Firefox v27 SSL decryption error accessing 88xx EDM

[imorris]

My Firefox auto-updated itself to the latest version (27) which broke my access
to EDM on my 88xx cores.  According to Firefox there are significant improvements
to the SSL ... but it didn't help me at all. 

When I tried EDM access I received a rather unhelpful error frame citing ...

  Secure Connection Failed. 
  An error occurred during a connection to 10.x.x.254. 
  Peer was unable to decrypt an SSL record it received.
  (Error code: ssl_error_decryption_failed_alert)

My 88xx are running 7.1.5.3 and I plan to upgrade to 7.2.11 which might change the
situation but in the mean time I had to disable one of the SSL encryptions in Firefox.

In the URL bar type about:config.  Scroll down near the bottom and double-click "security.ssl3.rsa_des_ede3_sha" to disable it.

It should be noted that I was able to EDM to all my 45xx/48xx/56xx without a problem. 
It only affected 88xx.  I knew it had to be Firefox because IE and Chrome worked OK.

Cheers.

[Paul L]

IE v11 works fine with v7211.

[imorris]

Thanks Paul,

if you have Firefox v27 available, would you mind checking if it works on 7.2.11 EDM?  I would like to know if the problem lies in 7.1.5.3 or in Firefox itself.

Thanks

[Paul L]

I can tell you that FF v26 didn't work well for me on EDM v7211.  it would load but the objects wouldn't draw properly.

As an Avaya engineer I always keep Firefox, Chrome and IE on my laptop because you never know when you will need one or the other.

[imorris]

Well, that's depressing coz I kinda like Firefox.  Looks like I might have to retire it once I upgrade to 7.2.11.  I am still on IE9 (bloody SOE) and therefore IE/Safari/Chrome all report as unsupported browsers with EDM.  I have varying success with them ... I think that is why I have stuck with Firefox.

I am still interested if someone can check Firefox v27 access to 8800 v 7.2.11.  Without that security.ssl3.rsa_des_ede3_sha being disabled I could not get to the login screen.

Cheers

[Paul L]

i am back in the office on Tuesday.  remind me if I don't reply back...

[bylie]

Since upgrading to Firefox v27 we were also having this problem with the Avaya VSP 9000 running v3.3.4.0.GA. Disabling "security.ssl3.rsa_des_ede3_sha" also did the trick, thanks! I'm not really sure who's actually to blame so we've still created a supportcase for this.

[wood_morris]

Similar problem as above.  SSL webpage worked fine in FireFox version 25, but v27 displays:
.......
Secure Connection Failed

An error occurred during a connection to <website URL>. Peer was unable to decrypt an SSL record it received. (Error code: ssl_error_decryption_failed_alert)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
.......

I searched yesterday for any reports of this bug in FireFox but found nothing.  Today I searched and this is the first report of this problem with FF v27.

Chrome and IE browsers have no problem loading the webpage. 

[imorris]

Hi wood_morris

thanks for the feedback.  I am trying to determine where the issue is so can I ask you to clarify a couple of things please ... was the ssl page you were attempting to connect to on a network device, and did the disabling of the security.ssl3.rsa_des_ede3_sha entry resolve the problem?

Thanks in advance

Ian

[imorris]

Hello again,

to cut a long story short I have determined that the fault lies with the 8800.  In essence I turned off all encryption algorithms except for the rsa_des_ede3_sha and found that I could access the EDMs on 4xxx and 5xxx equipment, and could also https: to other internet sites and internal servers just fine … the only fail was the https: to my 8800s EDM.

Paul L … if you get a chance would you mind cranking up Firefox v27 and trying to access one of your 8800's running 7.2.11?  If it works I'll just drop this whole thing, if it fails I will log it with Avaya.

Observations:
88xx has 5 algorithms to choose from, the rsa_des_ede3_sha is it's FIRST choice when accessed by Firefox and it breaks.
4xxx and 5xxx have 5 algorithms to choose from, the rsa_des_ede3_sha is the LAST choice when accessed by Firefox and still works anyway.
I don't seem to be able to revert to Firefox 26 to see if this algorithm exists and if so, whether it gets selected (and works).
The list (in preference order) for Chrome, shown here - https://code.google.com/p/chromium/issues/detail?id=58833 , puts this algorithm at the bottom so I am surprised that the 88xx selects it first over other stronger candidates.

Cheers

[figunet]

It's the same problem that i had.
The solutions is;
I just disabled the following DES ciphers in Firefox's "about:config":
•   security.ssl3.dhe_rsa_des_ede3_sha
•   security.ssl3.ecdhe_rsa_des_ede3_sha
•   security.ssl3.rsa_des_ede3_sha
Avaya is aware of this and it will probably be fixed in a future release
I don't remenber who send me this but thank again.

[imorris]

Avaya have released 88xx v 7.2.12 which lists that it has fixed this issue.

Readme is here ... https://downloads.avaya.com/css/P8/documents/100179895

Cheers