Firefox 38 and older TLS

There is a new version of Firefox for CentOS 5, 6, and 7: Firefox 38.

Firefox 38 changes the way it connects to servers that only support TLS versions older than 1.2.

This is documented in many places; one of them is this Red Hat article:

https://access.redhat.com/node/1422403

The solution linked in that article (https://access.redhat.com/solutions/1423443) is not available to people who do not have an RHN subscription, so I will document how to connect to older sites here as well.

If you need to connect to a server with an older TLS version, you can still do so with Firefox 38 in a couple of ways, using configuration settings to override the default behavior. Remember, connecting to older TLS sites is insecure, so any of these solutions should be deployed on a limited basis.

Mozilla introduced an option called security.tls.insecure_fallback_hosts, which is a whitelist of hosts for which Firefox will still attempt to negotiate an older TLS version:

https://bugzilla.mozilla.org/show_bug.cgi?id=1128227

This should only be deployed for sites you trust, because connections that fall back to older TLS versions are exposed to a man-in-the-middle (MITM) attack (as discussed in the Red Hat article above).

If you search the web for security.tls.insecure_fallback_hosts, you will see many website owners telling people how to manually add their sites to the Firefox whitelist. Here is one example:

https://blogs.rhsmith.umd.edu/smithitnews/alerts/firefox-issue-with-some-services-at-ares/

The Mozilla support site is also exploding with questions like these:

https://support.mozilla.org/en-US/questions/1058856

https://support.mozilla.org/en-US/questions/1056008

All of these have you add sites to the whitelist.

So how do you add sites to the whitelist?

  1. Enter this line in the Firefox address bar:

    about:config
    
  2. Accept the warning that is displayed, if you agree to it.
  3. Look for the Search box at the top of the list and search for fallback.

  4. You should now be able to find security.tls.insecure_fallback_hosts in the first column. Double-click it, and you can add hosts in the string value box.

  5. The hosts you enter are domain names only, so NO full URLs. Separate the list with commas. So, for example, you can enter:

    redhat.com, centos.org
    
  6. Then press the OK button.
  7. You need to close your browser and restart it for the change to take effect.
  8. Repeat this process as desired for other sites.
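If you have to roll the same whitelist out to more than one machine, the about:config steps above can also be expressed as a file: Firefox reads user_pref() lines from a user.js in the profile directory at startup. The following Python script is an added example, not code from this wiki page or from Mozilla. It builds the comma-separated value for security.tls.insecure_fallback_hosts, rejects entries that are full URLs rather than bare domain names (the mistake step 5 warns about), and explicitly leaves security.tls.version.fallback-limit at the default of 3 so that only the listed hosts are affected. The hostnames and the profile path are constructed sample values.

```python
"""Generate a Firefox user.js that whitelists specific hosts for TLS fallback.

Added example (not from the CentOS wiki or Mozilla). It assumes only the
standard Firefox user.js mechanism, user_pref("name", value);, and the two
pref names the wiki page itself names.
"""
import re
from pathlib import Path

FALLBACK_HOSTS_PREF = "security.tls.insecure_fallback_hosts"
FALLBACK_LIMIT_PREF = "security.tls.version.fallback-limit"
FALLBACK_LIMIT_DEFAULT = 3  # the value the wiki page says Firefox 38 ships with

# Bare DNS name: labels of letters, digits and hyphens, a letters-only TLD.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize_host(entry: str) -> str:
    """Reduce one user-supplied entry to a bare, lower-cased hostname.

    Firefox matches the whitelist against the connection's host name only,
    so a full URL such as https://redhat.com/ would be stored verbatim and
    never match. Reject anything with a scheme, path or port loudly rather
    than silently producing a whitelist that does nothing.
    """
    host = entry.strip().lower()
    if not host:
        raise ValueError("empty host entry")
    if "://" in host or "/" in host or ":" in host:
        raise ValueError(f"not a bare hostname (scheme, path or port present): {entry!r}")
    if not _HOST_RE.match(host):
        raise ValueError(f"invalid hostname: {entry!r}")
    return host


def is_bare_hostname(entry: str) -> bool:
    """True if the entry would be accepted by normalize_host()."""
    try:
        normalize_host(entry)
        return True
    except ValueError:
        return False


def build_fallback_value(entries) -> str:
    """Return the comma-separated, de-duplicated string Firefox expects."""
    hosts = []
    for entry in entries:
        host = normalize_host(entry)
        if host not in hosts:
            hosts.append(host)
    return ",".join(hosts)


def render_user_js(entries) -> str:
    """Render the two user_pref() lines for a user.js file.

    The fallback limit is pinned to its default on purpose: lowering it
    globally is the broad, discouraged change; the whitelist is the narrow one.
    """
    value = build_fallback_value(entries)
    return (
        f'user_pref("{FALLBACK_HOSTS_PREF}", "{value}");\n'
        f'user_pref("{FALLBACK_LIMIT_PREF}", {FALLBACK_LIMIT_DEFAULT});\n'
    )


def write_user_js(profile_dir, entries) -> Path:
    """Write (or overwrite) user.js in the given profile directory."""
    path = Path(profile_dir) / "user.js"
    path.write_text(render_user_js(entries))
    return path


if __name__ == "__main__":
    # Constructed sample input; the profile path is a placeholder.
    sample_hosts = ["redhat.com", " centos.org ", "CentOS.org"]
    print(render_user_js(sample_hosts), end="")
    for bad in ["https://redhat.com/", "redhat.com:443"]:
        print(f"rejected: {bad!r} -> {is_bare_hostname(bad)}")
```

Point write_user_js() at the profile directory (on CentOS typically under ~/.mozilla/firefox/) with Firefox closed; the restart in step 7 is still required, because user.js is only read at startup.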


I know, this really sucks. One might be tempted to try to recreate the old behavior of automatic fallback. You can do this if you want. However, please remember the warning about man-in-the-middle attacks that are possible in that mode, and ONLY do it if you are willing to open yourself up to that. I DO NOT recommend it.

If you don't care what I recommend, then here is how to do it anyway:

  1. Enter this line in the Firefox address bar:

    about:config
    
  2. Accept the warning that is displayed, if you agree to it.
  3. Look for the Search box at the top of the list and search for fallback.

  4. Click on security.tls.version.fallback-limit and change the value from 3 to 1.

  5. Remember, I told you NOT to do it :)


One thing to consider is using multiple profiles; see this Mozilla link:

http://mzl.la/1BAQGnB

You can create a profile with less secure settings and use that profile only when you need to access a site with this TLS issue.

TipsAndTricks/Firefox38onCentOS (last edited 2015-05-14 03:38:49 by TimothyLee)