Firefox 42 'Secure connection failed' on https://start.1password.com/signup

ianchanning

I'm getting the following error message when trying to sign up for 1password using Firefox on Linux Mint. I get it both on the default sign up page (https://start.1password.com/signup) and the 'join' link that I was sent (https://klever.1password.com/join/xxx)

Secure Connection Failed

The connection to start.1password.com was interrupted while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

This is working fine on Chromium on my OS.

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Linux Mint 17
Sync Type: Not Provided
Referrer: forum-search:Firefox 42 Secure connection failed on https://start.1password.com/signup

Jacob

Hey @ianchanning! Sorry about that. Is that the only URL you've had trouble with? Do you have any content blockers or browser extensions enabled that might tamper with or force SSL?

ianchanning

Hi @penderworth, thanks for the reply.

There were the two URLs that I mentioned. All the pages on the default site https://1password.com/ work fine. It just seems to be when there is a subdomain involved e.g. https://klever.1password.com or https://start.1password.com.

I've tried disabling all the plugins I've got and it still fails. Also checked on Windows which has the same problem.

ianchanning

Actually I just spotted that I'm getting a different error now:

An error occurred during a connection to start.1password.com. Peer reports it experienced an internal error. (Error code: ssl_error_internal_error_alert)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

AGAlumB

@ianchanning: Are you by any chance using the same 'security' software on both computers? if you're using a supported browser, an SSL error indicates that something on your machine is breaking the chain of trust, likely with a fraudulent certificate. Or you may simply have a discrepancy in your system time. Either way, the site will reject the connect if it can't be secured. Please let me know what you find!

ianchanning

@brenty no, Windows 8 has the default Windows Defender and Linux Mint is a fairly fresh install with no extra security installed. Both the Firefox browsers are linked via the Firefox Sync so it could be manifesting itself across both browsers. But given that I've disabled all addons in both Windows and Linux it seems unlikely.

I also get a blank screen if I try to view https://start.1password.com/ in IE 11 on Windows 8:

ianchanning

@brenty sorry I should also mention that I get redirected correctly to https://start.1password.com/signup/team which displays correctly on Google Chrome both on Linux and Windows. It's a dual boot if that could cause any problems.

ianchanning

The certificate that works fine for https://www.1password.com and https://1password.com is clearly a wildcard certificate. But if I try it for any other subdomain except for www then I get the 'Secure connection failed' error.

roustem

I wonder if you could try a workaround suggested here:

https://minidoka.zendesk.com/entries/20472633-TLS-security-prevents-Firefox-users-from-Logging-Into-Powerschool

ianchanning

Ok found the problem. I had forced the TLS max level to 1 a year or so ago possibly with the BEAST / POODLE / CRIME problems. It's possibly just set to 1 because I've been using FF forever and it got stuck at 1 at some point.

about:config screenshot:

For anyone who hits the same problem here's the route i went through to find it:

1. tracert shows you're using a cloudfront server
2. google "ssl_error_internal_error_alert"+firefox+cloudfront
   
3. Points to this work around (https://d1mj3xqaoh14j0.cloudfront.net/public/documents/vom/3.1/windowsandunix/productguides/html/vom_notes/ch04s10s02s01.htm) which talks about the security.enable_ssl2 about:config setting (which doesn't exist in FF 42)
4. This bugzilla bug (https://bugzilla.mozilla.org/show_bug.cgi?id=978107)
5. The bugzilla page suggests using (https://globalsign.ssllabs.com/analyze.html?d=start.1password.com&s=104.16.101.48&hideResults=on) to check the 1password certificate (A+ you goody-two-shoes :))
6. In the 'Handshake Simulation' section it points to your certificate using TLS 1.2 for Firefox
7. At this point I spotted the security.tls.version.max setting in about:config
8. Reset the option which is now 3

https://globalsign.ssllabs.com screenshot:

There's probably a similar problem with IE 11 but I can't be bothered to fix that.

ianchanning

As a final comment - the reason that I could view https://www.1password.com and not https://start.1password.com is that your certificate for www allows TLS 1.0:

whilst start subdomain does not:

ianchanning

@roustem cheers - I only just saw your comment!

ianchanning

Also if anyone else hits this problem a quick trip to https://www.howsmyssl.com/ would have pointed out my bad use of TLS 1.0

ianchanning

Ah it was the POODLE issue that got me update it (http://security.stackexchange.com/a/70942/35764):

In FireFox, you can set the security.tls.version.max and security.tls.version.min FireFox preferences to select a specific version.

Jacob

@ianchanning Glad you got everything sorted out! Lots of good details here for reference. :) We really appreciate you letting us know what ended up happening. If you ever need anything else, feel free to say hi.

AGAlumB

Oh wow. No wonder you had trouble tracking that down. Firefox was updated with a fix for POODLE over a year ago, but you still had that preference set. Thanks so much for the update! I'm not sure I would have come up with that on my own. :lol:

roustem

Thank you for the link, @ianchanning !

pkuruvil

I have the same issue -
Secure Connection Failed

An error occurred during a connection to 10.78.0.215:8443. Peer reports it experienced an internal error. Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Learn more…

The above is happening when I enable debug mode by setting -Djavax.net.debug=ssl:handshake on linux environment.
If I do not enable debugging it works fine.

Any thoughts from your side let me know. Thanks in advance.

Jacob

Hey @pkuruvil! Sorry about that. Could you head to https://www.ssllabs.com/ssltest/viewMyClient.html, let the test run, and let us know what TLS version your browser supports? You'll need TLS 1.2, and support for at least one of our supported ciphers to sign in to 1Password.com. Let me know what you find out. :)