How to bypass the "secure connection failed" warning in Firefox 33

74

18

Since installing Firefox 33 a "Secure Connection Failed" error is no longer bypassable using the "I Understand the Risks" button - it's gone!

Is it still somehow possible to ignore certificate errors? (e.g. for lazy use in local environments)
Error code: sec_error_invalid_key

Warnings

RienNeVaPlu͢s

Posted 2014-10-14T17:37:29.993

Reputation: 913

7 Are you 100% sure the two error messages are the same, because in my experience, they are not. – Ramhound – 2014-10-14T18:26:23.580

I'm leaning towards "different error" also. Just updated to Firefox 33 and the "Connection is Untrusted" dialog is unchanged for me. A change like you're suggesting (removal of user choice for invalid certificates) would break so much on web interfaces across corporate intranets, many parts on the Internet, and especially SOHO devices like cable modems and WiFi routers. It's more likely that there's an actual problem connecting to the server or something. Have you tried other HTTPS sites which have known-invalid certificates? – Iszi – 2014-10-15T07:04:22.213

It's also possible you're encountering a known bug which appears to have been around since FF 31. – Iszi – 2014-10-15T07:09:38.687

4 I can confirm that FF33.0 fails with (Error code: sec_error_invalid_key) on the same site that 32.0 worked on prior to upgrade, on the same client computer. It also still works on Ubuntu/Canonical FF30.0 as always. (same as the screenshots). – MattBianco – 2014-10-15T15:04:21.757

In my experience, the two are not the same. In the right image the connection failed and the server didn't respond at all, or was unreachable. – A.Grandt – 2015-11-25T08:29:34.000

Answers

35

Open Firefox's about:config

Set security.tls.insecure_fallback_hosts = www.domain.com (substitute the domain you're having the problem with)

Reload the page

wisbucky

Posted 2014-10-14T17:37:29.993

Reputation: 1 522

In which firefox version was security.tls.insecure_fallback_hosts added? – MattBianco – 2015-12-16T09:21:41.610

12 This did not work for me in Firefox 48.0 (GNU/Linux OS, if it makes a difference). – code_dredd – 2016-08-25T13:34:23.027

2 Not working in Firefox 53.0 Mac. Maybe has to do with me trying to whitelist an IP address, 192.168.1.219, and not a domain name. – sudo – 2017-05-08T17:58:06.830

2 So what version of FF is this answer applicable to? And how are you meant to add more than one website? Concatenate with commas, semi-colons? Surprising number of up-votes for a weak answer. – Adam – 2017-06-14T09:06:20.010

What if it's every host? – einpoklum – 2019-12-04T09:58:05.410

Works for me on MacOS Firefox 72 (64-bit) – Sahil Sharma – 2020-02-10T06:35:06.933

14

This problem has been reported to Mozilla in their support forum.

The reason is that Firefox 33 has fully switched to the more strict libPKIX and you can no longer disable this library and fall back to the previous NSS code.

See related Mozilla blog post and bug:

Bug 975229 - Remove NSS-based certificate verification

It appears that they will not change this behavior.

If your problem is like mine, on a webmin site, try recreating the certificate from inside webmin. It helped me get back the "make security exception" in FF 33.0!

MattBianco

Posted 2014-10-14T17:37:29.993

Reputation: 1 763

2

I can confirm that the recreation of the certificate brought back the old dialog as known from FF32 and below. Thank you Matt! For everybody else affected by this, here's a nice guide on how to recreate your certificate. – RienNeVaPlu͢s – 2014-10-15T16:17:35.973

10

I had the same issue with Webmin and Firefox 33. When I looked at the SSL certificate that Webmin was using, I found that it was using a 512 bit key! This must have been the default key size when I installed Webmin a couple of years ago.

Firefox 33 no longer supports keys less than 1024 bits (with good reason). See site compatibility

You can fix this right from Webmin if you use another browser that lets you bypass this type of error, or if you temporarily disable SSL in Webmin by setting ssl=0 in /etc/webmin/miniserv.conf and restarting Webmin with "/etc/init.d/webmin restart". Just log in to the Webmin web UI and select: Webmin -> Webmin Configuration -> SSL Encryption -> Self Signed Certificate. Fill in the form (or leave the defaults) and then click the Create Now button. If you temporarily disabled SSL, enable it with ssl=1 in /etc/webmin/miniserv.conf and restart Webmin with "/etc/init.d/webmin restart". This will update your self-signed certificate for Webmin and you will now be able to access the page from Firefox 33 (with the usual browser warning about an untrusted connection).

Aner

Posted 2014-10-14T17:37:29.993

Reputation: 271

6

Tried suggestion by @wisbucky but needed browser restart to bypass "Secure Connection Failed" error.

Steps followed were -

Open Firefox's config by typing following in address bar -

about:config

Search for security.tls.insecure_fallback_hosts and set it to

security.tls.insecure_fallback_hosts = hostname of site throwing error

aix

Posted 2014-10-14T17:37:29.993

Reputation: 181

4

For messages about a weak DH key, try toggling the following preferences (in Firefox's about:config):

  • security.ssl3.dhe_rsa_aes_128_sha
  • security.ssl3.dhe_rsa_aes_256_sha

This solved a "Secure Connection Failed" error I was seeing:

SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

palswim

Posted 2014-10-14T17:37:29.993

Reputation: 2 793

0

The Webmin initial self-signed SSL key is 512 byte.

Solution: using Chrome or Firefox, log in to Webmin; in Webmin Configuration -> SSL Encryption -> Self-Signed Certificate,

create a new SSL key and certificate for your Webmin server; for the RSA key size select the default (2048), and make sure 'Use new key immediately' is selected.

Then you can access Webmin using IE.

zer0

Posted 2014-10-14T17:37:29.993

Reputation: 11
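The root cause named in Aner's and zer0's answers is an RSA key below the 1024-bit minimum. The check below is an added example (not code from this thread, Webmin or Firefox) that reads the RSA modulus size out of a DER-encoded certificate with only the Python standard library; the function names and the unsigned sample certificate are constructed for illustration.

```python
MIN_RSA_BITS = 1024   # minimum RSA key size the answer above cites for Firefox 33
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption OID, DER-encoded

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                        # short-form length
        return tag, pos, pos + first
    n = first & 0x7F                        # long form: n length bytes follow
    return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element in buf[start:end]."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def rsa_key_bits(der):
    """RSA modulus size in bits of a DER certificate; None if the key is not RSA."""
    _, s, e = read_tlv(der, 0)                                   # Certificate
    _, s, e = next(children(der, s, e))                          # tbsCertificate
    fields = [f for f in children(der, s, e) if f[0] != 0xA0]    # skip [0] version
    _, s, e = fields[5]                                          # subjectPublicKeyInfo
    (_, a_s, a_e), (_, b_s, _) = list(children(der, s, e))[:2]   # algorithm, BIT STRING
    if not der[a_s:a_e].startswith(RSA_OID):
        return None
    _, s, e = read_tlv(der, b_s + 1)          # skip unused-bits byte -> RSAPublicKey
    _, m_s, m_e = next(children(der, s, e))   # modulus INTEGER
    return int.from_bytes(der[m_s:m_e], "big").bit_length()

def tlv(tag, body):
    """DER-encode one element; only used to build the constructed sample below."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(bits):
    """Constructed, unsigned certificate skeleton with a dummy `bits`-bit modulus."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, RSA_OID + tlv(0x05, b"")) + tlv(0x03, b"\x00" + rsa))
    empty = tlv(0x30, b"")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty * 4 + spki)
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for bits in (512, 2048):   # the old Webmin key size vs. the regenerated one
        print(bits, "ok" if rsa_key_bits(sample_cert(bits)) >= MIN_RSA_BITS else "too small")
```

For a real certificate, convert its PEM text with `ssl.PEM_cert_to_DER_cert()` and pass the resulting bytes to `rsa_key_bits()`.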

0

Another potential fix worth noting: In your about:config, your user profile may have some settings that have been corrupted.

One in particular that was noted here: security.tls.version.max

In particular, the discussion at the linked site points out that somehow the security.tls.version.max setting had been changed from its original value (3) to the new value of 1, and after that change, the user was not able to connect to certain sites that needed the newer Transport Layer Security.

One easy way to check if this is happening without first mucking around with your about:config is to try creating a fresh profile, by running firefox -P and then creating a new profile, and see if you can successfully visit the site.

pnkfelix

Posted 2014-10-14T17:37:29.993

Reputation: 176
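As a complement to the fresh-profile test above, this added example (not code from the thread or from Mozilla) scans the text of a profile's prefs.js for the TLS preferences named in the answers on this page and reports the ones that have been changed. The function names, the sample file contents and the baseline of 3 for security.tls.version.max (the value quoted in the answer above) are assumptions; pass the default of your own Firefox version.

```python
import re

# Prefs named in the answers above. prefs.js holds values set in the profile,
# so finding one of these there means it was changed from the shipped default.
FALLBACK_HOSTS = "security.tls.insecure_fallback_hosts"
TLS_MAX = "security.tls.version.max"
DHE_CIPHERS = ("security.ssl3.dhe_rsa_aes_128_sha",
               "security.ssl3.dhe_rsa_aes_256_sha")
PREF_LINE = re.compile(r'^user_pref\("([^"]+)",\s*(.*)\);$')

# Constructed sample of a profile's prefs.js (not taken from a real profile).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.tls.insecure_fallback_hosts", "www.domain.com, 192.168.1.219");
user_pref("security.tls.version.max", 1);
"""

def parse_prefs(text):
    """Map pref name -> value (str, bool or int) for every user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"'):
            prefs[name] = raw[1:-1]          # string pref; escapes left as-is
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
    return prefs

def audit_tls_prefs(text, baseline_tls_max=3):
    """Return [(pref, value)] for TLS prefs that were changed in this profile."""
    prefs, findings = parse_prefs(text), []
    hosts = [h.strip() for h in str(prefs.get(FALLBACK_HOSTS, "")).split(",") if h.strip()]
    if hosts:                                # comma-separated hosts allowed to fall back
        findings.append((FALLBACK_HOSTS, hosts))
    if prefs.get(TLS_MAX, baseline_tls_max) < baseline_tls_max:
        findings.append((TLS_MAX, prefs[TLS_MAX]))   # newer TLS versions disabled
    findings += [(c, prefs[c]) for c in DHE_CIPHERS if c in prefs]
    return findings

if __name__ == "__main__":
    for pref, value in audit_tls_prefs(SAMPLE_PREFS_JS):
        print(f"{pref} = {value!r}")
```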