I stumbled upon an interesting problem last week with a client. She was a member of Canandaigua National Bank, and was trying to use her Mac to get to her account balances. But no matter what she tried, she received a message about her SSL certificates that were unable to be ‘renegotiated’. I called the bank to ask about the problem.
“Hi there, we’re receiving this error in Firefox.”
Secure Connection Failed – ssl_error_renegotiation_not_allowed – server does not support RFC 5746, see CVE-2009-3555
“Yeah, that’s what happens when you use FireFox.” the customer service representative told me.
I raised an eyebrow.
“She’s been visiting your website using FireFox for years. What changed?” I asked.
“Well, the place who handles our certificates made some changes, and now FireFox doesn’t work right,” he said.
“Any chance you have a workaround, or documentation of the issue?”
“No, all we know is that the only browser that seems to work is Internet Explorer,” he explained.
“Hmm. That’s going to be a problem. Internet Explorer hasn’t been made for the Mac in years. So, Firefox doesn’t seem to work anymore?”
“Right.”
“But it used to work…”
“Right.”
It went on like this for a few minutes. It was clear that I wasn’t getting anywhere, and this fine fellow didn’t have the information that I needed. I asked him to make contact with his IT department to find out more specific information about what broke, and give me a call.
Later that day, I received a call and an email with a workaround for Firefox. So if you’ve got a Mac, and you want to check your account with Canandaigua National Bank, and you want to do it with the more secure ‘certificate’ style of security rather than the ‘cookie’ style, here’s what to do:
1. Launch your Firefox browser, and type ‘about:config’ into the location bar.
2. Click to acknowledge that you know what you’re doing.
3. Scroll all the way down to ‘security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref’ (that’s a mouthful!)
4. Double-click the line item to set the Value field from ‘false’ to ‘true’.
After this, you should be able to access their site. I performed this adjustment for my client, and she was thrilled! She was able to get back to work, and check her bank balances.


Please note: this was disabled due to a security flaw which allows attackers to intercept anything sent via an https connection;
https://wiki.mozilla.org/Security:Renegotiation
Also, from the page above: “It’s highly recommended to leave this at the default value “false”, and instead populate preference security.ssl.renego_unrestricted_hosts with a list of hosts that require the exception.”
It seems that they have fixed the problem now, so I’d suggest turning this back to false.
https://www.ssllabs.com/ssldb/analyze.html?d=www.cnbank.com
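The Firefox error above is the client noticing that the server never sent the RFC 5746 renegotiation_info extension in its ServerHello. As an added example (not part of the original post or the comment, and not Mozilla's or the bank's code), the following parser pulls the extension list out of a raw ServerHello body and reports whether the server advertises secure renegotiation; the ServerHello messages it checks are constructed inline, with the cipher suite and session id chosen arbitrarily for the sample.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # ExtensionType defined by RFC 5746, section 3.2


def server_hello_extensions(hello: bytes) -> dict:
    """Parse a TLS ServerHello body (the bytes after the 4-byte handshake header)
    and return {extension_type: extension_data}. Raises ValueError on truncation."""
    pos = 2 + 32                          # server_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                    # session_id
    pos += 2 + 1                          # cipher_suite + compression_method
    exts = {}
    if pos == len(hello):
        return exts                       # no extensions block: a pre-RFC 5746 server
    (ext_total,) = struct.unpack_from("!H", hello, pos)
    pos += 2
    end = pos + ext_total
    if end > len(hello):
        raise ValueError("extensions length exceeds message")
    while pos < end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        pos += 4
        if pos + ext_len > end:
            raise ValueError("extension overruns extensions block")
        exts[ext_type] = hello[pos:pos + ext_len]
        pos += ext_len
    return exts


def supports_secure_renegotiation(hello: bytes) -> bool:
    """RFC 5746: a server implementing secure renegotiation includes
    renegotiation_info in its ServerHello. On an initial handshake the
    renegotiated_connection field is empty, so the data is one zero length byte."""
    return server_hello_extensions(hello).get(RENEGOTIATION_INFO) == b"\x00"


def build_server_hello(with_reneg_info: bool) -> bytes:
    """Constructed sample ServerHello body (not a real capture): TLS 1.0, all-zero
    random, empty session id, TLS_RSA_WITH_AES_128_CBC_SHA, null compression."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if with_reneg_info:
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
        body += struct.pack("!H", len(ext)) + ext
    return body


if __name__ == "__main__":
    for patched in (True, False):
        print("patched server" if patched else "unpatched server",
              "->", supports_secure_renegotiation(build_server_hello(patched)))
```

A server whose ServerHello parses like the `False` case is exactly the one Firefox refuses with ssl_error_renegotiation_not_allowed; the per-host `security.ssl.renego_unrestricted_hosts` preference quoted above limits the exception to that host instead of disabling the check everywhere.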