
FF 78.6.0 ESR SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

  • 14 replies
  • 1 has this problem
  • 390 views
  • Last reply by Mike Kaply

hey all,

I get the following error ONLY for internal websites (we have our own Windows CA): SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED. Yes, I could "ignore" the error, however this is not desired. I already compared the algorithm with some external certs (like Let's Encrypt). Same algorithm, no error....

Have already tried with several internal websites, but without success. Some information about the certificate:

- Algorithm: RSA 2048 key length
- Sign. Algorithm: SHA-256 with RSA Encryption
- V3

What is wrong? I have already tried a lot of things without success. Unfortunately, I no longer know what to do. We deploy the certificates (root+intermediate) via GPO (this works so far). We have the above mentioned problems only after switching from 68ESR to 78ESR.

Thanks in advance.


Modified by mostRecentlyA


All Replies (14)

SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED is associated with a recent wave of changes in major browsers. Specifically, they are starting to treat certificates signed with the SHA-1 algorithm as insecure. This is being phased in over time so it affects users unevenly.

If you want to revert to the default setting for this feature, you can make the following change temporarily (until Firefox 52, I believe):

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste pki and pause while the list is filtered

(3) If the security.pki.sha1_enforcement_level preference is bolded and "user set" to a value other than 4, right-click it and choose Reset to restore the value to 4, or double-click the preference, replace the current value with 4, and click OK

FredMcD said

> SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED is associated with a recent wave of changes in major browsers. Specifically, they are starting to treat certificates signed with the SHA-1 algorithm as insecure. This is being phased in over time so it affects users unevenly.
>
> If you want to revert to the default setting for this feature, you can make the following change temporarily (until Firefox 52, I believe):
>
> (1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
>
> (2) In the search box above the list, type or paste pki and pause while the list is filtered
>
> (3) If the security.pki.sha1_enforcement_level preference is bolded and "user set" to a value other than 4, right-click it and choose Reset to restore the value to 4, or double-click the preference, replace the current value with 4, and click OK

Hey thanks. Tried this already, no success.

I called for more help.


There is security software like Avast, Kaspersky, BitDefender and ESET that intercept secure connection certificates and send their own.

https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can

https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites

https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message

https://support.mozilla.org/en-US/kb/connection-untrusted-error-message

Websites don't load - troubleshoot and fix error messages

http://kb.mozillazine.org/Error_loading_websites

What do the security warning codes mean

In what year was this certificate issued? Does Firefox have a built-in root certificate for this certificate?

You can try security.pki.sha1_enforcement_level = 0

cor-el said

> In what year was this certificate issued? Does Firefox have a built-in root certificate for this certificate?
>
> You can try security.pki.sha1_enforcement_level = 0

security.pki.sha1_enforcement_level = 0 => no success, same problem.

- cert issued 12/2019 (valid for 2 years).
- yes, intermediate and root cert are in firefox (and also Windows) cert store. I double checked this already.

FredMcD said

> I called for more help.
>
> There is security software like Avast, Kaspersky, BitDefender and ESET that intercept secure connection certificates and send their own.
>
> https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
>
> https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
>
> https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
>
> https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
>
> Websites don't load - troubleshoot and fix error messages
>
> http://kb.mozillazine.org/Error_loading_websites
>
> What do the security warning codes mean

Hey thanks. I already removed the AV Client -> no success. All other Links didn't help me, thanks anyway.

As said before, I had no problems with the previous version of Firefox (68ESR). Anything should be new ...

Btw, is there any solution to edit trusted Server (section certificates) from GPO? I don't want to edit the exception for xxxx Clients^^

Modified by mostRecentlyA

For GPO you can check the certificates section on this page.

I will move this thread to Firefox for Enterprise.

Any other suggestions how to solve this problem?

So you're running into this problem because all DHE cipher suites were disabled in Firefox.

https://bugzilla.mozilla.org/show_bug.cgi?id=1496639

We have a new policy - DisabledCiphers - that will allow you to reenable it.

https://github.com/mozilla/policy-templates/blob/master/README.md

The particular cipher you need to enable is TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Mike Kaply said

> So you're running into this problem because all DHE cipher suites were disabled in Firefox.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1496639
>
> We have a new policy - DisabledCiphers - that will allow you to reenable it.
>
> https://github.com/mozilla/policy-templates/blob/master/README.md
>
> The particular cipher you need to enable is TLS_DHE_RSA_WITH_AES_256_CBC_SHA

my solution was to disable the setting "security.enterprise_roots.enabled", after this all internal websites are working. I deploy via Firefox-GPO the root and intermediate cert, install them in local Firefox certstore. But I don't know why this setting was the problem

Chosen solution

Mike Kaply said

> So you're running into this problem because all DHE cipher suites were disabled in Firefox.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1496639
>
> We have a new policy - DisabledCiphers - that will allow you to reenable it.
>
> https://github.com/mozilla/policy-templates/blob/master/README.md
>
> The particular cipher you need to enable is TLS_DHE_RSA_WITH_AES_256_CBC_SHA

my solution was to disable security.enterprise_roots.enabled (set to false). I install the certs via GPO into the firefox cert store. now, everything is fine.

> my solution was to disable security.enterprise_roots.enabled (set to false). I install the certs via GPO into the firefox cert store. now, everything is fine.

Interesting. That means that there was a problem with your Windows certs. Glad it's working.

Mike Kaply said

> > my solution was to disable security.enterprise_roots.enabled (set to false). I install the certs via GPO into the firefox cert store. now, everything is fine.
>
> Interesting. That means that there was a problem with your Windows certs. Glad it's working.

But Idk what exactly was wrong? As mentioned, the sign algorithm etc. seems ok.

my current setting is:

- install root and intermediate certs via gpo into firefox certstore
- tell firefox not to use the windows cert store (REG Key ImportEnterpriseRoots (which equals security.enterprise_roots.enabled) set this to FALSE)

So far, everything is ok.

If you recreate the problem and then get the certificate contents, we could debug.

Best to open a bug in bugzilla.mozilla.org