bug-gnuzilla

Re: [Bug-gnuzilla] Icecat SSL warning/error pages; what settings affect


From: List Master
Subject: Re: [Bug-gnuzilla] Icecat SSL warning/error pages; what settings affect the production of these 'error' pages?
Date: Mon, 27 Feb 2017 12:09:01 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.5.1

This is interesting.  I've been getting these same errors for a short while now, but ONLY when I'm on a poor Wi-Fi connection.  Here are a few things I've noticed:

1)  Sites that work well on a fast connection suddenly start to give me this error when I'm on a poor connection - seems like a time-out of some sort.  It gets worse if I try to load several such sites at once.

2)  If I toggle "Query OCSP responder servers to confirm validity of certificates" in Preferences -> Advanced -> Certificates  off and then back on quickly (meaning, the box starts out checked, I uncheck it and then re-check it before doing anything else), then "Try Again" or a refresh brings up the site without any issues.

3)  I am totally unable to reproduce this error in Iceweasel or any other Mozilla-based browsers, even while on a poor connection, so it's an Icecat-specific phenomenon.

Essentially, the "unsafe" sites load fine if the query doesn't time out first.  I've found that if I only load one site at a time, the errors are minimized, and if I move to a better Wi-Fi area (or hook up to Ethernet), then the problem goes away entirely.

My short-term workaround is to only load one SSL site at a time when I'm on a weak signal, or to toggle that OCSP setting quickly if it ever gives me an issue.  I never have to leave the setting off, just a quick toggle seems to be enough to reset the cache (or whatever is happening).

thanks,

- KRT

On 02/27/2017 07:32 AM, address@hidden wrote:
Thank you for the reply - most helpful.

Regards
Habs

On 27 February 2017 at 11:24, jc_gargma <address@hidden> wrote:
> Error code: SSL_ERROR_UNSAFE_NEGOTIATION
This error is due to the site not supporting RFC 5746.
Without it the browser has no way of knowing whether the site is vulnerable to
a potential MITM attack, and therefore assumes the connection is unsafe.

Contacting the site owners might help in the long run, though not all sites
are receptive to unsolicited security advice.

In the meantime, if you really need to access those sites, you can toggle
security.ssl.require_safe_negotiation
to false in about:config

> I did notice during one of these scenarios, that Firefox was reporting
> TLS1.0.  It led me to wonder if it is a settings issue on what level of ssl
> components are acceptable.
IceCat used to require at least TLS 1.2 by default.
It no longer does, but it's possible your settings are inherited from a
previous version.
In such a case, you may also need to set
security.tls.version.min
to 1

> In some cases, Icecat reports an unsafe/unencrypted session and no valid or
> invalid certificate is available, when Firefox states for the same page it
> is ok (and I can browse the certificate details etc).
>
> Is Icecat set up by default to be less forgiving towards what it receives
> SSL wise, bearing in mind I have not changed any ssl related settings in
> either browser?
Yes, but TLS 1.2 and cipher settings have been relaxed in recent versions due
to how many sites were broken by default.


-jc

--
http://gnuzilla.gnu.org



