Firefox 3 OpenSSL Woes

Friday, May 15th, 2009

Well, that was frustrating. I stayed up late last night trying to figure out why my Apache 2.2 server was misbehaving, and it ended up being a Firefox 3 bug, or more specifically a bug in the old OpenSSL library that Firefox 3 is statically linked to.

I tried to view our cgit page, and only got this:

And if I refreshed a few times, I got this ‘ssl_error_rx_unexpected_change_cipher’ error:

But strangely, if I used Safari, I got exactly what I should have:

I finally figured out that Firefox was screwing up when using the TLS 1.0 protocol. So all I had to do was edit my Apache 2.2 httpd.conf to have this line:

SSLProtocol -SSLv2 +SSLv3 -TLSv1

I don’t like this solution though. The Mozilla Firefox team should release a build of Firefox that is statically linked to a newer version of the OpenSSL library which doesn’t suffer from this bug. I much prefer TLS because of the added security it provides, so I ended up with a line that opted for security over broken SSL library compatibility:

SSLProtocol -SSLv2 -SSLv3 +TLSv1

Also note that I disable SSLv2 as well because it’s widely known to be inherently flawed.
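A quick way to confirm that an SSLProtocol change like the ones above actually took effect is to offer the server one protocol version at a time and see whether it answers with a ServerHello or a fatal alert. The script below is an added example, not code from the original post; it assumes a host and port to probe (defaulting to localhost:443), sends a bare ClientHello at the SSLv3 and TLSv1 record-layer versions, and classifies the first record that comes back. SSLv2 is left out because it uses a different record format. The cipher suite list is an arbitrary RSA-only selection chosen for broad compatibility with servers of that era.

```python
"""Probe which SSL/TLS protocol versions a server accepts.

Added example, not part of the original post. It sends a minimal ClientHello
per version and classifies the first record returned; it does not complete a
handshake. Host, port and the cipher suite list are assumptions.
"""
import os
import socket
import struct
import sys

# Record-layer version numbers for the two protocols the httpd.conf lines toggle.
VERSIONS = {
    "SSLv3": (3, 0),
    "TLSv1": (3, 1),
}

# Arbitrary, widely supported RSA suites (assumption; any valid list works).
CIPHER_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
]

CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02


def build_client_hello(major, minor):
    """Return one TLS record carrying a bare ClientHello for version (major, minor)."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes([major, minor])                         # client_version
        + os.urandom(32)                              # random
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # one compression method: null
    )
    # Handshake header: type (1 byte) + 24-bit length.
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # Record header: content type, version, 16-bit length.
    return bytes([CONTENT_HANDSHAKE, major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record of a server's reply.

    Returns one of:
      ("server_hello", (major, minor))  the server accepted the offered version
      ("alert", (level, description))   e.g. (2, 70) protocol_version, (2, 40) handshake_failure
      ("closed", None)                  the server dropped the connection without a reply
      ("unknown", None)                 not a recognisable TLS record
    """
    if not data:
        return ("closed", None)
    if len(data) < 5:
        return ("unknown", None)
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if content_type == CONTENT_ALERT and len(payload) >= 2:
        return ("alert", (payload[0], payload[1]))
    if (content_type == CONTENT_HANDSHAKE and len(payload) >= 6
            and payload[0] == HANDSHAKE_SERVER_HELLO):
        # ServerHello: type (1) + length (3) + server_version (2) + ...
        return ("server_hello", (payload[4], payload[5]))
    return ("unknown", None)


def probe(host, port=443, timeout=5.0):
    """Offer each version in VERSIONS to host:port and return {name: classification}."""
    results = {}
    for name, (major, minor) in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(build_client_hello(major, minor))
                results[name] = classify_response(s.recv(4096))
        except OSError as exc:
            results[name] = ("error", str(exc))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for name, outcome in probe(target).items():
        print(f"{name}: {outcome}")
```

With the second httpd.conf line in effect you would expect the TLSv1 probe to come back as a ServerHello and the SSLv3 probe as a fatal alert or a closed connection; with the first line the two results swap. The same check can be done by hand with `openssl s_client -connect host:443 -ssl3` and `-tls1`, but the script makes the record-layer version field, which is what the SSLProtocol directive is really gating, explicit.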