In this article I will explain how to troubleshoot the Firefox "Secure Connection Failed" page that carries the message "Renegotiation is not allowed on this SSL socket" and the error code SSL_ERROR_RENEGOTIATION_NOT_ALLOWED.
Mozilla Firefox 4.* and later versions ship a security feature that blocks the TLS and SSL renegotiation vulnerability disclosed in 2009. That vulnerability lets an attacker who can intercept an HTTPS connection inject their own plaintext at the beginning of the conversation between a client and the web server.
With SSL/TLS renegotiation the attack runs roughly like this:
The attacker opens their own SSL/TLS session to the server and sends the beginning of a malicious HTTP request over it, deliberately left unfinished. When the victim connects, the attacker splices the victim's handshake into that session as a renegotiation, so the victim's encrypted request is appended to the attacker's partial request. The server sees one continuous plaintext stream and acts on it as if the whole request came from the victim, so the victim's cookies or credentials end up authenticating the attacker's data.
Many publications describe this as a man-in-the-middle attack, and the attacker does have to sit between the client and the server to splice the two handshakes together. What the attacker cannot do is decrypt or read any of the client-server communication exchanged between the two computers; the damage is limited to the plaintext prefix the attacker injects ahead of the victim's request.
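As an added illustration, not from the original article, the shell snippet below builds the plaintext the server ends up parsing when the attacker's unfinished request is followed by the victim's spliced-in request, then pulls out the pieces that matter: the request line the server executes, the cookie it authenticates that request with, and where the victim's own request line went. The bank hostname, the transfer path and the cookie value are constructed for the example.

```sh
#!/bin/sh
# Added illustration of the 2009 renegotiation prefix-injection; not code from
# the original article. Hostname, path and cookie value are constructed.

# What the attacker sends first, inside its own TLS session with the server.
# The last header is left without a value and without CRLF on purpose, so the
# server keeps reading the same request from whatever bytes arrive next.
attacker_prefix() {
    printf 'GET /account/transfer?to=attacker&amount=1000 HTTP/1.1\r\nX-Ignore: '
}

# What the victim sends once its handshake has been spliced in as a renegotiation.
victim_request() {
    printf 'GET /index.html HTTP/1.1\r\nHost: bank.example\r\nCookie: session=c0n5tructed\r\n\r\n'
}

# The server treats both as one plaintext stream; this is the request it parses.
spliced_request() {
    attacker_prefix
    victim_request
}

# Request line the server acts on: the first line of the stream, i.e. the attacker's.
request_line() {
    spliced_request | head -n 1 | tr -d '\r'
}

# Cookie header the server uses to authenticate that request: the victim's.
cookie_header() {
    spliced_request | tr -d '\r' | sed -n 's/^Cookie: //p'
}

# The victim's own request line is swallowed as the value of X-Ignore and never executed.
ignored_header() {
    spliced_request | tr -d '\r' | sed -n 's/^X-Ignore: //p'
}

echo "server executes : $(request_line)"
echo "authenticated by: Cookie: $(cookie_header)"
echo "victim asked for: $(ignored_header)"
```

The server never sees anything wrong at the TLS layer: the renegotiated handshake is genuine and the victim's certificate or cookie is genuine, which is why the fix (RFC 5746) binds the renegotiation to the previous handshake instead of trying to detect the injected prefix.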
If you administer such a server there are several ways to deal with this, for example updating the SSL/TLS implementation so that it supports the renegotiation indication extension (RFC 5746), which addresses the flaw in both protocols. Another way is to disable renegotiation altogether, which does the trick unless the server relies on renegotiation to request a client certificate. Since this is not the main purpose of this article, and in the next lines I will cover how to bypass or fix the Mozilla Firefox error, I encourage you to find more details on TLS and SSL at this link:
The first thing to understand is that this is not an error in the true sense of the word. It is a protective measure, built into Firefox, that keeps you from becoming an Internet victim of the attack described above.
Mozilla Firefox 3.* and any other version below Mozilla Firefox 4.* does not refuse unsafe renegotiation by default, so you would not encounter the message below:
If you have anything below Mozilla Firefox 4.* (unlikely, but still worth mentioning), you should upgrade to a later, ideally the latest, Firefox version. As soon as you install the new version and try to log in to a website using a certificate, or to any other reasonably secured page on a server that still performs SSL renegotiation without the secure renegotiation extension, you will encounter the message above: "Renegotiation is not allowed on this SSL socket". The error code, SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, marks this specific security risk.
How to bypass or overcome Secure Connection Failed ?
It depends on what you want to do and how much you are willing to trust the rest of the security available on your computer, network or company at the lower layers.
In other words, you have two options: disable the check for every site, or keep it and allow only the specific sites you need. Either one lets you continue your work, which means accessing the desired website.
FIRST SOLUTION
This is the more radical approach and it is NOT recommended: it disables the security feature that Mozilla Firefox has built in and enabled by default to prevent unsafe SSL renegotiation. You should first try the second solution described here: link to SECOND SOLUTION. The reason I start with this one is that in several cases the SECOND SOLUTION might not work as expected and you will have to temporarily disable this security measure to access the website.
You will have to change the value of the key below from FALSE to TRUE:
1. Type about:config in a new Mozilla Firefox tab; a page similar to the screenshot below should be displayed.
2. In the "Search" text field type the key name shown above and press Enter. When found, it should have its default value of FALSE.
3. Double-click anywhere on the row (highlighted in blue in the screenshot above) and the value toggles from FALSE to TRUE, as you can see below.
4. Close Mozilla Firefox and open it again. Try the website that was blocked before; it should work now. If you get the same error, re-check in about:config that the TRUE value has been saved. Set the key back to FALSE as soon as you no longer need it, because while it is TRUE every site you visit is exposed to the attack described above.
SECOND SOLUTION
You will have to manually add the websites you want to trust for SSL renegotiation.
To do this, follow the steps below:
1. Open the same about:config page as above.
2. Search for the key below in the about:config page:
3. Double-click anywhere on the row and a popup with a text input field will appear, as you can see below.
4. In that text box, type the hostnames of the websites you want to TRUST for SSL renegotiation. Use bare hostnames (no https:// prefix, port or path). If you have more than one to add, separate them with a comma as in the example below.
5. Confirm with OK and they will be added to the list of hosts trusted for SSL renegotiation. Now close Mozilla Firefox and open it again. Try the website links and they should work.
NOTE: If you decide to try the SECOND SOLUTION, make sure the key from the FIRST SOLUTION is back at its default value of FALSE; otherwise you cannot tell whether the per-host list is actually doing anything.
Whichever solution you use, report the error to the webmaster of the site or the admin of the server you were trying to reach. They should update the server's SSL/TLS implementation so that it supports secure renegotiation; once it does, the error disappears and the entry in your trusted list is no longer needed.
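The check a practitioner wants before whitelisting anything, and the evidence to hand to the webmaster, is whether the server really lacks the secure renegotiation extension. The openssl s_client tool reports this in its connection summary as "Secure Renegotiation IS supported" or "Secure Renegotiation IS NOT supported". The shell script below is an added example, not code from the original article: it classifies that summary, validates hostnames, and builds the value for the SECOND SOLUTION's preference together with the user.js lines that set it. The preference names security.ssl.renego_unrestricted_hosts and security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref are the ones documented on the Mozilla wiki page linked at the end of this article; the sample hostnames and the sample s_client output are constructed.

```sh
#!/bin/sh
# Added example, not from the original article. Preference names are those
# documented on https://wiki.mozilla.org/Security:Renegotiation; the sample
# hostnames and the sample openssl output below are constructed.

# Classify the connection summary that `openssl s_client` prints, read from stdin.
# Prints "secure" (server supports RFC 5746), "unsafe" (it does not) or "unknown"
# (no summary at all, e.g. the connection failed).
renego_status() {
    out=$(cat)
    case "$out" in
        *'Secure Renegotiation IS NOT supported'*) echo unsafe ;;
        *'Secure Renegotiation IS supported'*)     echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# Probe a live server (needs network and the openssl CLI). SNI is sent because
# extension support can differ between virtual hosts on the same address.
probe_host() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | renego_status
}

# Constructed stand-ins for the relevant lines of s_client output, so the rest
# of the script can be exercised offline.
sample_output_secure() {
    printf 'SSL handshake has read 3187 bytes and written 433 bytes\nSecure Renegotiation IS supported\nCompression: NONE\n'
}
sample_output_unsafe() {
    printf 'SSL handshake has read 3187 bytes and written 433 bytes\nSecure Renegotiation IS NOT supported\nCompression: NONE\n'
}

# The preference takes bare hostnames; reject anything else (scheme, path, port,
# spaces) so a typo does not whitelist the wrong site or silently break the list.
valid_host() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Build the comma-separated value for security.ssl.renego_unrestricted_hosts.
# Prints nothing and returns 1 if any hostname is malformed.
renego_hosts_value() {
    value=''
    for h in "$@"; do
        valid_host "$h" || return 1
        value="${value:+$value,}$h"
    done
    printf '%s' "$value"
}

# Emit user.js lines for the Firefox profile: the global bypass stays at its
# secure default (false) and only the listed hosts get unrestricted renegotiation.
userjs_lines() {
    hosts=$(renego_hosts_value "$@") || return 1
    printf 'user_pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", false);\n'
    printf 'user_pref("security.ssl.renego_unrestricted_hosts", "%s");\n' "$hosts"
}

# Offline demonstration with the constructed samples.
echo "sample secure server: $(sample_output_secure | renego_status)"
echo "sample unsafe server: $(sample_output_unsafe | renego_status)"
userjs_lines intranet.example.org vpn.example.org
```

To use it against a real host, source the file and run `probe_host intranet.example.org`; only hosts that come back as "unsafe" belong in the list, and a host that comes back "secure" but still triggers the error points at a problem other than the missing extension (for example a proxy or load balancer in front of the real server).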
If you would like to dig in a little deeper than the solution and short story presented here, you can read the technical and historical details of the whole process at https://wiki.mozilla.org/Security:Renegotiation