API GET call from mozilla invalid security certificate looks like cipher suite from certificate is not in the preference list


I have to make an API GET call from a website. Only from the Mozilla browser do I get the following error: "uses invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported"

When I tested the VIP through SSLLABS.com, I found out that the cipher suite returned from my certificate from the server is not in the preference list of Mozilla - https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=47&platform=Win%207&key=132

Could this be the issue? How do I add the required cipher suite in the certificate, and what steps should I follow?


All Replies (3)


Are you sure it's a cipher problem? The message doesn't mention ciphers. It is more characteristic of an incomplete chain problem (server not sending intermediate certificates). The SSLLabs diagnostic for the server should indicate whether the chain is complete or incomplete.

As for ciphers, Firefox may gradually add more cipher suites, but not quickly. I'm not aware of any way to inject your own ciphers into Firefox. It's much easier to change the ciphers on the server, assuming you control the server.

I saw a post the other day about the most common cipher suites selected by clients on one or more Mozilla servers. Might be interesting if you are looking at what has wide browser support: https://jve.linuxwall.info/blog/index.php?post/2016/08/04/TLS-stats-from-1.6-billion-connections-to-mozilla.org
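One way to test the incomplete-chain hypothesis from the reply above without waiting for an SSL Labs scan, as an added example that is not part of the original thread: parse the "Certificate chain" section printed by `openssl s_client -showcerts` and walk issuer names from the leaf to a root the client trusts. The certificate names, the sample output and the `ROOTS` set are constructed, and matching by name only is a simplifying assumption.

```python
import re

# Subject/issuer lines in the "Certificate chain" section of
# `openssl s_client -connect HOST:443 -servername HOST -showcerts` output.
SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")
ISSUER = re.compile(r"^\s*i:(.*)$")

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject, in_section = [], None, False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.strip() == "---":
            break  # end of the chain section
        elif in_section and SUBJECT.match(line):
            subject = SUBJECT.match(line).group(1).strip()
        elif in_section and subject is not None and ISSUER.match(line):
            chain.append((subject, ISSUER.match(line).group(1).strip()))
            subject = None
    return chain

def diagnose(chain, trusted_roots):
    """Walk issuer names up from the leaf (name matching only, an assumption)."""
    if not chain:
        return ("empty", None)
    issuer_of = dict(chain)
    subject, issuer = chain[0]
    seen = set()
    while issuer not in trusted_roots:
        if issuer == subject:
            return ("untrusted-root", subject)  # self-signed, not in the store
        if issuer not in issuer_of or issuer in seen:
            return ("incomplete", issuer)  # this certificate was not sent
        seen.add(issuer)
        subject, issuer = issuer, issuer_of[issuer]
    return ("complete", issuer)

# Constructed sample output (hypothetical names, PEM bodies omitted).
SAMPLE = """Certificate chain
 0 s:CN = api.example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---"""
ROOTS = {"CN = Example Root CA"}  # stand-in for the client's root store

if __name__ == "__main__":
    sent = parse_chain(SAMPLE)
    print("as sent:", diagnose(sent, ROOTS), "| leaf only:", diagnose(sent[:1], ROOTS))
```

An "incomplete" result names the certificate the server would need to add to its chain file; the cipher list plays no part in that outcome.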


Thanks for your response. I am not sure if it's a cipher problem, but from the SSLLABS test it's understood that the cipher suite returned from the server is not in the preference list of Firefox. I need help on what steps I need to take to inject the required cipher suite on the server for the certificate. The report also indicated there is no forward secrecy and session caching; not sure if this causes this issue?!

SSL Lab report:

Firefox 31.3.0 ESR / Win 7: Server closed connection
Firefox 46 / Win 7 R: Server closed connection
Firefox 47 / Win 7 R: Server closed connection
Forward Secrecy: No WEAK (more info)
Session resumption (caching): No (IDs assigned but not accepted)

Modified by itsdineshm


There are different methods for different servers. You might want to check the forum associated with the server software to see if they have suggestions or solutions on this.