Firefox and Certificate Warnings

by John S. De Stefano Jr. last modified Mar 09, 2015 09:13 AM
Information on SSL site certificates and the way Firefox informs you of possible problems.

While browsing the information on the RACF site with Firefox versions 3 and later, you may come across a somewhat intimidating warning message, much like the following:

[Image: rt-firefox3-secure-connection-failed.png]

In this message, Firefox warns you that the site "uses an invalid security certificate". This is not entirely true: the certificates used on the RACF are indeed valid, though they are sometimes generated via different methods and using different certificate authorities. However, due to the behavior of firewalls and proxies, certificates and the web servers that present them to clients sometimes appear to browsers in different ways. For instance, you are much less likely to see these warnings when browsing from outside the BNL network than when visiting the site from within the BNL campus.

Adding an Exception

If you encounter such a warning and wish to continue viewing the content:

  1. Click Add Exception...
  2. In the ensuing dialog, click Get Certificate.
    [Image: rt-firefox3-certificate-exception.png]
    Once your browser has obtained the certificate, you can choose whether to enable Permanently store this exception, which prevents this dialog from being displayed again and removes the need to follow these steps on subsequent visits.
  3. Click Confirm Security Exception.
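
Before storing an exception, you can confirm that the certificate your browser received is the one the site actually serves by comparing its fingerprint with a value obtained from the site administrators over a separate channel. The script below is an added example, not part of the original page or RACF tooling; the function names, the script name and the choice of SHA-256 are assumptions, and the host and trusted fingerprint are supplied by you on the command line.

```python
import hashlib
import hmac
import socket
import ssl
import sys


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated upper-case hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Drop colons/whitespace and fold case; reject anything but 64 hex digits."""
    cleaned = "".join(fingerprint.split()).replace(":", "").upper()
    if len(cleaned) != 64 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def fetch_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the certificate the server presents, without validating it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # validation is off on purpose: we only
    ctx.verify_mode = ssl.CERT_NONE   # want the bytes; trust is decided below
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def matches_trusted(der_cert: bytes, trusted_fingerprint: str) -> bool:
    """True only if the presented certificate has the trusted fingerprint."""
    presented = normalize(sha256_fingerprint(der_cert))
    return hmac.compare_digest(presented, normalize(trusted_fingerprint))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_cert.py HOST TRUSTED_SHA256_FINGERPRINT")
    der = fetch_der(sys.argv[1])
    print("presented:", sha256_fingerprint(der))
    ok = matches_trusted(der, sys.argv[2])
    print("match" if ok else "MISMATCH: do not add an exception")
    sys.exit(0 if ok else 1)
```

A mismatch seen only from inside the campus network indicates that an intermediate proxy or firewall is presenting its own certificate, which is the case to report rather than accept.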

Editing Security Settings

In version 4 and later, the Firefox web browser has disabled SSL renegotiation to minimize and combat man-in-the-middle attacks. While this has positive security implications, it can also cause problems with some web sites and applications known to work properly in earlier versions, including CERN-hosted certificate and VO service pages, which may now result in Firefox errors like the following:

Secure Connection Failed
An error occurred during a connection to pki1.doegrids.org.
Renegotiation is not allowed on this SSL socket

To work around this issue:

  • In the Firefox URL/address/"awesome" bar, enter the following and accept the subsequent warning:
    about:config
  • In the Filter box, enter (or copy and paste) the following:
    security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref
  • Double-click the filtered entry for this preference in order to enable it and change its value to true, as shown in the following example image:
    [Image: Firefox 4 SSL Renegotiation Override Setting]

See this blog post for additional information.

Warnings in Firefox 2

When visiting similar sites with Firefox 2, users will see a pop-up dialog warning: "Website Certified by an Unknown Authority", which allows one to examine the site's certificate, and to choose whether to accept the certificate (temporarily or permanently) or reject it and not connect to the site.

Valid Security Concerns

If, instead, you feel that a warning is valid and brings the security or identity of a RACF site into question, please let us know by creating a trouble ticket in the WWW ticket queue for RACF facility web issues, or the Grid ticket queue for certificate issues.
