Cerca nel supporto

Attenzione alle mail truffa. Mozilla non chiederà mai di chiamare o mandare messaggi a un numero di telefono o di inviare dati personali. Segnalare qualsiasi attività sospetta utilizzando l'opzione “Segnala abuso”.

Ulteriori informazioni

Questa discussione è archiviata. Inserire una nuova richiesta se occorre aiuto.

Firefox 35.0 is reporting SSLV3 security errors on site not using SSLV3 when will you fix this

  • 6 risposte
  • 14 hanno questo problema
  • 13 visualizzazioni
  • Ultima risposta di nukemjoe

more options

I was right in the middle of a transaction on chaseonline when firefox kicked me out and showed a page regarding SSLV3 security issues. When I booted this morning the firefox version was 34.0.5 after this happened the firefox version was 35.0. I did SSL site testing and that site is not using the SSLv3 protocol. See link below:

https://www.ssllabs.com/ssltest/analyze.html?d=chaseonline.chase.com

I have been using version 34 and higher for quite a while and have not had any problems accessing the chaseonline website until version 35 was installed.

I have not restarted the browser since this happened but my guess is the problem will continue. When will this be addressed?

I was right in the middle of a transaction on chaseonline when firefox kicked me out and showed a page regarding SSLV3 security issues. When I booted this morning the firefox version was 34.0.5 after this happened the firefox version was 35.0. I did SSL site testing and that site is not using the SSLv3 protocol. See link below: https://www.ssllabs.com/ssltest/analyze.html?d=chaseonline.chase.com I have been using version 34 and higher for quite a while and have not had any problems accessing the chaseonline website until version 35 was installed. I have not restarted the browser since this happened but my guess is the problem will continue. When will this be addressed?

Soluzione scelta

Thanks for the quick reply.

The website was not trying to redirect, I was typing in a secure mail message at the time.

I tried several times to relogin to my account and only got the generic message page about firefox not being able to securely access the site because of SSLv3 issues. During this time I never got past this point trying to login to the site.

During this time I now realize the browser was stuck between versions (34.0.5 and 35). Although I still don't know why 34.0.5 thru up this error when I had been using it for quite a while I was able to resolve the problem by closing and restarting my browser.

In other words I am now able to access the chase website without errors.

This is reason I rarely, if ever, allow software to auto-magically update itself in the background. I will be turning this off and installing updates manually.

Thanks for you comments and feedback!

Sa

Leggere questa risposta nel contesto 👍 0

Tutte le risposte (6)

more options

hi safoxusr, it is rather unlikely that firefox will show this alert in error. maybe chaseonline.chase.com was redirecting you to another domain during the transaction - can you note the exact domain the next time this happens? also, which security program are you using?

more options

Soluzione scelta

Thanks for the quick reply.

The website was not trying to redirect, I was typing in a secure mail message at the time.

I tried several times to relogin to my account and only got the generic message page about firefox not being able to securely access the site because of SSLv3 issues. During this time I never got past this point trying to login to the site.

During this time I now realize the browser was stuck between versions (34.0.5 and 35). Although I still don't know why 34.0.5 thru up this error when I had been using it for quite a while I was able to resolve the problem by closing and restarting my browser.

In other words I am now able to access the chase website without errors.

This is reason I rarely, if ever, allow software to auto-magically update itself in the background. I will be turning this off and installing updates manually.

Thanks for you comments and feedback!

Sa

more options

Starting Firefox 34.0 the vulnerable SSL 3.0 has been disable and TLS 1.0 is the minimum used by default. https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

Do you have Avast? as the https-scanning in Avast can actually make your connection less secure in some case and cause problems like this. So if you have Avast disable the https-scanning in Avast.

Modificato da James il

more options

I have also been seeing this issue on several sites as well. One was Facebook. After getting the message screen , a refresh took me to the site without further issues. I am using Firefox 35.0.1 and the security software is McAfee. This only started after upgrading to the latest Flash Player release , if that helps.

more options

Deleted - accidental dupe.

Modificato da rivulus il

more options

Confirmed this is a bug - kind of. Firefox is displaying a misleading error message.

If SSLv3 Protocol support is disabled on the server commonly the SSLv3 cipher suite is removed as well. The SSLv3 cipher suite also happens to be the TLSv1 cipher suite.

I encountered this bug on a web server that was configured to only use TLSv1.2, with no SSLv3 ciphers supported.

The cipherlist on the server at the time of the error:


openssl ciphers -v 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4-SHA:RC4-MD5:RC4+RSA:RC4:+HIGH:!MD5:!aNULL:!EDH:!MEDIUM:!EXP:!LOW:!eNULL:!ADH:!SSLv2'

ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD

The protocol list at the time of the error:

SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 +TLSv1.2

ssllabs also confirmed the only offered protocol was TLSv1.2 - and this stopped Firefox in its tracks.

This is fine, Firefox couldn't fall back to a TLSv1/1.1 cipher, but the error message claiming that it was the servers fault and that the server was configured to provide SSLv3 was extremely... annoying.

The fix for this was to alter the cipher suite in use on the server to include the SSLv3 ciphers. SSLv3 the protocol is still disabled, but at least now Firefox 35 can successfully fall back to a TLSv1/1.1 cipher.

Cipher suite for those google wanderers looking for a fix for this:

ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4-SHA:RC4-MD5:RC4+RSA:RC4:SSLv3:+HIGH:!MD5:!aNULL:!EDH:!MEDIUM:!EXP:!LOW:!eNULL:!ADH:!SSLv2

So it was an error, but the bug is the fact that Firefox is displaying the wrong error message.

Modificato da nukemjoe il