Firefox 3 triggers an OpenSSL bug
22 June 2008
Secure Connection Failed
An error occurred during a connection to xyz-abe.com
SSL received an unexpected Change Cipher Spec record.
(Error code: ssl_error_rx_unexpected_change_cipher)
I’ve been seeing more and more customers report this in the lead-up to Firefox 3 going live. Now that the release has come, I think the only thing you can do is try to get your production servers upgraded to the latest OpenSSL (0.9.8h) as soon as possible. Unfortunately, the only other workarounds involve users disabling something in about:config or disabling SSLv3 on your server.
Some background reading on the bug:
Additionally, I’ve seen Firefox 3 introduce another bug related to incorrectly signed HMAC codes in SSL transactions. After some digging around I noticed that Firefox 3 supports the Camellia cipher, which AFAIK isn’t widely supported amongst other browsers yet. During SSL negotiation the browser seems to end up using Camellia even though it could have negotiated the more familiar AES cipher. I hacked around this in one client’s nginx configuration by adding the following to their http block:
ssl_ciphers ALL:!CAMELLIA;
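The effect of that cipher string can be checked offline. The following is an added example, not part of the original post: it expands the string with the local OpenSSL through Python's ssl module and models suite selection for a client that lists Camellia ahead of AES. The client offer list and the function names are assumptions made for the illustration.

```python
import ssl

# Constructed client offer (OpenSSL suite names), most preferred first. It models
# a browser that lists Camellia ahead of AES; it is not a captured ClientHello.
CLIENT_OFFER = ["CAMELLIA256-SHA", "AES256-SHA", "CAMELLIA128-SHA", "AES128-SHA"]


def expand(cipher_string):
    """Suites the local OpenSSL enables for a cipher string (TLS 1.2 and below).

    TLS 1.3 suites are skipped: they are configured separately and are not
    affected by this string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def negotiate(client_offer, server_suites, prefer_server=False):
    """Pick the first mutually supported suite.

    By default the client's order wins, which is how an OpenSSL-based server
    behaves unless server preference is switched on.
    """
    if prefer_server:
        ordered, allowed = server_suites, set(client_offer)
    else:
        ordered, allowed = client_offer, set(server_suites)
    return next((s for s in ordered if s in allowed), None)


def report(cipher_string):
    """Summarise what a cipher string means for the constructed client."""
    suites = expand(cipher_string)
    return {
        "camellia_enabled": [s for s in suites if "CAMELLIA" in s],
        "negotiated": negotiate(CLIENT_OFFER, suites),
    }


if __name__ == "__main__":
    for string in ("ALL", "ALL:!CAMELLIA"):
        result = report(string)
        print(f"{string:15} camellia suites: {len(result['camellia_enabled']):2}  "
              f"negotiated: {result['negotiated']}")
```

Run it with a Python build linked against the same OpenSSL as the web server, since the expansion of `ALL` depends on the library version and build options.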
Comments
June 26, 2008 at 05:24 PM
The 0.9.8h upgrade made this error pop up much less frequently, but we do still see it from time to time. Does the Camellia cipher fix address the rest of the problem?
June 26, 2008 at 10:29 PM
Ali.
The Camellia fix wasn’t related to that bug. If you still see it after the upgrade then it’s probably worth reporting it to the OpenSSL project as that fix was supposed to stop this issue.
Have you definitely upgraded OpenSSL on all your servers and restarted your webserver on all of them?
June 27, 2008 at 12:03 AM
Yeah, we’ve definitely upgraded to 0.9.8h, and everything’s been restarted. We see the error a lot less frequently than we used to, so there was definitely a fix. Just not a total fix. Thanks for the reply!