
Firefox 33.0 won't open a specific local application: Error code: sec_error_invalid_key

Tags:

firefox

Firefox upgraded to version 33.0 this morning. Since then, I cannot load a specific local application over HTTPS -- note that it uses a self-signed certificate. It displays the following error message:

The key does not support the requested operation. (Error code: sec_error_invalid_key)

I cannot see anything in Firebug. I restarted Firefox in safe mode, to make sure no add-on was the problem. I also cleaned my cache and cookies. The same application opens fine with Chrome, and Firefox can open other applications that use HTTPS with a self-signed certificate.

Any idea how I could troubleshoot this issue?

Edit: Mozilla has made several important changes to security in Firefox 33.0. Details can be found here.

In my particular situation, the self-signed certificate was blocked because it was deemed too weak:

RSA 512, 1000 and 1023-bit certificates are now blocked by Firefox since they are not sufficient for security. Most certificates currently being issued should have a 2048-bit key length.

Phil asked Oct 15 '14 18:10



1 Answer

I encountered the same problem after upgrading to Firefox 33 with a Tomato router. The key length is the problem here.

Tomato generates a 512-bit RSA key by default. However, Firefox 33 requires a minimum 1024-bit key.

I had to manually generate a longer key in Tomato.

I did it the following way:

  1. Log in using ssh to the router.
  2. cd /tmp
  3. cp /usr/sbin/gencert.sh .
  4. chmod +w gencert.sh
  5. Edit the gencert.sh file you copied and change the following line:

    openssl req -new -out /tmp/cert.csr -config openssl.config -keyout /tmp/privkey.pem -newkey rsa:512 -passout pass:password

    into:

    openssl req -new -out /tmp/cert.csr -config openssl.config -keyout /tmp/privkey.pem -newkey rsa:1024 -passout pass:password

  6. ./gencert.sh $(date +%s)
  7. nvram unset https_crt_file
  8. nvram commit
  9. service httpd restart

Now httpd will use the new certificate. If you have the "Save in NVRAM" checkbox enabled, it will be saved in NVRAM and survive a router reboot.

Do not check the "Regenerate" checkbox, because automatically regenerated certificates are still 512 bits long.

If you remove your certificate from NVRAM, you must repeat the procedure described above.

Firefox 34 and newer:

Starting with Firefox 34, you additionally need to enable SSL 3.0 support in the Firefox configuration:

  1. Enter about:config in the URL bar.
  2. Set the following options to 0:

    security.tls.version.fallback-limit
    security.tls.version.min
    
Piotr Jurkiewicz answered Oct 18 '22 02:10
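
To confirm that key size is what triggers sec_error_invalid_key, the following added example (not part of the original question or answer) classifies a certificate's public key from `openssl x509 -noout -text` output against the thresholds quoted above. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies a certificate's key
# against the rule quoted above: RSA keys under 1024 bits are blocked by
# Firefox 33, and 2048 bits is the length new certificates should have.

# Read `openssl x509 -noout -text` output on stdin, print "<algorithm> <bits>".
# Accepts "Public-Key: (N bit)" and the older "RSA Public Key: (N bit)" form.
key_info() {
    awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public[- ]Key: \([0-9]+ bit\)/ {
            bits = $0
            sub(/.*\(/, "", bits)
            sub(/ bit\).*/, "", bits)
        }
        END { if (alg == "" || bits == "") exit 1; print alg, bits }
    '
}

# Print a verdict; exit status 1 means Firefox 33 would block the key.
classify_key() {
    info=$(key_info) || { echo "unknown"; return 2; }
    alg=${info% *}
    bits=${info#* }
    if [ "$alg" != "rsaEncryption" ]; then
        echo "not-rsa $alg $bits"      # the RSA size rule does not apply
    elif [ "$bits" -lt 1024 ]; then
        echo "blocked $bits"; return 1
    elif [ "$bits" -lt 2048 ]; then
        echo "below-recommended $bits"
    else
        echo "ok $bits"
    fi
}

# Constructed sample: the relevant lines for a 512-bit RSA certificate.
sample_text() {
    cat <<'EOF'
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
EOF
}

# With a PEM file argument, check that certificate; otherwise do nothing.
[ $# -eq 0 ] || openssl x509 -in "$1" -noout -text | classify_key
```

Saved under a placeholder name such as check_key.sh, it is run as `sh check_key.sh cert.pem`; a 1024-bit key like the one generated in the answer is reported as below-recommended rather than ok.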