Re-enabling SSL 3.0 support in Firefox after RHSA-2014:1919

Updated -

After apply the security update RHSA-2014:1919, Firefox may issue an error message such as the attached one when connecting to certain sites, stating that there are “no common encryption algorithm(s)”, giving the “ssl_error_no_cypher_overlap” error code.

SSL 3.0 handshake failure

There are two ways to resolve this issue, one applying to an individual user, and one system-wide.

User-specific configuration

The following steps have to be applied for each user who needs to connect to sites which only support the protocol version, SSL 3.0.

  1. Start Firefox.
  2. Enter “about:config” in the URL bar.
  3. If a warning message is shown, acknowledge it. (Making the changes described below does not invalidate support coverage.)
  4. Enter “security.tls” in the “Search” field. Among other entries, the item “security.tls.version.min” will appear. Double-click on this entry.
  5. A dialog box, “Enter integer value” will appear. Replace the value “1” in the input field with “0”, and click on “OK”. The configuration setting should look as shown in the picture below.
    Changed TLS configuration setting
  6. Visit the site which supports SSL 3.0 only to verify that the configuration change was effective.

System-wide configuration

These settings will change the defaults for all users on the system to which they are applied.

  1. Log in as root.
  2. Open the text file /usr/lib64/firefox/browser/defaults/preferences/all.js with a text editor such as vim. This file is not part of the Firefox package; you may have to create it.
  3. Add this line to the file at the end:

    pref("security.tls.version.min", 0);
  4. Save the file, and log out.

  5. Repeat steps 2 to 4 for the file /usr/lib/firefox/browser/defaults/preferences/all.js if the system uses a 32-bit version of Firefox.
  6. As a user on the same system, log in, (re)start Firefox, and visit the site which supports SSL 3,0 only to verify that the configuration change was effective.

Note that these changes only set the default. If users changed the same preference settings using “about:config”, their changes override the “all.js” setting.

It is possible to deploy the “all.js” file using a configuration management tool such as Puppet.


"After apply the security update"

I keep seeing posts on the Red Hat site (not to mention documentation in the RHEL releases themselves) which look like they are written by someone for whom English is not their first language. Is it too much to ask that all articles on the site be proof-read by someone who is a native English speaker?

I second the motion. Tech writer is a profession that does not get enough respect.