Firefox updates (in this case Version 28) cause ciphers mismatch

  • 3 replies
  • 2 have this problem
  • 4 views
  • Last reply by cor-el


Hi, I am using Solaris 10 above Tomcat 6. I installed the latest version of Firefox – version 28. In addition, I installed the ECC Cipher suite regarding to https://bugzilla.mozilla.org/show_bug.cgi?id=235773

I had a problem that causes a cipher mismatch whenever an update of Firefox is released and installed. This problem repeats itself and the solution was to remove the cipher that is not supported. Firefox update number 28 caused a mismatch. In order for the website to load and function properly I had to remove the TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA cipher.

The following ciphers are in use:

TLS_KRB5_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA

Currently, the site is not loaded via Firefox (Error_Code: ssl_error_internal_error_alert); however, it works perfectly under Chrome and IE.
Only after TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA cipher removal, the site returns to function.

This scenario also happened on Firefox build 26 (a month ago) and the solution was to remove TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA cipher.

1. Does Firefox support SSL Certificates for the ECC algorithm?
2. Do I need to remove all ECC ciphers in order for the websites to work properly?
3. Is there a recommended ciphers suite that I could use so I won't encounter these problems?

Thanks. Liran


Modified by cor-el

All Replies (3)


There have been more reports about this:

Possibly a consequence of this bug fix:

  • bug 936828 - Change order of cipher suites offered in client hello to match modern best practices

Please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html


Hi cor-el, thank you for the detailed solution.

I changed the security.tls.version.max on about:config from "3" to "0" and it solves the problem, but it seems the solution is not the recommended one.

You recommended to change the SSL cipher priority on Mozilla manually, or otherwise install the patch that will update the entire workstations.

Can you please provide some information on:

1. How to manually change the priority of the ciphers on about:config? (I found the article http://kb.mozillazine.org/About:config but I did not find how to make the change.)

2. I'm not familiar with the way I should install the patches (change-cipher-order-v2.patch, fix-comment.patch). As far as I know, the scripts should run on a Linux machine, but what if the workstation runs Windows? Should I write a PowerShell script?

Thanks again.


You can't use the about:config page to change the order of cipher suites.
You can only enable and disable cipher suites by toggling the pref.
I don't know that much about in what order Firefox will try to connect to a server after analyzing the server response, so I'm afraid that I can't help you.

You can try to ask in the crypto newsgroup.
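
An added example, not part of the thread and not Mozilla or Tomcat code: a small model of cipher-suite selection showing how a reordered client offer can make an unchanged server pick a different suite, and how disabling that suite or enforcing server preference changes the outcome. The client offer lists are constructed, and the position of the removed suite in the server list and the server following client order are assumptions; the model only shows which suite is selected, not why a handshake on that suite then fails.

```python
# Added illustration. The client offer lists are constructed for this example;
# they are not Firefox's real ClientHello contents.

def canon(name):
    """Java spells some suites SSL_*; the IANA name for the same suite is TLS_*."""
    name = name.strip().rstrip(",")
    return "TLS_" + name[4:] if name.startswith("SSL_") else name

def negotiate(client_offer, server_enabled, server_preference=False):
    """Return the suite the server would select, or None when nothing overlaps."""
    client = [canon(c) for c in client_offer]
    server = [canon(s) for s in server_enabled]
    ordered, other = (server, client) if server_preference else (client, server)
    allowed = set(other)
    return next((s for s in ordered if s in allowed), None)

def without(suites, removed):
    """Copy of a suite list with one suite disabled."""
    return [s for s in suites if canon(s) != canon(removed)]

REMOVED = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
# Server list as posted in the question, with the later-removed suite appended
# (its original position in the connector config is an assumption).
SERVER = [
    "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    REMOVED,
]
# Constructed client offers: same suites, different order.
OLD_OFFER = ["TLS_RSA_WITH_AES_128_CBC_SHA", REMOVED, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
NEW_OFFER = [REMOVED, "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

if __name__ == "__main__":
    for label, offer in (("old order", OLD_OFFER), ("new order", NEW_OFFER)):
        print(label, "->", negotiate(offer, SERVER))
    print("suite disabled ->", negotiate(NEW_OFFER, without(SERVER, REMOVED)))
    print("server preference ->", negotiate(NEW_OFFER, SERVER, server_preference=True))
```
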