Firefox

While attempting to set up a PCI compliance scan for a customer, I fired up Firefox and headed over to the vendor's website, https://pcicompliance.merchant-info.com/pci_ipmt_login.aspx, and was surprised to see the following error message:
Secure Connection Failed
An error occurred during a connection to pcicompliance.merchant-info.com. Peer reports incompatible or unsupported protocol version. (Error code: ssl_error_protocol_version_alert)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Further, there was no "click to ignore this message"-type button or link. Firefox was completely blocking my entrance to the site. Stranger still, Chrome displayed no error and happily allowed me access to the website. Weird.
Solution for Firefox

The problem above was due to the vendor's website using an out-of-date and insecure encryption protocol, TLS 1.0, and/or not supporting TLS 1.2. It was also using RC4 cipher suites, which are also considered weak (though I don't think Firefox cared). I find it quite telling that a PCI compliance vendor is asking me to stay secure, but can't seem to do so themselves. If you have this problem, you need to harden your server so that it offers only strong protocol versions and cipher suites. At the time of this writing, something like this would work:

Apache

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

Nginx

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
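Before deploying a protocol directive it helps to compute what it actually enables. The following is an added example (my own code, not from the original post or from either web server): it applies Apache's add/remove syntax for SSLProtocol and nginx's explicit list for ssl_protocols, then reports any enabled version older than a chosen minimum, so you can confirm the result matches the policy you intend (both lines above, for instance, still list TLSv1). It assumes Apache's ALL keyword expands to SSLv2 through TLSv1.2, which held for builds of that period; builds with TLS 1.3 support also include TLSv1.3 in ALL.

```python
# Added example, not part of the original post: evaluate what an Apache
# "SSLProtocol" or nginx "ssl_protocols" directive actually enables.
import re

# Oldest to newest; used to decide what counts as "older than the minimum".
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Assumption: what Apache's ALL keyword expanded to in builds of that period
# (builds with TLS 1.3 support also include TLSv1.3 in ALL).
APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Apache matches protocol keywords case-insensitively; map back to canonical names.
CANONICAL = {v.lower(): v for v in ORDER}


def apache_protocols(directive):
    """Apache starts from an empty set and applies each +/- token in turn,
    so 'ALL -SSLv2 -SSLv3' yields {TLSv1, TLSv1.1, TLSv1.2}."""
    m = re.match(r"\s*SSLProtocol\s+(.+)$", directive, re.IGNORECASE)
    if not m:
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for tok in m.group(1).split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            names = APACHE_ALL
        elif name.lower() in CANONICAL:
            names = {CANONICAL[name.lower()]}
        else:
            raise ValueError("unknown protocol keyword: %r" % name)
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled


def nginx_protocols(directive):
    """nginx lists the enabled versions explicitly, terminated by ';'."""
    m = re.match(r"\s*ssl_protocols\s+([^;]+);", directive)
    if not m:
        raise ValueError("not an ssl_protocols directive: %r" % directive)
    return set(m.group(1).split())


def below_minimum(enabled, minimum="TLSv1.2"):
    """Return the enabled versions older than `minimum`, oldest first."""
    return [v for v in ORDER[: ORDER.index(minimum)] if v in enabled]


if __name__ == "__main__":
    # The two directives from the post: both still enable TLSv1 and TLSv1.1.
    for line in ("SSLProtocol ALL -SSLv2 -SSLv3", "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"):
        parse = apache_protocols if line.startswith("SSLProtocol") else nginx_protocols
        print(line, "->", sorted(parse(line), key=ORDER.index), "older than TLSv1.2:", below_minimum(parse(line)))
```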
Google Chrome

Even though Chrome allowed me access to the above website, when visiting other sites I would sometimes see a strikethrough on the "https:" part of the URL and view the following error when I clicked on it:

The site's security certificate is signed using a weak signature algorithm...

I eventually stumbled upon this message on one of my own websites, which was good, because now I could test.
Solution for Chrome

The above error was due to my SSL certificate having been signed using the SHA-1 hash algorithm. Reissuing the certificate fixed the issue (I use namecheap.com for my certificates). Note that I used the following command to recreate the key and certificate signing request (CSR):
openssl req -sha256 -new -newkey rsa:2048 -nodes -keyout ssl.key -out ssl.csr