Re-enable SSLv3 on Firefox 34

TL;DR: set security.tls.version.fallback-limit and security.tls.version.min to 0.

Firefox 34 takes the strong stance of disabling SSLv3 completely, by default, with no publicized workarounds. Because of the lack of TLS_RSA support in TLS 1.2, many sites have become non-operational. Here’s a non-profit’s site I use that has about ten million users:

| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.1: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|_  least strength: strong
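As an added example (not part of the original post): a small Python parser for the nmap ssl-enum-ciphers output shown above, plus a triage step that reports which protocol versions a host offers, whether it is reachable at all from a client that refuses SSLv3 (that is, whether the server can simply be fixed or the client-side workaround described later is the only option), and which suites deserve attention. The scan text embedded below is constructed, not the real site; the RC4 and compression flags are my additions and are not something the old nmap version that produced the output above rates.

```python
"""Parse nmap ssl-enum-ciphers output (older "NAME - strength" style) and triage it."""

# Constructed sample in the format shown on this page; not a real host.
SAMPLE = """\
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors: 
|_  least strength: strong
"""

# Constructed: an appliance that speaks nothing but SSLv3.
SSLV3_ONLY = """\
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong
"""

PROTOCOL_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_enum_ciphers(text):
    """Return {protocol: {"ciphers": [...], "compressors": [...]}}.

    nmap prefixes every line with "| " (or "|_" on the last line); after that
    prefix the indentation is 2 for a protocol, 4 for a section, 6 for an entry.
    """
    protocols = {}
    proto = None
    section = None
    for raw in text.splitlines():
        if len(raw) < 2 or not raw.startswith("|"):
            continue
        body = raw[2:]
        indent = len(body) - len(body.lstrip(" "))
        line = body.strip()
        if not line or line == "ssl-enum-ciphers:":
            continue
        if indent == 2:
            if line.endswith(":") and not line.startswith("least strength"):
                proto = line[:-1]
                protocols[proto] = {"ciphers": [], "compressors": []}
                section = None
            else:
                proto = None  # "least strength: ..." summary line
        elif indent == 4 and proto is not None:
            section = line.rstrip(":")
        elif indent == 6 and proto is not None and section in protocols[proto]:
            name = line.split(" - ")[0].strip()  # drop the strength rating
            protocols[proto][section].append(name)
    return protocols


def assess(protocols):
    """Decide whether a host needs SSLv3 on the client and list notable findings."""
    offered = [p for p in PROTOCOL_ORDER if p in protocols]
    tls_offered = [p for p in offered if p.startswith("TLS")]
    all_ciphers = {c for p in protocols.values() for c in p["ciphers"]}
    findings = []
    if not tls_offered:
        findings.append("SSLv3-only: unreachable from clients that refuse SSLv3; "
                        "the server needs TLS enabled, a client tweak only hides the problem")
    elif "SSLv3" in protocols:
        findings.append("SSLv3 still offered alongside TLS; disable it server-side")
    rc4 = sorted(c for c in all_ciphers if "RC4" in c)
    if rc4:
        findings.append("RC4 suites offered (prohibited by RFC 7465): " + ", ".join(rc4))
    if any(c != "NULL" for p in protocols.values() for c in p["compressors"]):
        findings.append("TLS compression enabled (CRIME risk)")
    return {"protocols": offered,
            "needs_sslv3_client": not tls_offered,
            "findings": findings}


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("sslv3-only", SSLV3_ONLY)):
        result = assess(parse_enum_ciphers(text))
        print(label, result["protocols"], "needs SSLv3 client:", result["needs_sslv3_client"])
        for f in result["findings"]:
            print("  -", f)
```

Feed it the script section of a real `nmap --script ssl-enum-ciphers -p 443 HOST` run and the `needs_sslv3_client` flag tells you which hosts on your list actually justify the client-side change; for the scan shown above, which offers TLS 1.1 and 1.2, the answer is no.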

This is fine from a theoretical information security perspective – SSLv3 is somewhat broken, is more than fifteen years old, and TLS v1.0, at a minimum, is supported everywhere and is better. But the way Mozilla went about this was lazy and stupid, as it hurts security over the long term.

Look at what Microsoft is doing with SHA-1 certificates (announcing deprecation now and full removal of support in 2017), or what Google is doing with SHA-1 and Chrome (nagging users about it starting in 2015). Neither of those two actions breaks secure sites for users with almost no notice, but they do get the point across and will spur sysadmins to make changes.

Mozilla just decided to break SSLv3 sites (and by extension many TLS sites, due to ciphersuite selection), by default, and give users no way of knowing in-browser what happened or what to do about it (yeah, “bug the sysadmin” is so realistic…).

Here’s what they should have done:
1) Announce removal of support ~one year in advance.
2) Bring up a warning in the browser at that point.
3) Offer to create a temporary exception for the site in question for the one-year period (SSL exceptions are already a feature! Add a time limit and tweak the UI!)

What they did instead was to just break things for everybody. One has to presume they figured this would spur action immediately on the part of administrators. Apparently what they don’t know is that those sysadmins may need to go through change processes, purchase new equipment, wait for a budget cycle, etc. Guess what? Corporate IT people don’t read the Mozilla blog (most security people don’t even read it) and even if they did, two months’ notice is wildly insufficient for most Corporate IT. Let’s play “who would have really been hurt by phasing out over a year?”!

Since people need to operate in the real world, here’s the advice (credit: dave_d) that’s both operationally necessary and repugnant from the stance of the Internet’s security:

1) Type about:config in the location bar.
2) In the search bar that comes up, enter: security.tls.version.min. Double-click on the entry that comes up and change the value to 0.
3) Do the same for security.tls.version.fallback-limit.
4) Test your broken site. It should work now.
6) Laugh at #5, as you know nobody will ever do that; instead, they’ll accept SSLv3 for as long as they have their profile. Great job, Mozilla. Thanks for trying so hard.

Bold posturing is no replacement for caring about users, implementing effective transition plans, and putting in the hard work necessary to carry them out. FWIW, when I was at a meeting last night and we had to access an SSLv3-fronted database, I switched over to Chrome to get the work done. For users afraid of about:config, that’s an easier option. Most users will never see this post either, and I really wish I didn’t need to write it.

14 thoughts on “Re-enable SSLv3 on Firefox 34”

  1. Bill, thanks for the tip, very aggravating. But I have the same issue with all my browsers. Have tried to use Safari for Windows, Opera, Firefox and Chrome, all with the same results.

  2. Pingback: Mozilla Firefox: Reaktivierung SSLv3 (ssl_error_unsupported_version) | peinzigartig plog

  3. Thank you Mr. McGonigle! Firefox has been my browser of choice for many years but this and a few other bonehead ideas from the Mozilla decision makers has me looking for an alternative.

    I’m so sick and tired of companies and governments making decisions for us because they think they are smarter then the masses and know what’s best. It’s delusional.

    Keep watching your market share drop, Mozilla.

  4. Thank you very much.

    I confirm that Google Chrome, as of 42.0.2311.90 m, does not open SSLv3 sites or appliances. I found two other parameters, “security.tls.insecure_fallback_hosts” (string) and “security.tls.insecure_fallback_hosts.use_static_list” (boolean), that seem to suggest we can create a site white list, but I couldn’t find a usable combination to that effect.

    I installed some add-on that shows source comments for config parameters, but no success with these. Maybe in a future version of ff they become operational.

    Warm regards,

  5. Thank you for taking the time to post this – this fixed my issue with ‘ssl_error_unsupported_version’ on Firefox. The lack of an official workaround is baffling.

    Much appreciated.

  6. Finally a solution that works (on FF 38.0)! Various sites and posts have suggested various tips – none that I tried worked for a CA site that ONLY accepts AES256-SHA and denies all other ciphers; some have only suggested changing “min”, until I found your post, and for me it worked when I changed “fallback-limit” too! Thanks a lot!

  7. I have the same problem and have switched to Internet Explorer for managing network devices…

    And yes, some of us need to use archaic protocols as the manufacturers don’t update the firmware to include TLS or newer.
    ex: storage arrays, network switches, just to name a few, so I’m in trouble if Microsoft removes the feature completely, as I have yet to make it work with Firefox and have not found a valid functional workaround.


  8. Apparently this doesn’t work on FF 40.0.2. I set security.tls.version.fallback-limit and security.tls.version.min to 0 but still cannot access my old Dell DRAC 🙁

  9. The above solution does not seem to work in Firefox 47.0.1 on Windows 10 – 64 bit.

    I found two more

    Turning them ‘false’ also did not work, i.e., the SSLv3 site is still giving the same error, viz.
    Unable to Connect Securely
    Firefox cannot guarantee the safety of your data on because it uses SSLv3, a broken security protocol.
