Posting to mozilla-dev-tech-crypto instead. firefox-dev to bcc.
> On Apr 27, 2015, at 2:03 PM, Michael Peterson <michaelpeterson...@gmail.com> wrote:
>
> Firefox does not like our internal certificates. I'm trying to figure out why...
>
> tl;dr - Our internal IIS servers, signed with our internal CA, present a "Secure Connection Failed" page, with technical details that say "Connection Not Encrypted". The certificate is installed in Firefox's internal certificate store.
>
> Here are our certificates
> https://www.highlands.edu/site/is-certification-authority
> Unfortunately, we can't expose said internal servers for you to see the exact error page. Here are screenshots though. https://imgur.com/a/dmMdG
>
> The weird part of all this is that our internal certificates work fine on Apache (suggesting that the problem is IIS). However, our IIS servers work fine with any other certificates, such as third party (GeoTrust) or self signed (suggesting that the problem is the cert).
>
> If I add an exception, such as someinternal.highlands.edu under the about:config page to the "security.tls.insecure_fallback_hosts" then the site works.
>
> If I look at IIS error logs I see the following two errors over and over when I hit it with Firefox (but not Chrome, IE, Safari, etc):
>
>> An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
>
>> A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
>
> Now, in the album I posted above (https://imgur.com/a/dmMdG), the last two screenshots show a packet capture from Wireshark. It appears that Firefox does not support SHA512, which is kind of supported by this article (http://blogs.technet.com/b/silvana/archive/2014/03/14/schannel-errors-on-scom-agent.aspx).
>
> I'm not exactly sure this is true, and it seems like a silly thing for Firefox to drop support though (this previously worked), especially if every other browser in the world supports this.
>
> So there's everything we've found, and some of my assumptions. Does anyone know what is actually going on with Firefox? Is this a bug? Are we doing something wrong? How do we fix this?
>
> _______________________________________________
> firefox-dev mailing list
> firefox-...@mozilla.org
> https://mail.mozilla.org/listinfo/firefox-dev

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
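Added example, not from the thread or from any of the projects named in it: a small Python decoder for the two handshake artefacts the post mentions, the fatal alert with description code 40 (handshake_failure) and a captured TLS 1.2 ClientHello's signature_algorithms extension, so that one can confirm from the raw Wireshark bytes whether the client offered any SHA-512 pair at all. It assumes the RFC 5246 record and extension layout; the ClientHello used as input is constructed by `build_client_hello`, not taken from the capture.

```python
import struct

# RFC 5246 section 7.4.1.4.1 HashAlgorithm / SignatureAlgorithm ids, plus common alert descriptions
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 70: "protocol_version", 71: "insufficient_security"}

def parse_alert(record):
    """Decode a TLS Alert record (content type 21) into (level, description)."""
    ctype, _ver, length = struct.unpack("!BHH", record[:5])
    if ctype != 21 or length != 2:
        raise ValueError("not a TLS alert record")
    level, desc = record[5], record[6]
    return ("fatal" if level == 2 else "warning"), ALERTS.get(desc, "unknown(%d)" % desc)

def signature_algorithms(record):
    """Return the (hash, signature) pairs a ClientHello offers in its signature_algorithms extension (type 13)."""
    ctype, _ver, length = struct.unpack("!BHH", record[:5])
    if ctype != 22 or record[5] != 1:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]   # skip 4-byte handshake header
    pos = 2 + 32                                               # client_version + random
    pos += 1 + body[pos]                                       # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")        # cipher_suites
    pos += 1 + body[pos]                                       # compression_methods
    if pos >= len(body):
        return []                                              # no extensions block at all
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    pairs = []
    while pos < ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 13:
            n = int.from_bytes(data[:2], "big")                # length of the pair list in bytes
            for i in range(2, 2 + n, 2):
                pairs.append((HASH_NAMES.get(data[i], str(data[i])), SIG_NAMES.get(data[i + 1], str(data[i + 1]))))
    return pairs

def build_client_hello(sig_pairs):
    """Constructed minimal TLS 1.2 ClientHello (one suite, one extension) used as sample input, not a real capture."""
    sa = b"".join(bytes([h, s]) for h, s in sig_pairs)
    ext = struct.pack("!HHH", 13, len(sa) + 2, len(sa)) + sa   # extension type, length, list length
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"               # version, zeroed random, empty session_id
            + b"\x00\x02\x00\x2f"                               # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
            + b"\x01\x00"                                       # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs   # record type 22 = handshake
```

If the decoded pair list contains no `sha512` entry while the server certificate chain is signed with SHA-512, the SChannel log lines quoted above are the expected outcome rather than a cipher-suite mismatch in the usual sense.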