Secure Connection Failed…interrupted while the page was loading Topic is solved

[Agent Orange]

Trying to load any page at info.aiaa.org results in this:

(Pale Moon 27.1.1 x64 @ Mint 18)

The website loads fine in Firefox (51.0.1 x64 @ Mint 18):


…and in curl:

Code: Select all

$ curl -sLv https://info.aiaa.org/Regions/SE/HSV_AIAA/default.aspx > /dev/null
*   Trying 205.175.216.202...
* Connected to info.aiaa.org (205.175.216.202) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 704 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.0 / RSA_3DES_EDE_CBC_SHA1
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: www.aiaa.org (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: C=US,ST=VA,L=Reston,O=American Institute of Aeronautics and Astronautics\, Inc.,CN=www.aiaa.org
* 	 start date: Wed, 09 Sep 2015 00:00:00 GMT
* 	 expire date: Thu, 13 Sep 2018 12:00:00 GMT
* 	 issuer: C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA
* 	 compression: NULL
* ALPN, server did not agree to a protocol
> GET /Regions/SE/HSV_AIAA/default.aspx HTTP/1.1
> Host: info.aiaa.org
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 24 Feb 2017 21:32:15 GMT
< Server: Microsoft-IIS/6.0
< X-Powered-By: ASP.NET
< X-AspNet-Version: 2.0.50727
< Cache-Control: private, max-age=0
< Expires: Thu, 09 Feb 2017 21:32:14 GMT
< Last-Modified: Fri, 24 Feb 2017 21:32:14 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 244676
< 
{ [16064 bytes data]

I've seen this problem on several other websites, as well.

[dark_moon]

The connection failed because the website have a very bad SSL/ TLS security.
And firefox opens site at any costs, even if that compromise the user security.

See also viewtopic.php?f=24&t=6262 & https://www.ssllabs.com/ssltest/analyze ... o.aiaa.org

The server supports only older protocols, but not the current best TLS 1.2.
The server does not support Forward Secrecy with the reference browsers.

[Moonchild]

Most importantly, the server only supports ONE cipher suite, and that is one that is disabled in Pale Moon for being unacceptably weak:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112-bits

This cipher is vulnerable to the SWEET32 attack.

[dapgo]

I think i have the same problem or similar, loading a web from my company. Monitoring with developer tools/Network there is only a GET 200 packet of 0kb

However, Chrome and my old Swiss knife; Firefox v12 loads this webs perfectly.

Chrome
TLS 1.2
AES_128_GCM DHW_RSA
Verified by: COMODO RSA

and FF 12
AES-256 256bits keys
Verified by: COMODO CA Limited

and PM 27.1
Secure Connection Failed
The connection to the server was reset while the page was loading
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Is possible to force Palemoon to work in these webs even having insecure communication?
I understand that if the user receives a warning and decide to proceed it is not fault of FF/PM.

Otherwise many people will move to insecure browsers but working for them.

Most importantly, the server only supports ONE cipher suite, and that is one that is disabled in Pale Moon for being unacceptably weak:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112-bits

This cipher is vulnerable to the SWEET32 attack.

[coffeebreak]

I think i have the same problem or similar, loading a web from my company.

Is the problem with https://www.scribus.net mentioned in this post? If so, I can access it without trouble. And ssllabs rates it an 'A'.

If it's another site please provide a link. And please also post a copy of the warning message (between hide or code tags) so others can read it.

[coffeebreak]

and PM 27.1
Secure Connection Failed
The connection to the server was reset while the page was loading
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Sorry, was lost in a fog. :) But please do give a link or confirm the one I posted above.

[dapgo]

My post was referring to a internal web from my company, so there is no way to check from outside.

Regarding this internal web, FF12 can load it with success.
However i couldn't load https://www.scribus.net/ , neither FF12 or PM27 can load it

BTW, I am using foxyproxy addin with same configuration in PM27 and FF12 and Symantec EndPoint Protection is enabled in all computers

I think i have the same problem or similar, loading a web from my company.

Is the problem with https://www.scribus.net mentioned in this post? If so, I can access it without trouble. And ssllabs rates it an 'A'.

If it's another site please provide a link. And please also post a copy of the warning message (between hide or code tags) so others can read it.

[Agent Orange]

Why can I not say "Yes, continue to <site> (Unsecure)"?

I mean, not only is HTTP-over-plaintext still supported, but I can even click through to a straight-up MITM'd connection presenting an invalid (but fully "secure") certificate…why am I forced not to load a site because the SSL isn't airtight?

I mean, no matter what, TLS 1.0 is still as secure as HTTP. And I can load pages over HTTP.
If this were a page controlled by a literal attacker, even, I could still say "Yes, continue" (so long as the attacker provided the appropriate amount of "security").

So what's the deal with this? Why can I click through invalid certificates but not insecure ones? Why can I load insecure websites but not "improperly secured" ones?

[Moonchild]

The deal with this is that if a server operator sets up a secure server, they are making the commitment to have their server connection be, you know, secure. if the server operator doesn't commit to a current-standard level of security then they risk having their connections being refused by clients who do (and the other way around).

If there is no cipher overlap because there is no agreed cipher (client and server cannot agree on something that is acceptable by both) then there simply is no way to continue.

Also, invalid certificates you can only "click through" by adding a security exception where the page clearly states that you should know the implications of what you are doing. This is relatively low-threshold (assuming you understand what you are doing) because of the common-practice of self-signed certificates where encryption takes precedence over authentication for devices you are connecting to (e.g. on a LAN). There is, of course, no defense against PEBCAK in that situation, so yes, someone ignoring all the warnings can end up connecting to an attacker-controlled server, but only if they manually add an exception and take responsibility for doing so.

That aside, there is no problem with Scribus. Pale Moon 27.1.1 can connect to it just fine with definitely adequate security (TLS 1.2, AES-GCM, 128-bits encryption)

In fact, they don't accept TLS 1.1 or 1.0.
This can cause problems:

1. If you have previously changed the max-accepted TLS version to work around renegotiation problems.
2. If you are using a proxy that doesn't do TLS 1.2.
3. If your endpoint "security" intercepts your https traffic and it in itself for outbound connections doesn't support TLS 1.2

[dapgo]

New feedback, trying from a direct internet connectionm, then https://www.scribus.net/ works on Palemoon 27.1, even with the default parameters (TLS, cypher...)
However the computer is the same so, the Symantec suite cannot be the problem
So I understand that the problem can be the proxy, or some other networking hardware, which works in a different way for new Firefox browser and other browsers.