We have difficulty trying to connect to our server using a browser. Google Chrome can connect, but Mozilla Firefox cannot.
Problem:
We have difficulty trying to connect to our server using a browser. Google Chrome can connect, but Mozilla Firefox cannot. This problem is related to the "Weak Diffie-Hellman and the Logjam Attack" (https://weakdh.org/)
Activity log, sequence of actions we have conducted to try and fix the problem, and things we already know:
1. Everything was fine.
2. Firefox complained about the weak Diffie-Hellman ephemeral key.
3. Firefox can no longer access our server.
4. But Google Chrome CAN STILL access it.
5. Found out about "Weak Diffie-Hellman and the Logjam Attack" (https://weakdh.org/).
6. Tested Firefox using their website, and it responded "Good News! Your browser is safe against the Logjam attack."
7. Tested Chrome using their website, and it responded that Chrome was vulnerable.
8. This explained why we could still access our server using Chrome.
9. Updated Chrome to the latest version.
10. Tested Chrome using weakdh.org, and it responded "Good News! Your browser is safe against the Logjam attack."
11. Tried accessing our site using Chrome, and it has the same error as Firefox.
12. Both Chrome and Firefox can no longer access the site at this point.
13. We followed the instructions located at https://weakdh.org/sysadmin.html for Apache Tomcat servers:
`ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA"`
14. The fix did not work for either Chrome or Firefox, still the same error.
15. We followed the instructions at http://stackoverflow.com/questions/30931692/diffie-hellman-public-key-error-with-tomcat-7:
`ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"`
16. The fix WORKED for Chrome BUT NOT for Firefox.
17. Firefox has error code: ssl_error_bad_cert_alert
18. We experimented with a smaller number of ciphers but none worked.
19. `ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"`
20. Same error for Firefox, still OK for Chrome.
**TECHNICAL DETAILS**
Certificate:
Signature algorithm: sha256RSA
Signature hash algorithm: sha256
Public key: RSA (2048 Bits)
Thumbprint algorithm: sha1
Environment:
Apache Tomcat 6.0
Java 1.6.0_34
Current server configuration:
<Connector port="443" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" keystoreFile="********.pfx" keystoreType="PKCS12" keystorePass="********" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>
All Replies (4)
You may have ad / mal-ware. Further information can be found in the Troubleshoot Firefox issues caused by malware article.
Run most or all of the listed malware scanners. Each works differently. If one program misses something, another may pick it up.
Type about:preferences#advanced<Enter> in the address bar.
Under Advanced, Select Network. Look for Configure How Firefox Connects and press the Settings button. If you are using a proxy, make sure those settings are correct. If there is no proxy, first use No Proxy. If there is a problem, then try System Proxy.
Some problems occur when your Internet security program was set to trust the previous version of Firefox, but no longer recognizes your updated version as trusted. To allow Firefox to connect to the Internet again:
- Make sure your Internet security software is up-to-date (i.e. you are running the latest version).
- Remove Firefox from your program's list of trusted or recognized programs. For detailed instructions, see Configure firewalls so that Firefox can access the Internet. {web link}
As a test, disable your protection programs.
Start Firefox in Safe Mode {web link} by holding down the <Shift> (Mac Options) key, and then starting Firefox. Is the problem still there?
Can you post a link to your website so we can check what is happening?
Does it work if you add the domain to the whitelist pref?
- security.tls.insecure_fallback_hosts
You can double-click the line to modify the pref and add the full domain (TEXT) to the value of this pref. If there are already websites (domains) in this list then add a comma and the new domain (no spaces). There should only be domains separated by a comma in the Value column (example.com,www.example.com).
You can toggle these prefs to false on the about:config page to disable the cipher suites that are involved with the Logjam vulnerability in case they are currently enabled.
- security.ssl3.dhe_rsa_aes_128_sha
- security.ssl3.dhe_rsa_aes_256_sha
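The three `ciphers` lists in the question and the two DHE prefs cor-el lists above are tied together in this added Python helper (not code from the forum, Tomcat or Mozilla). It classifies a Tomcat `ciphers` attribute by key exchange (ECDHE, DHE, plain RSA, or legacy/weak), reports which of the two Firefox prefs govern a DHE suite in the list, and, as an assumption noted in the comments, normalizes the weakdh.org spelling that omits `_CBC_` to the JSSE spelling Tomcat uses:

```python
import re

# Constructed samples: the short list from step 19 of the question (verbatim) and a few
# entries from the weakdh.org list in step 13; the full lists are in the question above.
STEP19_LIST = ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
               "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA")
WEAKDH_SAMPLE = ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,"
                 "TLS_DHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_RSA_WITH_AES_128_SHA256")

# The two about:config prefs cor-el mentions, keyed by the JSSE spelling of the suite each governs.
FIREFOX_DHE_PREFS = {
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "security.ssl3.dhe_rsa_aes_128_sha",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": "security.ssl3.dhe_rsa_aes_256_sha",
}

SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>[A-Za-z_]+?)_WITH_(?P<body>.+)$")
LEGACY = ("EXPORT", "NULL", "anon", "DES", "RC4")  # disable these regardless of key exchange


def canonical(name):
    """Assumption: JSSE names AES-CBC suites with '_CBC_' (e.g. TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
    the weakdh.org Tomcat list omits it, so AES_nnn_SHA / AES_nnn_SHA256 bodies get '_CBC_' inserted."""
    name = name.strip()
    prefix, sep, body = name.partition("_WITH_")
    if sep and re.fullmatch(r"AES_(128|256)_SHA(256|384)?", body):
        return prefix + sep + body.replace("_SHA", "_CBC_SHA", 1)
    return name


def audit(ciphers_attr):
    """Classify a Tomcat `ciphers` attribute value by key exchange, Logjam-style."""
    report = {"ecdhe": [], "dhe": [], "rsa": [], "weak": [], "respelled": [], "firefox_prefs": []}
    for raw in ciphers_attr.split(","):
        suite = canonical(raw)
        if suite != raw.strip():
            report["respelled"].append(raw.strip())   # not the JSSE spelling; Tomcat may not recognize it
        m = SUITE_RE.match(suite)
        if not m or any(w in suite for w in LEGACY):
            report["weak"].append(suite)               # export/null/anon/legacy: remove per weakdh.org
            continue
        kx = m.group("kx")
        if kx.startswith("ECDHE"):
            report["ecdhe"].append(suite)              # forward secrecy, not affected by weak DH groups
        elif kx.startswith("DHE"):
            report["dhe"].append(suite)                # strength depends on the server's DH group size
            if suite in FIREFOX_DHE_PREFS:
                report["firefox_prefs"].append(FIREFOX_DHE_PREFS[suite])
        elif kx == "RSA":
            report["rsa"].append(suite)                # RSA key transport: no DH at all, no forward secrecy
        else:
            report["weak"].append(suite)               # static DH/ECDH or unknown: treat as not wanted
    return report
```

Run `audit(WEAKDH_SAMPLE)` to see that the weakdh.org spelling is flagged under `respelled` while its DHE suites map to the two prefs, and `audit(STEP19_LIST)` to confirm the step 19 list contains no DHE suite at all.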
FredMcD said: (reply quoted above)
1.) Malware may not be the cause since this problem is affecting all our clients.
2.) We do not have a proxy. However, I've tried some proxy settings and all attempts did not work.
3.) I'm running the latest Firefox.
4.) I think this would not be an issue regarding firewalls since I can access other websites.
5.) I tried also running in Safe Mode and the issue is still there.
So just to summarize, the current situation is:
(1) Server passes Logjam tests
(2) Chrome connects
(3) Firefox gives the ssl_error_bad_cert_alert error
That's actually a very rare error on this forum and most of the posts relate to an issue with a client certificate accessing AKO mail, so that may not be relevant to your situation: https://support.mozilla.org/search/advanced?a=1&q=ssl_error_bad_cert_alert&sortby=1&w=2