IBM Support

Firefox users unable to connect to Domino-based certificate or self-signed secured Web sites after updating Firefox to version 31

Flash (Alert)


Abstract

After updating Firefox to version 31 (or later), when Firefox users attempt to access a site whose SSL certificate is MD5-based and was generated by a Domino Web server, the connection attempt fails with the following error: "Secure Connection Failed. An error occurred during a connection to <server name>. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)"

Content

Firefox 31 introduces a new certificate verification library (mozilla::pkix), enabled by the security.use_mozillapkix_verification preference, which strictly enforces SSL certificate verification and rejects MD5-based certificates (see the MozillaWiki article listed under "Related information" for details). After updating Firefox to version 31 (or later), when Firefox users attempt to access a site whose SSL certificate is MD5-based and was generated by a Domino Web server, the connection attempt fails with the error quoted in the Abstract above. This includes Domino self-signed testing certificates generated from the Server Certificate Admin database and server SSL certificates generated by the Domino Certificate Authority.

    IMPORTANT NOTES
    • This error occurs only if your server's SSL certificate is either Domino self-signed or issued by a Domino-based Certificate Authority (both are MD5-based).
    • This error can occur even if you have previously added a security exception in Mozilla Firefox to trust the Domino SSL certificate.
    • This issue could potentially affect any HTTPS traffic that you host on your Domino Web server, including, for example, iNotes, Quickr for Domino, XPages, and custom Domino-based Web applications.
    • Other (i.e. non-Domino) Web servers could also be affected if a Domino-signed SSL certificate is installed on them.
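To find out in advance whether a server or keyring certificate is one of those Firefox 31 will refuse, the following added example (not part of this technote and not an IBM tool) reads the outer signatureAlgorithm OID of a PEM or DER X.509 certificate and flags md5WithRSAEncryption (OID 1.2.840.113549.1.1.4). The two sample certificates at the bottom are constructed skeletons, not real certificates; in practice pass the bytes of a certificate exported from the Domino keyring or from the server.

```python
import base64
MD5_WITH_RSA = "1.2.840.113549.1.1.4"   # md5WithRSAEncryption, rejected by mozilla::pkix

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    parts, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                                # last byte of this arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def load_cert_der(data):
    """Accept PEM or DER certificate bytes and return the DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data

def signature_algorithm_oid(data):
    """Dotted OID of the outer signatureAlgorithm of a PEM or DER certificate."""
    tag, cert, _ = _read_tlv(load_cert_der(data), 0)
    if tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate (contents not needed here)
    _, sig_alg, _ = _read_tlv(cert, pos)    # signatureAlgorithm AlgorithmIdentifier
    _, oid, _ = _read_tlv(sig_alg, 0)       # algorithm OBJECT IDENTIFIER (tag 0x06)
    return _decode_oid(oid)

def is_md5_signed(data):
    """True if the certificate is signed with md5WithRSAEncryption (fails in Firefox 31+)."""
    return signature_algorithm_oid(data) == MD5_WITH_RSA

def constructed_cert(sig_oid_hex):
    """Constructed stand-in, not a real certificate: empty tbsCertificate, the given
    signatureAlgorithm {oid, NULL} and a dummy BIT STRING; enough for the outer parse."""
    alg_id = bytes.fromhex(sig_oid_hex) + b"\x05\x00"
    body = b"\x30\x00" + bytes([0x30, len(alg_id)]) + alg_id + b"\x03\x02\x00\x00"
    return bytes([0x30, len(body)]) + body
MD5_SAMPLE = constructed_cert("06092a864886f70d010104")      # 1.2.840.113549.1.1.4
SHA256_SAMPLE = constructed_cert("06092a864886f70d01010b")   # 1.2.840.113549.1.1.11
```

Only the outer signatureAlgorithm is parsed; a certificate that passes this check can still fail in Firefox for other reasons (for example an MD5-signed issuer further up the chain), so run it on every certificate in the chain.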




Resolving the issue
Note: If the solution described in this section is not an option for your version of Firefox, then consider using one of the options listed below in the "Alternative Workarounds" section.

You can perform the following steps in each local Firefox browser to restore Firefox's older SSL certificate verification code, which will allow HTTPS connections to your server.

Step 1. Type about:config in the Firefox address bar to access the advanced settings. Read the warning presented, and then click "I'll be careful, I promise!" to accept and proceed.

Step 2. Scroll down to security.use_mozillapkix_verification and double-click it to toggle its value (or right-click it and select Toggle).



Alternative Workarounds

  • Option 3: Use a Firefox Extended Support Release (ESR). The previous Firefox ESR was based on Firefox 24.8, which uses the 'classic' verification; however, future ESRs will also be based on Firefox 31 (or later).

Related information

Mozilla wiki
3rd party Domino SSL setup
iNotes supported browser by version
Generating a SHA-2 Keyring
901 fixpack2 interimfix for POODLE

Document information

More support for: IBM Domino
Security

Software version: 8.0, 8.5, 9.0

Operating system(s): AIX, IBM i, Linux, Solaris, Windows

Reference #: 1680147

Modified date: 30 June 2015