that an automated script could then send information to a website administrator (email address obtained via a DNS inquiry) requesting that they fix the TLS 1.3 protocol downgrade errors.
I have talked with a CIO for a fix on their web site, but there are too many other web sites with a malformed hello response to follow up on with either a personal discussion or a manual email preparation process. For this website, I have suggested that the CIO validate the corrected malformed hello response by usage of the Pale Moon 32.1.1 release or later.
This is a wishlist item for sure.
Re: ssl_error_rx_malformed_server_hello
Nun2Swoon wrote: ↑2023-05-31, 00:13
When the 32.1.1 TLS 1.3 protocol downgrade sentinel is invoked, it would be helpful to have an optional log to record instances of the malformed server hellos. Each instance recorded could have enough detail such that an automated script could then send information to a website administrator (email address obtained via a DNS inquiry) requesting that they fix the TLS 1.3 protocol downgrade errors.
This falls squarely outside of the browser scope.
(One could, however, write an extension that does exactly that)
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: ssl_error_rx_malformed_server_hello
I get the same issue trying to log into my modem admin page. I try to connect with http://192.168.100.1 and PM changes it to https: then get the server error. Likely because Motorola(Zoom) has poor firmware. I can connect with Brave after accepting the warning about unsafe.
Re: ssl_error_rx_malformed_server_hello
You can use the workaround as posted in this thread and release notes.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: ssl_error_rx_malformed_server_hello
Thanks for the response. I'm unclear why I cannot connect without any security - http: vs https:. PM forces use and replaces http with https. I suppose I could use the changes described earlier about allowing a lower TLS level. With Brave or Vivaldi both allow the http://192.168.100.1 by noting the router has a security exception and prompting me to connect anyway. Why can't that work on a per site basis rather than use the TLS workaround for all sites? Will the change be potentially harmful?
Re: ssl_error_rx_malformed_server_hello
No, that would be your router doing this.
That means Brave and Vivaldi are not displaying the URL correctly, since security exceptions are not a thing for http:// addresses.
So you're actually connecting through https but those browsers don't show you.
This can't work because the error occurs at protocol negotiation time which is before the browser knows which hostname it is connected to. Protocol negotiation is the first thing that happens after establishing the network connection at the low level. Only after that is done, data like host name, certificates and encryption details are negotiated.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: ssl_error_rx_malformed_server_hello
Determined that almost every site I access which uses Let's Encrypt as its SSL Certificate issuer and is still using a prematurely {https://cloudraya.com/knowledge-base/fi ... rtificate/} expiring intermediate root certificate is always generating a "ssl_error_rx_malformed_server_hello" error in the latest Pale Moon browser (32.2.0).
Setting the security.tls.hello_downgrade_check to false allows me to get a more accurate message that Pale Moon is not happy with the "expired" Let's Encrypt certificate ("This Connection is Untrusted") and that an "exception" is needed to use this expired certificate.
Re: ssl_error_rx_malformed_server_hello
I had to alter security.tls.hello_downgrade_check to false because the browser won't otherwise let me visit a site with expired (abandoned) cert: https://helpin.red/
Re: ssl_error_rx_malformed_server_hello
In all recent PM versions I never had this issue, but now I tried accessing a site where it happens, using 32.4.1.linux-x86_64-gtk2:
Site https://ugetdm.com/features
Same with other pages, like https://ugetdm.com/screenshots and https://ugetdm.com/qa/faq
Secure Connection Failed
An error occurred during a connection to ugetdm.com.
SSL received a malformed Server Hello handshake message.
(Error code: SSL_ERROR_RX_MALFORMED_SERVER_HELLO)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Got these URLs from here: https://sourceforge.net/projects/urlget/
- Quick Links -
Features: https://ugetdm.com/features
Screenshots: https://ugetdm.com/screenshots
Blog: https://ugetdm.com/blog
Support: https://ugetdm.com/qa
Frequently Asked Questions (FAQs): https://ugetdm.com/qa/faq
RSS Feed: https://ugetdm.com/rss
GitHub: https://github.com/chhuang-one
Set security.ssl.enable_tls13_compat_mode to true - same error.
security.tls.version.max was set to 4. Setting it to 3 gets me this:
This Connection is Untrusted
You have asked Pale Moon to connect securely to ugetdm.com, but we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?
If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.
Technical details
ugetdm.com uses an invalid security certificate.
The certificate expired on 09/15/2023 01:59 AM. The current time is 10/14/2023 12:29 AM.
(Error code: SEC_ERROR_EXPIRED_CERTIFICATE)
Is it really an insecure connection? Is it safe to create an exemption? Did ugetdm.com not manage to renew its certificate in time?
Update
When creating an exemption for accessing https://ugetdm.com/ - is it the best (most secure) to re-set security.tls.version.max back to 4 after I am finished with ugetdm.com?
yours truly, Rava
Re: ssl_error_rx_malformed_server_hello
Strictly speaking: Yes, because it's an expired certificate that isn't valid (and could have been taken from an old install or somesuch), and you're on a lower TLS version than you should be. Practically speaking if it's still TLS 1.2 you're probably OK (if the cert expiration date is very recent) but the webmasters do need to fix this asap.
That usually doesn't help here. It's outdated info.
The issue is that there seems to be a fairly common misconfiguration that forces TLS downgrades on cert errors, which runs into the downgrade sentinel in our current NSS library.
What will help is setting security.tls.hello_downgrade_check to false to disable the downgrade sentinel, if you absolutely must connect to a server configured that way. Your TLS will still be downgraded to a potentially less secure protocol version, but it would allow you to connect without compromising TLS 1.3 on all other sites as well which the alternative setting does.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
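The "downgrade sentinel" referred to above is the mechanism from RFC 8446 section 4.1.3: a TLS 1.3-capable server that ends up negotiating TLS 1.2 or lower must overwrite the last 8 bytes of its 32-byte ServerHello.random with a fixed marker, and a TLS 1.3 client that sees that marker while landing on a lower version must abort the handshake. Pale Moon's security.tls.hello_downgrade_check pref switches that client-side check off, and security.tls.version.max = 3 avoids it by never offering TLS 1.3 in the first place. The following is an added example, not Pale Moon or NSS code, that parses a ServerHello record and applies the sentinel check; the two knobs sentinel_check and client_max are this example's stand-ins for the two prefs, and the ServerHello records it feeds itself are constructed by hand for the example.

```python
"""Detect the TLS 1.3 downgrade sentinel in a ServerHello (RFC 8446 section 4.1.3).

Added example, not code from Pale Moon or NSS. All records below are
constructed for this example; nothing is read from the network.
"""
import struct

# Sentinel values from RFC 8446 section 4.1.3: "DOWNGRD" followed by 0x01 or 0x00.
DOWNGRADE_TLS12 = bytes.fromhex("444f574e47524401")
DOWNGRADE_TLS11_OR_BELOW = bytes.fromhex("444f574e47524400")

HANDSHAKE = 22          # TLS record content type
SERVER_HELLO = 2        # handshake message type
EXT_SUPPORTED_VERSIONS = 43
TLS12 = 0x0303
TLS13 = 0x0304


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello; return version, random, cipher suite."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError(f"not a handshake record (type {ctype})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length mismatch")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO:
        raise ValueError(f"not a ServerHello (handshake type {hs_type})")
    sh = body[4:4 + hs_len]
    if len(sh) != hs_len or hs_len < 38:
        raise ValueError("handshake length mismatch")
    legacy_version = int.from_bytes(sh[:2], "big")
    random = sh[2:34]
    sid_len = sh[34]
    pos = 35 + sid_len
    cipher_suite = int.from_bytes(sh[pos:pos + 2], "big")
    pos += 3  # cipher_suite (2 bytes) + legacy_compression_method (1 byte)
    negotiated = legacy_version
    # A TLS 1.3 ServerHello keeps legacy_version = 0x0303 and carries the real
    # version in the supported_versions extension, so walk the extensions.
    if pos + 2 <= len(sh):
        ext_len = int.from_bytes(sh[pos:pos + 2], "big")
        ext = sh[pos + 2:pos + 2 + ext_len]
        while len(ext) >= 4:
            etype, elen = struct.unpack("!HH", ext[:4])
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                negotiated = int.from_bytes(ext[4:6], "big")
            ext = ext[4 + elen:]
    return {"version": negotiated, "random": random, "cipher_suite": cipher_suite}


def downgrade_check(record: bytes, client_max: int = TLS13,
                    sentinel_check: bool = True) -> str:
    """Client-side sentinel check. Returns 'ok' or the reason the handshake would be aborted.

    client_max models security.tls.version.max (TLS12 == the pref value 3);
    sentinel_check models security.tls.hello_downgrade_check.
    """
    info = parse_server_hello(record)
    if info["version"] >= TLS13 or client_max < TLS13 or not sentinel_check:
        # Sentinel is only meaningful when a 1.3-capable client lands below 1.3.
        return "ok"
    tail = info["random"][-8:]
    if tail == DOWNGRADE_TLS12:
        return "downgrade sentinel: server is TLS 1.3 capable but negotiated TLS 1.2"
    if tail == DOWNGRADE_TLS11_OR_BELOW:
        return "downgrade sentinel: server is TLS 1.3 capable but negotiated TLS 1.1 or below"
    return "ok"


def build_server_hello(version: int, random: bytes, cipher_suite: int = 0xC02F,
                       extensions: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (empty session id, no compression)."""
    assert len(random) == 32
    body = struct.pack("!H", version) + random + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, TLS12, len(hs)) + hs


# Constructed sample records for this example.
RAND_CLEAN = bytes(range(32))
RAND_WITH_SENTINEL = bytes(range(24)) + DOWNGRADE_TLS12
HONEST_TLS12 = build_server_hello(TLS12, RAND_CLEAN)            # plain TLS 1.2 server
MISCONFIGURED = build_server_hello(TLS12, RAND_WITH_SENTINEL)   # 1.3-capable server forcing 1.2
REAL_TLS13 = build_server_hello(TLS12, RAND_CLEAN,
                                extensions=struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, TLS13))

if __name__ == "__main__":
    for name, rec in [("honest TLS 1.2", HONEST_TLS12), ("misconfigured", MISCONFIGURED),
                      ("TLS 1.3", REAL_TLS13)]:
        print(f"{name:15} default prefs: {downgrade_check(rec)}")
    print(f"{'misconfigured':15} version.max=3: {downgrade_check(MISCONFIGURED, client_max=TLS12)}")
    print(f"{'misconfigured':15} downgrade_check=false: "
          f"{downgrade_check(MISCONFIGURED, sentinel_check=False)}")
```

The MISCONFIGURED record is the situation described in the thread: the server advertises TLS 1.3 capability through the sentinel yet hands back a TLS 1.2 ServerHello, so a client offering TLS 1.3 must treat it as a downgrade. Either stand-in pref makes the check pass, which is why the thread's two workarounds both "work"; the difference is that client_max applies to every site while sentinel_check only drops the one protection.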
Re: ssl_error_rx_malformed_server_hello
Moonchild wrote: ↑2023-10-13, 23:39
Strictly speaking: Yes, because it's an expired certificate that isn't valid (and could have been taken from an old install or somesuch), and you're on a lower TLS version than you should be. Practically speaking if it's still TLS 1.2 you're probably OK (if the cert expiration date is very recent) but the webmasters do need to fix this asap.
Anyhow, I accepted the exemption for https://ugetdm.com but now I want to remove it.
But I do not see it anywhere using "Preferences / Tab security"
Is there a file in my profiles folder that I need to delete? Or do I first have to stop Palemoon and then delete a certain file?
Tried sending ugetdm.com a message but that fails. On the form page it only says [recaptcha] (as in: plain text) instead of displaying a real recaptcha. And when trying to send the message it states
There was an error trying to send your message. Please try again later.
Tried again later several times to no avail.
But that site also says the site is made possible via https://tuxdigital.com so I sent a message about the cert issue on ugetdm via https://tuxdigital.com/contact/ … Maybe that gets a result.
yours truly, Rava
Re: ssl_error_rx_malformed_server_hello
I have Pale Moon 32.4.1 on 64-bit Windows 8.1. I entered classiccollision.com, which redirects to https://classiccollision.com/ I see:
Secure Connection Failed
An error occurred during a connection to classiccollision.com.
SSL received a malformed Server Hello handshake message.
(Error code: SSL_ERROR_RX_MALFORMED_SERVER_HELLO)
I set security.tls.hello_downgrade_check to false, allowed the security exception, and then I could access the site.
The certificate is not expired, and the technical details shows it is encrypted with TLS 1.3.
I am willing to contact the web master if the problem is with the site and not Pale Moon. But I would need to give the web master technical info about the problem and solution. I need help from Pale Moon forum users for this because I don't see what the web master did wrong. I would also like to understand this better in case I experience the same problem with other sites.
Re: ssl_error_rx_malformed_server_hello
I am having trouble signing in to my Asus router again. It has been a while since I have done that so I cannot be certain that the update to 32.5.1 is the source of the problem, but when I read in the release notes "Restricted protocol fallback for TLS" I thought, "this sounds familiar, I better check" and sure enough I could not sign in.
I don't get an error, but when I click sign-in it recycles the sign-in page without signing in. I set security.tls.version.max;3 but the problem remains. Is there a new work-around for this issue?
Re: ssl_error_rx_malformed_server_hello
Maybe try setting security.tls.hello_downgrade_check to false in about:config?
Nichi nichi kore ko jitsu = Every day is a good day.
Re: ssl_error_rx_malformed_server_hello
Then it is most certainly unrelated, since you're forcing TLS 1.2 in that case, completely bypassing the mechanism.
Have you tried clearing your cache and cookies?
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: ssl_error_rx_malformed_server_hello
I did that and now it works! Thank you, and I am sorry I wasted your time by not trying these first. I was convinced it would be a TLS thing again.