We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

ძიება მხარდაჭერაში

ნუ გაებმებით თაღლითების მახეში მხარდაჭერის საიტზე. აქ არასდროს მოგთხოვენ სატელეფონო ნომერზე დარეკვას, შეტყობინების გამოგზავნას ან პირადი მონაცემების გაზიარებას. გთხოვთ, გვაცნობოთ რამე საეჭვოს შემჩნევისას „დარღვევაზე მოხსენების“ მეშვეობით.

ვრცლად

Why does Firefox get "SecureConnectionFailed - PR_CONNECT_ABORTED_ERROR" when connecting to website that has the SHA1 hash disabled?

  • 1 პასუხი
  • 1 მომხმარებელი წააწყდა მსგავს სიძნელეს
  • 11 ნახვა
  • ბოლოს გამოეხმაურა jscher2000 - Support Volunteer

Security consultants have advised that cipher suites using the SHA1 hash are no longer considered secure and should not be enabled.

Using the nmap tool we can identify which cipher suites use the SHA1 hash.

On our webserver, (IIS version 8.5 on Windows 2012 R2 ) if we eliminate cipher suites that contain the SHA1 hash, the Firefox browser cannot browse the site. Error displayed = Secure Connection Failed - PR_CONNECT_ABORTED_ERROR We tested versions up to Firefox ( v75.0 ).

Other browsers such as Chrome and IE have no issues browsing our site with the SHA1 hash disabled.

Once the SHA1 hash is enabled, Firefox works fine. Seeking a solution that will satisfy the security folks and our Firefox users.

Security consultants have advised that cipher suites using the SHA1 hash are no longer considered secure and should not be enabled. Using the nmap tool we can identify which cipher suites use the SHA1 hash. On our webserver, (IIS version 8.5 on Windows 2012 R2 ) if we eliminate cipher suites that contain the SHA1 hash, the Firefox browser cannot browse the site. Error displayed = Secure Connection Failed - PR_CONNECT_ABORTED_ERROR We tested versions up to Firefox ( v75.0 ). Other browsers such as Chrome and IE have no issues browsing our site with the SHA1 hash disabled. Once the SHA1 hash is enabled, Firefox works fine. Seeking a solution that will satisfy the security folks and our Firefox users.
მიმაგრებული ეკრანის სურათები

ყველა პასუხი (1)

You can see the ones supported by Firefox by visiting this page in Firefox:

https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html

The ones in green text do not use SHA1. You'll notice 3 ciphers for TLS 1.3, then 3 ciphers for RSA (TLS_ECDHE_RSA) and 3 ciphers for ECDSA (TLS_ECDHE_ECDSA) certificates.

According to https://docs.microsoft.com/en-us/wind.../tls-cipher-suites-in-windows-8-1, you might not be able to connect using an RSA certificate: Windows Server 2012 R2 appears only to have "CBC" ciphers for SHA256 and SHA384, and Firefox only has "CBC" ciphers below that level. However, with an ECDSA certificate, there appears to be an overlap:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256