Hi, I have a problem with firefox trying to connect to a page of my university (address below). This is the error message: Secure Connection Failed
An error occurred during a connection to rrhh.unizar.es. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
It also occurs with seamonkey but it works without problems with chrome and chromium. Other colleagues with other linux systems do not have this issue. Another colleague installed fedora in a virtual machine and had the same problem. Best, Enrique.
On Wed, 27 Mar 2019 14:47:41 -0000 "Enrique Artal" enriqueartal@gmail.com wrote:
Hi, I have a problem with firefox trying to connect to a page of my university (address below). This is the error message: Secure Connection Failed
An error occurred during a connection to rrhh.unizar.es. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
It also occurs with seamonkey but it works without problems with chrome and chromium. Other colleagues with other linux systems do not have this issue. Another colleague installed fedora in a virtual machine and had the same problem. Best, Enrique.
There has been a discussion on the devel list about making obsolete compromised algorithms in libssl2(?). IIRC, it was agreed to do this, but only using a switch that would default to off, and only in rawhide. What version of Fedora are you using? It seems that you have this switch set to on, and your university is using an insecure encryption algorithm. The people for whom login works have set their machines to allow the insecure algorithm.
Since it is only occurring with mozilla products, it is possible that mozilla unilaterally disabled these insecure protocols in their latest offerings. Alternatively, Fedora might have enabled it for the version you are using, either because I was wrong in my recollection, or in error.
Here's a page that explains how to make your firefox browser less secure, so you can log in. It is old, but should still work if it is the browser causing the problem, rather than Fedora. https://www.ryananddebi.com/2014/12/10/bypassing-the-ssl_error_no_cypher_ove...
For what it is worth, I can get to the login page at that address using nightly, the development version of firefox. I must be allowing insecure protocols on my system (Fedora 28). The first three settings on the about:config page in nightly for security.tls.version are 4, 4, 1.
Thanks for the answer. I am using Fedora 29, firefox-66.0-9.fc29; my settings are also 4,4,1 and changing them as suggested in the link does not work. Other people in my University can get in with firefox using gentoo or ubuntu. Something strange just happened. I have an account on an ubuntu machine. I made ssh -CX4 to this machine and opened firefox; same issue. I tried again with x2go, no problem. Maybe it helps.
Hi Enrique,
An error occurred during a connection to rrhh.unizar.es. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
If you want to know what's going on: "man crypto-policies".
A ¿workaround? for firefox is to execute firefox with "NSS_IGNORE_SYSTEM_POLICY=1" in the environment. You can achieve this by creating a bash script named "firefox" in the ~/bin directory.
You can create the file easily if you copy and paste this text, all in one go, into a terminal window:
#====8<----- copy from here...
mkdir -p ~/bin
# The quoted 'EOF' keeps "$@" literal, so it is written into the script unexpanded
cat > ~/bin/firefox <<'EOF'
#!/bin/bash
env NSS_IGNORE_SYSTEM_POLICY=1 /usr/bin/firefox "$@"
EOF
chmod +x ~/bin/firefox
#====8<----- to here...
Regards, Fernando.
Thanks, Fernando! It has worked. The man page is too technical to me. Is it a risk to use firefox like that? Regards, Enrique.
On Thu, 2019-03-28 at 23:16 +0000, Enrique Artal wrote:
Thanks, Fernando! It has worked. The man page is too technical to me. Is it a risk to use firefox like that? Regards, Enrique.
AFAIK the problem is not with Firefox, it's with your university's website. They should update their security policies and/or certificates.
poc
I think so, but I was apparently the only affected person (and not completely since I could use chrome). Anyway I transmitted the information to IT people.
On 3/29/19 3:28 PM, Enrique Artal wrote:
I think so, but I was apparently the only affected person (and not completely since I could use chrome). Anyway I transmitted the information to IT people.
Point them to:
https://www.ssllabs.com/ssltest/analyze.html?d=rrhh.unizar.es
On Sat, 2019-03-30 at 23:46 +0000, Enrique Artal wrote:
Done!
When replying via HyperKitty, please remember to quote some of the context. HK doesn't do this by default, leading to posts which are meaningless without looking back in the thread.
Better still, use a real mail client instead of HK.
poc
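A diagnostic for the situation discussed in this thread, added here as an example and not written by any of the posters: it prints the active system-wide crypto policy and reports which TLS versions a server negotiates with the local OpenSSL client. The function names and the script name tlsprobe.sh are assumptions of this example; OpenSSL follows the same system-wide policy, so "refused" reflects the local policy as well as the server.

```shell
#!/bin/bash
# Added example: report which TLS versions a server will negotiate.
# Function names and the script name are assumptions of this example.

# Extract the negotiated cipher from `openssl s_client` output on stdin.
# s_client prints a line of the form "New, <protocol>, Cipher is <cipher>";
# when the handshake fails the cipher is reported as "(NONE)".
negotiated_cipher() {
    sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1
}

# Reduce s_client output on stdin to a one-word verdict: "ok" or "refused".
handshake_verdict() {
    cipher=$(negotiated_cipher)
    if [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]; then
        echo ok
    else
        echo refused
    fi
}

# Probe one protocol version (needs network access).
# $1 = host, $2 = port, $3 = s_client protocol flag such as -tls1_2
probe() {
    openssl s_client -connect "$1:$2" -servername "$1" "$3" \
        </dev/null 2>&1 | handshake_verdict
}

main() {
    host="$1"
    port="${2:-443}"
    # The policy shown here is inherited by NSS, OpenSSL and GnuTLS alike,
    # so a "refused" below can come from this machine, not only the server.
    if command -v update-crypto-policies >/dev/null 2>&1; then
        echo "crypto policy: $(update-crypto-policies --show)"
    fi
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        echo "$flag: $(probe "$host" "$port" "$flag")"
    done
}

# Only run when a host is given, e.g.: ./tlsprobe.sh rrhh.unizar.es
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Comparing the output on an affected machine with the output on one where the page loads shows whether the difference lies in the local policy or in what the server offers.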