Solution to: Firefox: “Secure Connection Failed” and Chrome: “The site’s security certificate...”

The following post actually contains solutions to two separate problems. The problems are similar enough that I decided to combine them into one post.


While attempting to set up a PCI compliance scan for a customer, I fired up Firefox and headed over to the vendor's website, https://pcicompliance.merchant-info.com/pci_ipmt_login.aspx, and was surprised to see the following error message:

Secure Connection Failed

An error occurred during a connection to pcicompliance.merchant-info.com. Peer reports incompatible or unsupported protocol version. (Error code: ssl_error_protocol_version_alert)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem.

Further, there was no "click to ignore this message"-type button or link. Firefox was completely blocking my entrance to the site. Stranger still, Chrome displayed no error and happily allowed me access to the website. Weird.

Solution for Firefox

The problem above was due to the vendor's website using an out-of-date and insecure encryption protocol, TLS 1.0, and/or not supporting TLS 1.2. It was also using RC4 as a cipher suite, which is also considered weak (though I don't think Firefox cared). I find it quite telling that a PCI compliance vendor is asking me to stay secure, but can't seem to do so themselves. If you have this problem, you need to harden your server to support only strong encryption protocols. At the time of this writing, something like this would work:

Apache (mod_ssl):

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On

nginx:

ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Google Chrome

Even though Chrome allowed me access to the above website, when visiting other sites I would sometimes see a strikethrough on the "https:" part of the URL and view the following error when I clicked on it:

The site's security certificate is signed using a weak signature algorithm...

I eventually stumbled upon this message on one of my own websites, which was good, because now I could test.

Solution for Chrome

The above error was due to my SSL certificate having been signed using the SHA1 hash algorithm. Reissuing the certificate fixed the issue (I use namecheap.com for my certificates). Note that I used the following command to recreate the certificate:

openssl req -sha256 -new -newkey rsa:2048 -nodes -keyout ssl.key -out ssl.csr


Technically, I don't think I needed the -sha256 to secure the CSR. I believe that even if the CSR is encoded using SHA1, the certificate issued should still be SHA2 (assuming the trust provider is up-to-date). I haven't tested this, however. Eventually, you won't be able to view sites with certificates using the SHA1 algorithm. Here's Google's schedule for phasing out support for SHA1. There used to be a "Use TLS 1.0" checkbox in Firefox. I don't see it any longer, so if you have to get to a site that's using TLS 1.0, try Chrome for now.
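If you want to check a certificate for the weak signature Chrome complains about without relying on a browser, here is an added example (not from the original post) that reads the signatureAlgorithm OID straight out of a DER-encoded certificate; the fake_cert helper and the hex OID strings are constructed sample inputs, and in practice the DER would come from ssl.get_server_certificate on the host you administer.

```python
"""Flag X.509 certs whose signature digest is MD5 or SHA-1 (Chrome's 'weak signature
algorithm' case). Added example, not from the post. Assumes the leaf cert is DER bytes,
e.g. ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))."""

WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",  # the post's SHA-1 case
}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128; high bit set on all but the last byte of an arc
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID of Certificate.signatureAlgorithm (how the CA signed the cert)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)       # skip tbsCertificate as an opaque blob
    _, alg_id, _ = _read_tlv(cert, pos)  # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _read_tlv(alg_id, 0)     # its first element is the OID
    return _decode_oid(oid)

def weak_signature(der):
    """Name of the weak algorithm, or None if the signature digest is acceptable."""
    return WEAK_SIG_OIDS.get(signature_algorithm(der))

def _der(tag, body):  # short-form DER encoder, only for the constructed sample
    return bytes([tag, len(body)]) + body

def fake_cert(alg_oid_hex):
    """Constructed cert-shaped blob SEQ { tbs, sigAlg, sigValue }; not a real cert."""
    tbs = _der(0x30, _der(0x02, b"\x02"))  # dummy tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(alg_oid_hex)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xff"))
```

The outer signatureAlgorithm is the one the CA used, so this tells you whether a reissue (as described above) is needed; the digest named inside the CSR does not matter here.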
