Sites like www.orangecountyscu.org fail to connect with no bypass, without RC4 settings not required by Firefox

Dan Harkless
New to the forum
Posts: 1
Joined: Tue May 16, 2017 1:16 am

Postby Dan Harkless » Tue May 16, 2017 1:45 am

As of Pale Moon 27.3.0, connections to sites such as https://www.orangecountyscu.org/ fail with:

Secure Connection Failed

The connection to www.orangecountyscu.org was interrupted while the page was loading.

• The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
• Please contact the website owners to inform them of this problem.


There is no "I Understand the Risks": "Add Exception" button, just a useless "Try Again" button. After reading the ssl error & TLS 1.2 thread and https://bugzilla.mozilla.org/show_bug.cgi?id=937555, I was able to get Pale Moon to connect to the site by setting security.tls.unrestricted_rc4_fallback and security.ssl3.rsa_rc4_128_sha to true. (No other workarounds worked.) These options no longer exist on Firefox 53.0.2, yet it successfully connects to the site without making any special settings, using "TLS_RSA_WITH_3DES_EDE_CBC_SHA, 112 bit keys, TLS 1.0".

Bug 937555 was fixed by changing server settings on addons.mozilla.org, but obviously I can't get this bank and other sites to reconfigure their servers to allow Pale Moon to successfully connect with secure TLS algorithms. Is there a timeline to merge in whatever Firefox code fixed TLS errors like this one?

--
Dan Harkless
http://harkless.org/dan/

GMforker
Lunatic
Posts: 364
Joined: Thu Aug 27, 2015 6:29 am
Location: Czech Republic

Re: Sites like www.orangecountyscu.org fail to connect with no bypass, without RC4 settings not required by Firefox

Postby GMforker » Tue May 16, 2017 5:50 am

AFAIK

See:
https://github.com/MoonchildProductions ... 22ecf8b025
(even if "security.ssl3.rsa_des_ede3_sha" == true, also "weak" == true)

See also:
https://www.ssllabs.com/ssltest/viewMyClient.html
For Firefox:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK
For Pale Moon 27.3.0+:
[nothing]

I suppose it's deliberate.

Moonchild
Pale Moon guru
Posts: 19679
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Re: Sites like www.orangecountyscu.org fail to connect with no bypass, without RC4 settings not required by Firefox

Postby Moonchild » Tue May 16, 2017 11:23 am

Triple-DES is disabled by default in Pale Moon because it is a weak cipher. Even if you enable it, you still have to add the host to the list of insecure fallback hosts (recommended to use the whitelist instead of allowing unrestricted fallback for all sites).

See also the FAQ "Secure connection errors? read this first!" on this forum.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.
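
The negotiation outcome discussed in this thread, as an added example that is not part of the original posts or of Pale Moon's code: it parses the cipher suite list out of a ClientHello record and checks it against a server's accepted suites, flagging RC4 and 3DES selections as weak. The client offers are constructed and simplified, the server list (RC4 and 3DES only) is an assumption inferred from the behaviour reported above, and all function and variable names are hypothetical.

```python
import struct

# IANA cipher suite code points relevant to this thread.
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
WEAK_MARKERS = ("RC4", "3DES")

def build_client_hello(suites):
    """Build a minimal ClientHello record (constructed test input, no extensions)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_suites(record):
    """Return the cipher suite code points offered in a ClientHello record."""
    if len(record) < 46 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32  # record header, handshake header, version, random
    pos += 1 + record[pos]  # skip the session id
    if pos + 2 > len(record):
        raise ValueError("truncated before cipher suite list")
    (size,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if size % 2 or pos + size > len(record):
        raise ValueError("malformed cipher suite list")
    return [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, size, 2)]

def negotiate(record, server_suites):
    """Return (suite name, is_weak) for the first server suite the client offered, else None."""
    offered = set(offered_suites(record))
    for code in server_suites:
        if code in offered:
            name = SUITES.get(code, hex(code))
            return name, any(m in name for m in WEAK_MARKERS)
    return None  # no common suite: the handshake fails

# Constructed, simplified offers; real browsers send longer lists.
FIREFOX_LIKE = build_client_hello([0xC02F, 0x002F, 0x000A])
PALEMOON_DEFAULT = build_client_hello([0xC02F, 0x002F])
PALEMOON_RC4_ON = build_client_hello([0xC02F, 0x002F, 0x0005])
LEGACY_SERVER = [0x0005, 0x000A]  # assumption: server accepts only RC4 and 3DES
```

Calling `negotiate()` with each constructed offer against `LEGACY_SERVER` reproduces the three cases in the thread: a weak 3DES session, no common suite, and a weak RC4 session.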