FF 78.6.0 ESR SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
hey all,
I get the following error ONLY for internal websites (we have our own Windows CA): SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED Yes, I could "ignore" the error, however this is not desired. I compared already the algorithm with some external certs (like Let's Encrypt). Same algorithm, no error....
Have already tried with several internal websites, but without success. Some information about the certificate: Algorithm: RSA 2048 key length Sign. Algorithm: SHA-256 with RSA Encryption V3
What is wrong? I have already tried a lot of things without success. Unfortunately, I no longer know what to do.We deploy the certificates (root+intermediate) via GPO (this works so far). We have the above mentioned problems only after switching from 68ESR to 78ESR.
Thanks in advance.
Wót mostRecentlyA
Wubrane rozwězanje
Mike Kaply said
So you're running into this problem because all DHE cipher suites were disabled in Firefox. https://bugzilla.mozilla.org/show_bug.cgi?id=1496639 We have a new policy - DisabledCiphers - that will allow you to reenable it. https://github.com/mozilla/policy-templates/blob/master/README.md The particular cipher you need to enable is TLS_DHE_RSA_WITH_AES_256_CBC_SHA
my solution was to disable security.enterprise_roots.enabled (set auf false). I install the certs via GPO into the firefox cert store. now, everything is fine.
Toś to wótegrono w konteksće cytaś 👍 0Wšykne wótegrona (14)
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED is associated with a recent wave of changes in major browsers. Specifically, they are starting to treat certificates signed with the SHA-1 algorithm as insecure. This being phased in over time so it affects users unevenly.
If you want to revert to the default setting for this feature, you can make the following change temporarily (until Firefox 52, I believe):
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste pki and pause while the list is filtered
(3) If the security.pki.sha1_enforcement_level preference is bolded and "user set" to a value other than 4, right-click it and choose Reset to restore the value to 4, or double-click the preference, replace the current value with 4, and click OK
FredMcD said
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED is associated with a recent wave of changes in major browsers. Specifically, they are starting to treat certificates signed with the SHA-1 algorithm as insecure. This being phased in over time so it affects users unevenly. If you want to revert to the default setting for this feature, you can make the following change temporarily (until Firefox 52, I believe): (1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful. (2) In the search box above the list, type or paste pki and pause while the list is filtered (3) If the security.pki.sha1_enforcement_level preference is bolded and "user set" to a value other than 4, right-click it and choose Reset to restore the value to 4, or double-click the preference, replace the current value with 4, and click OK
Hey thanks. Tried this already, no success.
I called for more help.
There is security software like Avast, Kaspersky,
BitDefender and ESET that intercept secure
connection certificates and send their own.
https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
Websites don't load - troubleshoot and fix error messages
http://kb.mozillazine.org/Error_loading_websites
In what year was this certificate issued ? Does Firefox has a builtin root certificate for this certificate ?
You can try security.pki.sha1_enforcement_level = 0
cor-el said
In what year was this certificate issued ? Does Firefox has a builtin root certificate for this certificate ? You can try security.pki.sha1_enforcement_level = 0
security.pki.sha1_enforcement_level = 0 => no success, same problem.
- cert issued 12/2019 (valid for 2 years). - yes, intermediate and root cert are in firefox (and also Windows) cert store. I double checked this already.
FredMcD said
I called for more help. There is security software like Avast, Kaspersky, BitDefender and ESET that intercept secure connection certificates and send their own. https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message https://support.mozilla.org/en-US/kb/connection-untrusted-error-message Websites don't load - troubleshoot and fix error messages http://kb.mozillazine.org/Error_loading_websites What do the security warning codes mean
Hey thanks. I already removed the AV Client -> no success. All other Links didnt help me, thanks anyway..
As said before, I had no problems with previous version of Firefox (68ESR). Anything should be new ...
Btw, are there any solution to edit trusted Server (section certificates) from GPO? I dont want to edit the exception for xxxx Clients^^
Wót mostRecentlyA
For GPO you can check the certificates section on this page.
I will move this thread to Firefox for Enterprise.
Any other suggestions how to solve this problem?
So you're running into this problem because all DHE cipher suites were disabled in Firefox.
https://bugzilla.mozilla.org/show_bug.cgi?id=1496639
We have a new policy - DisabledCiphers - that will allow you to reenable it.
https://github.com/mozilla/policy-templates/blob/master/README.md
The particular cipher you need to enable is TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Mike Kaply said
So you're running into this problem because all DHE cipher suites were disabled in Firefox. https://bugzilla.mozilla.org/show_bug.cgi?id=1496639 We have a new policy - DisabledCiphers - that will allow you to reenable it. https://github.com/mozilla/policy-templates/blob/master/README.md The particular cipher you need to enable is TLS_DHE_RSA_WITH_AES_256_CBC_SHA
my solution was to disable the setting "security.enterprise_roots.enabled", after this all internal websites are working. I deploy via Firefox-GPO the root and intermediate cert, install them in local Firefox certstore.. But I dont know, why this setting was the problem
Wubrane rozwězanje
Mike Kaply said
So you're running into this problem because all DHE cipher suites were disabled in Firefox. https://bugzilla.mozilla.org/show_bug.cgi?id=1496639 We have a new policy - DisabledCiphers - that will allow you to reenable it. https://github.com/mozilla/policy-templates/blob/master/README.md The particular cipher you need to enable is TLS_DHE_RSA_WITH_AES_256_CBC_SHA
my solution was to disable security.enterprise_roots.enabled (set auf false). I install the certs via GPO into the firefox cert store. now, everything is fine.
> my solution was to disable security.enterprise_roots.enabled (set auf false). I install the certs via GPO into the firefox cert store. now, everything is fine.
Interesting. That means that there was a problem with your Windows certs. Glad it's working.
Mike Kaply said
> my solution was to disable security.enterprise_roots.enabled (set auf false). I install the certs via GPO into the firefox cert store. now, everything is fine. Interesting. That means that there was a problem with your Windows certs. Glad it's working.
But Idk what exactly was wrong? As mentioned, the sign algorithm etc. seems ok.
my current setting is: - install root and intermediate certs via gpo into firefox certstore - tell firefox dont to use the windows cert store (REG Key ImportEnterpriseRoots (which equals security.enterprise_roots.enabled) set this to FALSE)
So far, everything is ok.
If you recreate the problem and then get the certificate contents, we could debug.
Best to open a bug in bugzilla.mozilla.org