Litmus: Painless web site and email testing

davidSmalley

FireFox 3 triggers an OpenSSL bug

June 22nd, 2008 Secure Connection Failed An error occurred during a connection to xyz-abe.com SSL received an unexpected Change Cipher Spec record. (Error code: ssl_error_rx_unexpected_change_cipher)

I’ve been seeing more and more customers report this in the lead up to FireFox 3 going live…now the release has come I think the only thing you can do is try and get your production servers upgraded to the latest OpenSSL (0.9.8h) as soon as possible. Unfortunately the only other work around involve users disabling something in about:config or disabling SSLv3 on your server.

Some background reading on the bug:

Original report

Mozilla bug report

OpenSSL fix

Additionally I’ve seen FireFox 3 introduce another bug related to incorrectly signed HMAC codes in SSL transactions. After some digging around I noticed that FireFox 3 supports the Camellia cipher which AFAIK isn’t widely supported amongst other browers yet. During SSL negotiation the browser seems to end up using Camellia even though it could have negotiated the more familiar AES cipher. I hacked around this in one clients nginx configuration by adding the following to their http block:

ssl_ciphers ALL:!CAMELLIA;

Tags:

• openssl
• firefox3
• nginx

3 comments »

---

Meta

• Make Contact
• My Tumblr
• Flickr
• Twitter

I'm a Ruby hacker working for Engine Yard, as well as co-owning and running Litmus

Search

Latest Tumblr

Feed me
North West Ruby User Group

© 2007 David Smalley | Design by Andreas Viklund Adapted by David Smalley Ported by RailsGrunt Powered by Mephisto