Menu
Firefox upgraded to version 33.0 this morning. Since then, I cannot load a specific local application over HTTPS -- note that it uses a self-signed certificate. It displays the following error message:
The key does not support the requested operation. (Error code: sec_error_invalid_key)
I cannot see anything in Firebug. I restarted Firefox in safe mode, to make sure no add-on was the problem. I also cleaned my cache and cookies. The same application opens fine with Chrome, and Firefox can open other applications that use HTTPS with a self-signed certificate.
Any idea how I could troubleshoot this issue?
Edit: Mozilla has made several important changes to security in Firefox 33.0. Details can be found here.
In my particular situation, the self-signed certificate was blocked because it was deemed too weak:
RSA 512, 1000 and 1023-bit certificates are now blocked by Firefox since they are not sufficient for security. Most certificates currently being issued should have a 2048-bit key length.
747
But if the SEC_ERROR_UNKNOWN_ISSUER error occurs, it means that the user's web browser has failed to trust the available SSL certificate together with issuing certificate authority. It would not be safe for a user to continue browsing through such a website.
If you receive the error message, "Security error: bad record message authentication code (MAC)," while trying to livestream, it means a secure connection could not be established. There are a few possible causes: Incorrect Date / Time: If the date and/or time on your device isn't set properly, it can cause this error.
I have encountered the same problem after upgrading to Firefox 33 with Tomato router. The key length is a problem here.
Tomato generates 512 bit long RSA key by default. However, Firefox 33 requires minimum 1024 bit key.
I had to manually generate a longer key in Tomato.
I did that following way:
cd /tmpcp /usr/sbin/gencert.sh .chmod +w gencert.shEdit the gencert.sh file you copied and change the following line:
openssl req -new -out /tmp/cert.csr -config openssl.config -keyout /tmp/privkey.pem -newkey rsa:512 -passout pass:password
into:
openssl req -new -out /tmp/cert.csr -config openssl.config -keyout /tmp/privkey.pem -newkey rsa:1024 -passout pass:password
./gencert.sh $(date +%s)nvram unset https_crt_filenvram commitservice httpd restartNow httpd will use the new certificate. If you have "Save in NVRAM" checkbox enabled it will be saved in NVRAM and survive router reboot.
Do not check "Regenerate" checkbox, because automatically regenerated certificates are still 512 bit long.
If you remove your certificate from NVRAM, you must repeat procedure described above.
Starting from Firefox 34 you need to additionally enable SSL 3.0 support in Firefox configuration:
about:config address in the URL bar.Set the following options to 0:
security.tls.version.fallback-limit
security.tls.version.min
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
