Firefox Secure Connection Failed

If you open a website that uses a deprecated TLS version, you may get the Firefox error page “Secure Connection Failed”.

An error occurred during a connection to [host] Cannot communicate securely with peer: no common encryption algorithm(s).

Secure Connection Failed with Firefox

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

The story behind

Administrators sometimes have to access devices that run older operating systems using deprecated TLS versions: network devices, servers and routers for which updates are no longer available but which are still needed during a transitional period. Such older equipment usually still works fine, even though it has reached end-of-life status and should be replaced in the near future.

TLS 1.0 and TLS 1.1 have been deprecated since Firefox 78 Release and should not be used nowadays.

Firefox still supports the deprecated protocols (if you absolutely need them) via “security.tls.version.enable-deprecated” in about:config. This should only be enabled temporarily to access your device.

How to enable TLS 1.0 and TLS 1.1 in Firefox

Open Firefox, enter about:config in the address bar and press Enter. On the caution screen, select “Accept the Risk and Continue”.

Firefox about:config

Now search for security.tls.version.enable-deprecated and set it to true at the switch on the right.

security.tls.version.enable-deprecated = true

Next, search for security.ssl3.dhe_rsa_aes_128_sha and set it to true; do the same for security.ssl3.dhe_rsa_aes_256_sha.

Finally, search for security.tls.version.min in the search bar at the top, set it to “1” and click the save button on the right. After restarting Firefox, the connection using the weak encryption is established.

  On the warning screen “Potential Security Risk Ahead”, select “Advanced” and then choose “Accept the Risk and Continue”.

In this result, a weakly encrypted connection to an older iLO (Lights-Out Management) is established.

The values for the TLS security.tls.version.min and security.tls.version.max preferences mean:

1 = TLS 1.0
2 = TLS 1.1
3 = TLS 1.2
4 = TLS 1.3

No success yet? The next hint might help.

Search for security.ssl.enable_ocsp_stapling in the search bar and set it to false, then restart Firefox and try again.

  OCSP is a method to check whether a site’s SSL certificate has been revoked by its issuer. “Stapling” is a method for the site to deliver proof of validity along with its own certificate. This improves privacy for the user because you don’t need to reveal to a third party (the issuer) that you need to know about the site you’re trying to use.

OpenVPN Client renegotiation after 60 min

Using OpenVPN + 2FA with Google Authenticator

OpenVPN will attempt to have a client renegotiation every 60 minutes (3600 sec) by default, which will prompt the user to enter their 2FA pin to continue the connection.

Renegotiate time

Renegotiate data channel key after n seconds (default=3600). When using a (OTP) one time password, be advised that your connection will automatically drop because your password is not valid anymore. Set to 0 to disable, remember to change on server and client as well.

If you want the connection to stay up without these interruptions, edit the /etc/openvpn/client-template.txt file and add the reneg-sec 0 parameter. The file may then look like this:

dev tun
persist-tun
persist-key
data-ciphers-fallback AES-256-CBC
auth SHA512
client
resolv-retry infinite
# 0 disables the periodic data-channel renegotiation that would re-prompt for the OTP
reneg-sec 0
remote 203.0.113.1 1194 udp
lport 0
verify-x509-name "C=IT, ST=IT, L=example, O=Azienda, emailAddress=hostmaster@example.tld, CN=OPN.example.tld" subject
remote-cert-tls server
auth-user-pass
auth-nocache
compress
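As an added example (not from the original post or from OpenVPN itself), here is a small Python checker that parses a client profile like the one above, reports the effective reneg-sec and flags how it interacts with one-time passwords; the function names and the embedded sample profile are this example's own.

```python
import shlex

# Sample input: a copy of the client profile shown above (constructed for this example).
SAMPLE_CONFIG = """\
dev tun
persist-tun
persist-key
data-ciphers-fallback AES-256-CBC
auth SHA512
client
resolv-retry infinite
reneg-sec 0
remote 203.0.113.1 1194 udp
lport 0
verify-x509-name "C=IT, ST=IT, L=example, O=Azienda, emailAddress=hostmaster@example.tld, CN=OPN.example.tld" subject
remote-cert-tls server
auth-user-pass
auth-nocache
compress
"""

def parse_openvpn_config(text):
    """Return (option, args) tuples; skips blank lines and # / ; comments, keeps quoted args whole."""
    options = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # the quoted verify-x509-name subject stays one argument
        options.append((parts[0], parts[1:]))
    return options

def effective_reneg_sec(options):
    """reneg-sec as OpenVPN applies it: the last occurrence wins, default 3600 s when absent."""
    value = 3600
    for opt, args in options:
        if opt == "reneg-sec" and args:
            value = int(args[0])
    return value

def check_otp_renegotiation(text):
    """Findings for a client profile that authenticates with a one-time password."""
    options = parse_openvpn_config(text)
    reneg = effective_reneg_sec(options)
    findings = []
    if reneg > 0 and any(opt == "auth-user-pass" for opt, _ in options):
        findings.append(f"reneg-sec {reneg}: OTP re-prompt and tunnel drop every {reneg} s")
    if reneg == 0:
        findings.append("reneg-sec 0: no data-channel key rotation for this session; set 0 on the server too, or it renegotiates anyway")
    return findings
```

Running check_otp_renegotiation on a profile without reneg-sec reports the 3600 s default that causes the hourly OTP prompt described above.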

Community Edition

The OpenVPN Community Edition is an open source Virtual Private Network (VPN) project. It creates secure connections over the Internet using a custom security protocol that utilizes SSL/TLS. This community-supported OSS (Open Source Software) project is released under the GPL license and is maintained by its developers and contributors as well as the extended community. CE is free to deploy, but it does require a strong understanding of Linux and the command line interface.

OpenVPN Tunneling Protocol

The OpenVPN tunneling protocol uses the Secure Socket Layer (SSL) encryption protocol to ensure data shared via the Internet remains private using AES-256 encryption. Because the code is available for audits, anyone can find — and fix — vulnerabilities. It’s not only considered the most secure VPN tunneling protocol, it also delivers faster connections and can bypass most firewalls.