Connection reset on http sites but not on https
There are several sites, on what seems to be an ever growing list, on multiple computers using Firefox ranging from versions 37.0.2 to the latest version that are getting a "Connection reset". (The different versions were used as part of the tests to find if the problem was related to a specific version of Firefox)
I initially thought the problem was related solely to the http vs https access but, whilst trying to access this support site, I found that both the http and https variants returned the same error.
http://forums.mozillazine.org/viewforum.php?f=38
For example, if I go to http://www.staticice.com.au I will get a Connection reset error. If I go to https://www.staticice.com.au the site loads and works fine. The same for http://www.dvdfab.cn and https://www.dvdfab.cn.
What is even more interesting (at least to me), is that if I connect via my VPN, the http variant will load and work fine.
I've worked though the solutions described in the below post but they have not resolved the issue for me.
https://support.mozilla.org/en-US/questions/1056868
There is nothing in my Windows firewall that I've added. I've tried with an empty hosts file, and I've even uninstalled and reinstalled firefox.
Athraithe ag Yanta ar
Réiteach roghnaithe
SOLUTION: Problem was in the router. Router provides for a keywords function to filter out sites by keyword. Keyword "google-analytics" was present. This caused the problem. More and more people are using that service.
There are other ways to block it, so removed from router firewall and problem solved.
Read this answer in context 👍 2All Replies (19)
I'm not seeing a "Connection reset" situation on any of these domains. Looks like the hosts of the HTTPS websites are playing loose with the rules of HTTPS security from what I am seeing.
No problem here - http://www.staticice.com.au/ - with Firefox 49.
Where - https://www.staticice.com.au/ - gives This Connection is Untrusted or Your connection is not secure message and doesn't allow the website to load. I got two slightly different explanations for that depending upon the version of Firefox I use.
Firefox 49 - www.staticice.com.au uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for the name www.staticice.com.au. The certificate expired on Sunday, August 25, 2013 2:37 PM. The current time is Saturday, November 26, 2016 6:15 PM. Error code: SEC_ERROR_UNKNOWN_ISSUER
Firefox 38.7.1 - www.staticice.com.au uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for Eric The certificate expired on 8/25/2013 2:37 PM. The current time is 11/26/2016 6:13 PM. (Error code: sec_error_unknown_issuer)
But basically the same cause with slightly different wording; expired certificate that is self-signed.
No problem with - http://www.dvdfab.cn/
https://www.dvdfab.cn/ Same "not secure" message. www.dvdfab.cn uses an invalid security certificate. The certificate is only valid for secure.dvdfab.cn (Error code: ssl_error_bad_cert_domain)
Which security suite are you using? It might be "messing with" certificates before the connections get thru to Firefox.
Thanks for your reply.
I use MalwareBytes. Other measures are taken via Windows Firewall, ACLs in my router and the Windows HOST file, none of which I would expect to cause this error. Also, my sons' PCs don't have the extensive HOSTs file that I have, but they are managed by the routers firewall rules.
Apart from the forums.mozilla.org https error I got, which was the exception to all others, this only happens to http sites. Once I add a security exception for the https sites if it throws an error, it is smooth sailing for those https site from then on.
My sons are telling me they are getting this with other sites too, but they're not here at present to ask exactly which ones. As soon as I can track them down I'll provide the URLs.
Also, as soon as I connect via my VPN client (Using L2TP/IPSec), the http sites are fine.
Athraithe ag Yanta ar
Sorry, your problems are far beyond my level of knowledge.
Hello Yanta, the-edmeister. If you are not connected via VPN client, are you using a proxy ?
thank you
Does it matter. You are able to use the http sites that are not secure. That is suitable if you wish to view the sites.
If you could get the https sites without them resetting they would still not be secure anyhow. Probably not sites that you should trust with payment details. Even if the names matched they do not get the highest of security ratings
- https://www.ssllabs.com/ssltest/analyze.html?d=www.dvdfab.cn
- https://www.ssllabs.com/ssltest/analyze.html?d=www.staticice.com.au
The second one having a certificate that expired more than three years ago.
It appears that the sites you see as reset connections are not safe, so (although only conjecture on my part) maybe you could have security software or hardware that is blocking them.
With all due respect;
Does it matter? Gosh, when the list of sites is growing, yes. I am not the only one having this problem here, I just gave a couple of examples, I wasn't going to post the list of over two dozen sites.
It looks to me as if you have misunderstood. The http sites are being reset. The https versions are NOT.
When you click on a link on a web page that takes you to a http site that then says connection reset you have to then use the https site IF ONE EXISTS for that site and then possibly add a security exception.
That's not how things are supposed to work. You click on a link, assuming the site is still live, it displays the web page.
"connection reset" on an ever growing list of innocuous sites is not something we should say "to hell with. Let's just live with it".
The only software - Malware bytes. There are no ACLS in the router, or rules in the Windows Firewall.
Yes I did misunderstand, but if the issue is you can not connect to http that is even less of a problem.
Can you give a couple of examples each of
- http (none-secure) sites that you are unable to connect to that do NOT have an https alternative.
- https secure sites that you can connect to without problems, and without needing to set exceptions in Firefox. For instance did you need to set an exception for this forum site https://support.mozilla.org in Firefox and for YouTube https://www.youtube.com/
- The question then is why ?
- What happens when you specifically remove those exceptions, in Firefox; exactly what error or error message do you then get ?
You did mention an extensive Hosts file. Is that something you have modified and extended yourself for some reason, or is software modifying that - in which case what is that software ? (I do note you tried with an empty Hosts file - but would it stay empty ? )
What happens when you try Internet Explorer does that behave as expected and not have this sort of problem ?
Terribly sorry for the delay in responding. Other life matters have had to take priority.
Anyway, Obviously sites that auto redirect to https (Like Google and YouTube), do not have a problem.
For the most part https sites (With the exception with the occasional site with certificate errors), do not have a problem
Again, this is the scenario. I do a Google search and click on a result, or I click on a link on a webpage. Those links point to http websites. The website gets the connection reset error. I then have to manually edit the URL and change to https. If a https doesn't exist I'm screwed. I can't look at the site without connecting via a VPN.
Here's a more extensive set of examples....
http://www.staticice.com.au http://www.dvdfab.cn/ http://forums.mozillazine.org/viewforum.php?f=38 http://www.lmc.com.au/ http://readingcinemas.com.au/home http://thetvdb.com/ http://www.gskill.com/en/ http://www.mrexcel.com/forum/ http://au.billion.com/ http://www.adsl2exchanges.com.au/ http://www.gcflearnfree.org/windows10/getting-started-with-windows-10/1/ http://www.yamicsoft.com/windows10manager/product.html
Take a look at http://www.adsl2exchanges.com.au/ and https://www.adsl2exchanges.com.au/
Off the VPN the https Firefox does not load the site properly. There is no formatting. The http version gets the connection reset error. ON VPN both versions work properly.
Landmark Computers (lmc.com.au): OFF VPN the https:// redirects back to http which gets a connection reset error. ON VPN the https site redirects back to http and loads perfectly.
Also, I don't trust chrome browser so I won't ever load it on my PC, but I did load it on my test PC, which is the same configuration as my PC (Albeit with less memory and a smaller SSD), and none of the sites listed had problems of any kind on or off VPN.
John99 said
Yes I did misunderstand, but if the issue is you can not connect to http that is even less of a problem.
How is that less of a problem? Let's say for example, I'm looking for a response to a post on MrExcel.com to an excel issue I was having. Let's assume they had no https version. Attempts to get at the http version all result in connection reset. I cannot access the site. How is that less of a problem?
Hopefully that will give you enough info.
Athraithe ag Yanta ar
I can say that all those links work ok for me and do not redirect. I had initially wondered if the problem links were only sites that somehow seemed incorrectly configured, but that is not the case.
Possibly you have some complicated setup that I will not understand. You did say you are using no proxy. So what is the situation your problem computer is connected directly to a router by ethernet cable or WiFi ?
You do say that it works using your VPN but not otherwise which sounds counter intuitive. I do not think I have sufficient knowledge to help here, but I get a suspicion that your Network|Proxy|VPN setup is involved with this problem or some thirdparty software.
Maybe others can help, but it does not look as if your problem is directly due to any fault with Firefox. You may find those at Mozillazine are better able to sort out this. If you do post on their forum let us have the link I would be interested to follow this problem
A couple of closing thoughts
- What happens when you try the numerical IP Addresses. For instance www.mozillazine.org http://140.211.166.9 or
adsl2exchanges.com.au http://203.29.124.139
Does that sort of address get through ok ? - What about considering Google's (There may be alternatives) free public DNS see
- https://developers.google.com/speed/public-dns/
- I guess you will need to go through your VPN to see those https pages ;-)
So although I may not know how to solve the issue that's a couple of workrounds that may help until you do resolve this, or you may discover a problem in your Network settings whilst looking at the above guide.
Thanks for sticking with this.
John99 said
So what is the situation your problem computer is connected directly to a router by ethernet cable or WiFi ?
This affects most, if not all computers in the house. Problem persists with versions 37.0.2 through to latest version so I'd be inclined to agree with your closing statement "This does not seem to be a FIrefox problem" (Well I guess a problem could persist if not discovered).
As to the configuration; I have fibre to the premises. Connects to a network terminating device, which then connects via ethernet to my ASUS RT-AC87U. That connects to a gigabit switch which provides connectivity via a patch panel and internal house wiring. All cat6. We do use WiFi but only for the cell phones.
The Internet connection is through Optus (Singtel), and connects via IPoE with a DHCP address @ 100d/40u speeds. Each PC has a DCHP IP address reservation and the PCs are set to DHCP. Unless the boys spoof the MAC address they will always get the same IP.
The DNS servers are OpenDNS (208.67.220.220 and 208.67.222.222), and are specified in the router so they cannot be overridden. Google is untrustworthy and is not used. Indeed, the Google's DNS servers are actually blocked in the router.
IPs outside the range used for DHCP reservations are also blocked at the router, and there are no spare DHCP addresses to stop casual people connecting to the network.
You do say that it works using your VPN but not otherwise which sounds counter intuitive.
Indeed! I can access the http pages using the VPN.
However, rather than install 3rd party software for the VPN i've chosen to use L2TP and IPSec for the connections. This is supported natively in Windows 7 and requires no software of any kind to be installed to make it work. I know OpenVPN is more secure, but my VPN provider uses the Ruby Interpreter which my malware and Virus programs detect as a virus (as well they should), and it needs 8 processes just to create a connection. Absurd :)
but I get a suspicion that your Network|Proxy|VPN setup is involved with this problem or some thirdparty software.
That sounds reasonable since there are no issues when connected to the VPN.
What happens when you try the numerical IP Addresses. Does that sort of address get through ok ?
No. Exactly the same problem.
What about considering Google's (There may be alternatives) free public DNS
See earlier in reply.
I guess you will need to go through your VPN to see those https pages ;-)
Lol. Actually. To see the "http pages". They https work fine if there is one for the site.
or you may discover a problem in your Network settings whilst looking at the above guide.
Thanks for the info. I'll do all the things you've suggested.
tanya
You are going to need someone far more knowledgeable than me. No doubt you can think of other fora yourself but in addition to Mozillazine Stack Exchange are usually pretty good at providing answers So maybe consider
- https://superuser.com
- Network Engineering https://networkengineering.stackexchange.com/
Good luck.
I'm not a network engineer by any stretch of the imagination and Network Engineering https://networkengineering.stackexchange.com/ is for Network Engineers. I think I'd be called out pretty quickly.
I have posted on Mozillazine, and again, if this is not a Firefox issue, I think I will make little progress, I posted there but after a considerable amount of time, the post has not been approved, so I'm guessing I won't get any help from there.
I did manage to post on superuser. Link: http://superuser.com/questions/1157016/connection-reset-error-visiting-http-pages-https-work-fine
You should not make multiple posts about the same subject on Mozillazine, but I would have thought this would be on topic in either
- Firefox Support http://forums.mozillazine.org/viewforum.php?f=38
- Web Development / Standards Evangelism Web
- I know the site does sometimes go down, and may take a while to register new posters but it seem to be working ok today. See also
- MozillaZine Site Discussion Moderation / Spam / Login Activation Requests Post in that thread if you are having problems registering.
Update
- Post apparently Connection has been reset on http only
http://forums.mozillazine.org/viewtopic.php?f=38&t=3026019
Sorry not trying to imply you were double posting. Just suggesting two forum sections for you to choose from.
Athraithe ag John99 ar
John99 said
You should not make multiple posts about the same subject on Mozillazine,
??? I don't believe I did. I made one post. It took about 4 or 5 hours to get approved.
I had no problems registering. Took about 10 minutes, but was problem free.
The other post was on Superuser
Athraithe ag Yanta ar
John99 said
You may find those at Mozillazine are better able to sort out this. If you do post on their forum let us have the link I would be interested to follow this problem
This is why I posted there...
Are you using any extension that forces a secure connection?
Note that not all servers have a certificate installed and in such a case the hosting company might send its own certificate instead, which of course didn't match. In such a case you need to enter the website via an open HTTP connection.
Réiteach Roghnaithe
SOLUTION: Problem was in the router. Router provides for a keywords function to filter out sites by keyword. Keyword "google-analytics" was present. This caused the problem. More and more people are using that service.
There are other ways to block it, so removed from router firewall and problem solved.
Great that you solved the issue. Thanks for posting back.