Firefox users unable to connect to Domino-based certificate or self-signed secured Web sites after updating Firefox to version 31
After updating Firefox to version 31 (or later), when Firefox users attempt to access a Web site secured with an MD5-based SSL certificate generated by a Domino Web server, the connection attempt fails with the following error: "Secure Connection Failed. An error occurred during a connection to <server name>. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)"
Firefox 31 introduces a new certificate verification library, enabled by the preference security.use_mozillapkix_verification, that strictly enforces SSL certificate verification (see the MozillaWiki article on this change for details). After updating Firefox to version 31 (or later), when users attempt to access a Web site secured with an MD5-based SSL certificate generated by a Domino Web server, the connection attempt fails with the error shown above. This includes Domino self-signed testing certificates generated from the Server Certificate Admin database and server SSL certificates issued by the Domino Certificate Authority.
- This error occurs only if your server's SSL certificate is Domino self-signed or issued by a Domino-based Certificate Authority (both are MD5-based).
- This error can occur even if you previously added a security exception in Mozilla Firefox to trust the Domino SSL certificate.
- This issue can affect any HTTPS traffic hosted on your Domino Web server, including, for example, iNotes, Quickr for Domino, XPages, and custom Domino-based Web applications.
- Other (non-Domino) Web servers can also be affected if a Domino-signed SSL certificate is installed on them.
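Because the trigger is the certificate's signature digest rather than the issuer itself, the quickest way to find affected servers is to read the signatureAlgorithm OID out of each server certificate. The following Python script is an added example, not part of this technote: it walks the DER structure with no third-party modules, and the sample certificates it checks are constructed skeletons (a real DER export can be passed to the same functions; ssl.PEM_cert_to_DER_cert converts a PEM export).

```python
"""Flag certificates whose signature digest Firefox 31+ (mozilla::pkix) rejects."""

# PKCS #1 signature algorithm OIDs -> (name, rejected because digest is MD2/MD5)
SIG_ALGS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", True),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """OBJECT IDENTIFIER content bytes -> dotted string (base-128 arcs)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                       # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, _, pos = _read_tlv(cert, 0)               # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)          # AlgorithmIdentifier ::= SEQUENCE
    _, oid, _ = _read_tlv(alg_id, 0)             # algorithm OBJECT IDENTIFIER
    return _decode_oid(oid)

def rejected_by_pkix(cert_der):
    """(algorithm name, True if Firefox 31+ refuses this signature digest)."""
    return SIG_ALGS.get(signature_algorithm(cert_der), ("unknown", False))

def fake_cert(oid_bytes):
    """Constructed DER Certificate skeleton (not a valid certificate) for testing."""
    tlv = lambda tag, v: bytes([tag, len(v)]) + v          # short-form lengths only
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                    # placeholder tbsCertificate
    alg = tlv(0x30, tlv(0x06, oid_bytes) + tlv(0x05, b""))  # {oid, NULL params}
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))   # placeholder signature

MD5_RSA = bytes.fromhex("2A864886F70D010104")     # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11
```

rejected_by_pkix(fake_cert(MD5_RSA)) reports md5WithRSAEncryption as rejected, while the SHA-256 skeleton passes; run the same check on each Domino keyring certificate before your users update.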
Resolving the issue
You can perform the following steps in each local Firefox browser to restore the older SSL verification library, which allows HTTPS connections to your server.
Step 1. Type about:config in the Firefox address bar to access the advanced settings. Read the warning presented, and then click the "I'll be careful, I promise" prompt to accept and proceed.
Step 2. Scroll down to security.use_mozillapkix_verification and double-click it to toggle its value (or right-click it and select Toggle).
Alternatively, one of the following options avoids changing the Firefox setting:
- Option 1: If you are using 901FP2IF1+ with the POODLE fixes, create a SHA-2 based SSL certificate for Domino. See the wiki article: Generating a SHA-2 Keyring file.
- Option 2: Purchase and use a SHA-1 based third-party SSL certificate from a Certificate Authority that Firefox already trusts. See technote 1268695, How to set up SSL using a third-party Certificate Authority.
- Option 3: Use a Firefox Extended Support Release (ESR). The previous Firefox ESR was based on Firefox 24.8, which uses the 'classic' verification; however, future ESRs will also be based on Firefox 31.
- Option 4: Connect with one of the other Web browsers supported by Domino. See the wiki article titled "Supported Browsers in IBM (Lotus) iNotes by Domino Release".
- Option 5: If you are using Domino 8.5.x, install Notes or Domino 901FP2IF1+ with the POODLE fixes, and then create a SHA-1 based SSL certificate for Domino.