New problem with Firefox updates when SSL scanning is enabled

[User 13]

I don't know if this is the case since Internet protection module 1094 is installed or even since 1092, with 1091 it was no problem.

I guess it is caused by module 1094.

 

I noticed it first when Firefox 26 was available since 2 days ago, but when I checked "Help" "About Firefox" it said my version 25.01 was up to date.

After I closed Firefox, disabled SSL scanning in ESS and reopened Firefox the Update to version 26 was downloaded.

 

The same happens with several Add-Ons that I have installed in Firefox.

When I check for Updates in Firefox manually with SSL scanning enabled it says that all Add-Ons are up-to date, but there are clearly newer versions available.

With deactivated SSL scanning the updated Add-Ons are found and installed.

 

So the bottom case is, if SSL scanning is enabled, you don't get any Firefox or Firefox Add-Ons found or installed, no matter if it is a manual search for updates or an automatic search by Firefox in the background.

Edited December 14, 2013 by User

[Marcos 5,070]

Mozilla doesn't accept self-signed certificates and refuses to update in such case. You must exclude Mozilla's certificate from scanning.

[User 13]

And how exactly can I exclude Mozilla's certificate?

[Marcos 5,070]

If you configure ESET to ask about non-visited websites and then attempt to update Firefox, you will be asked whether you want ESS to scan the secured communication utilizing the given certificate with an option to exclude it from scanning. Then you can switch back to "Always scan SSL" while checking the box "Apply created exceptions based on certificates".

[User 13]

"Apply created exceptions based on certificates".

 

 

When I activate that option, then there is a separate new problem with my used POP3S Mailserver, even if I add the certificate exception for the Mailserver:

 

Server: XXX

Windows Live Mail-Fehlernummer: 0x800CCC0F

Protokoll: POP3

Port: 995

Secure (SSL): Ja

 

I have no problems with the Mailserver, when "Apply created exceptions based on certificates" is deactivated.

 

 

The other problem is that the sites

https://support.mozilla.org

https://mozilla.org

 

do not work even with added certificate exceptions and activated "Apply created exceptions based on certificates".

The error message is: Fehlercode: ssl_error_no_cypher_overlap

 

These sites work, when "Apply created exceptions based on certificates" is deactivated.

 

I do not know, if the Firefox updates and Addon-Updates work with added exceptions, as there is no error message displayed in Firefox and I have all new updates installed.

Edited January 6, 2014 by User

[User 13]

Are there any plans to resolve this issue?

 

I have disabled https scanning for a few weeks now.

The option to activate "Apply created exceptions based on certificates" is no alternative as this causes many new separate problems (see posting above).

 

The best solution in my eyes would be if ESS could be programmed to circumvent Mozilla's refusal to accept self-signed certificates, so that updates for Firefox and Firefox Addons work with standard configuration.

[Marcos 5,070]

I'll try to find out if we could somehow exclude the communication with Mozzila's servers from https scanning without the need for users to set up exclusions.

[User 13]

 

"Apply created exceptions based on certificates".

 

 

When I activate that option, then there is a separate new problem with my used POP3S Mailserver, even if I add the certificate exception for the Mailserver

 

 

 

Today I activated https scanning again with that method and the problem with the mailserver seems to be solved.

 

 

So now I have the following exceptions in ESS trusted certificates:

*.cdn.mozilla.net

aus3.mozilla.org

versioncheck.addons.mozilla.org

www.mozilla.org

 

Is this OK to get to get all Firefox and Addons updates automatically or do I have to alter anything?

 

 

Although some problems remain if "Apply created exceptions based on certificates" is activated:

 

If I use the Mozilla plugin check on the website

https://www.mozilla.org/de/plugincheck/

then the following error message is shown in the browser: (Fehlercode: ssl_error_no_cypher_overlap)

 

The same with the following sites:

https://support.mozilla.org

https://mozilla.org

 

Also

https://www.changedetection.com/

shows the error message (Fehlercode: ssl_error_handshake_unexpected_alert)

 

These errors only occur when "Apply created exceptions based on certificates" is activated.

Edited March 10, 2014 by User

[User 13]

 

Although some problems remain if "Apply created exceptions based on certificates" is activated:

 

If I use the Mozilla plugin check on the website

https://www.mozilla.org/de/plugincheck/

then the following error message is shown in the browser: (Fehlercode: ssl_error_no_cypher_overlap)

 

The same with the following sites:

https://support.mozilla.org

https://mozilla.org

 

Also

https://www.changedetection.com/

shows the error message (Fehlercode: ssl_error_handshake_unexpected_alert)

 

These errors only occur when "Apply created exceptions based on certificates" is activated.

 

 

I just tried again and these errors are still not fixed.

Is this problem being investigated?

[Marcos 5,070]

I just tried again and these errors are still not fixed.

Is this problem being investigated?

 

We haven't released an Internet protection module with the SSL scanning functionality refactored. It's currently available as an internal beta.

[User 13]

Were there any changes concerning SSL scanning in the module released yesterday "1137 (20140704)"?

 

 

[Marcos 5,070]

Were there any changes concerning SSL scanning in the module released yesterday "1137 (20140704)"?

 

Yes. This module is currently available on pre-release servers only.

[User 13]

If I use the Mozilla plugin check on the website

https://www.mozilla.org/de/plugincheck/

then the following error message is shown in the browser: (Fehlercode: ssl_error_no_cypher_overlap)

 

The same with the following sites:

https://support.mozilla.org

https://mozilla.org

 

Also

https://www.changedetection.com/

shows the error message (Fehlercode: ssl_error_handshake_unexpected_alert)

 

These errors only occur when "Apply created exceptions based on certificates" is activated.

 

 

 

 

OK, I just tested the new module and can confirm that the above problems no longer occur with the new module.

 

 

Concerning Mozilla: Is it still necessary to add trusted certificates for Mozilla?

[Marcos 5,070]

Concerning Mozilla: Is it still necessary to add trusted certificates for Mozilla?

 

Haven't tried but I doubt that Mozilla has changed their policy in the mean time and would accept self-signed root certificates now.

[User 13]

So now I have the following exceptions in ESS trusted certificates:

*.cdn.mozilla.net

aus3.mozilla.org

versioncheck.addons.mozilla.org

www.mozilla.org

 

 

I just found out the following:

With activated SSL web scanning and the above exceptions the normal Firefox updates work, but the Firefox addons updates don't work although "versioncheck.addons.mozilla.org" is added to trusted certificates.

Also in interactive mode when "versioncheck.addons.mozilla.org" pops up and I confirm it, the addons are not updated.

Only when I deactivate SSL web scanning, the Firefox addons are updated.

 

Why is this?

Edited July 23, 2014 by User

[Marcos 5,070]

I just found out the following:

With activated SSL web scanning and the above exceptions the normal Firefox updates work, but the Firefox addons updates don't work although "versioncheck.addons.mozilla.org" is added to trusted certificates.

Also in interactive mode when "versioncheck.addons.mozilla.org" pops up and I confirm it, the addons are not updated.

Only when I deactivate SSL web scanning, the Firefox addons are updated.

 

Why is this?

 

I was unable to reproduce this. Have the following certificates excluded:

 

*.cdn.mozilla.net

aus3.mozilla.org

versioncheck.addons.mozilla.org

www.mozilla.org

addons.mozilla.org

[User 13]

How can I add addons.mozilla.org to trusted certificates?

 

In interactive mode I get only a popup with "versioncheck.addons.mozilla.org".

Edited July 23, 2014 by User

[Marcos 5,070]

Ok, that certificate is not relevant for updating add-ons. I've tried to reproduce it again and now I have the following certificates excluded. Firefox itself as well as add-ons update fine:

 

*.google.com
*.google.com
*.cdn.mozilla.net
aus3.mozilla.org
versioncheck.addons.mozilla.org
snippets.mozilla.com
www.mozilla.org

 

I have Internet protection module 1138 installed.

[User 13]

Updates of firefox add-ons don't work at the moment with Internet protection module 1198 and the following certificates excluded:

 

ping.mozversioncheck.com

*.google.com

aus4.mozilla.org

versioncheck.addons.mozilla.org

*.cdn.mozilla.net

www.mozilla.org

 

Only after disabling of SSL protocol scanning the Mozilla add-ons are updated.

Edited May 28, 2015 by User

[User 13]

Updates of firefox add-ons don't work at the moment with Internet protection module 1198 and the following certificates excluded:

 

ping.mozversioncheck.com

*.google.com

aus4.mozilla.org

versioncheck.addons.mozilla.org

*.cdn.mozilla.net

www.mozilla.org

 

Only after disabling of SSL protocol scanning the Mozilla add-ons are updated.

 

 

There is still no solution to this problem with the newest modules.

No firefox addon updates are working with SSL scanning activated.

 

Will there be a solution in version 9?

[itman 1,659]

Well, this explains why I haven't been receiving any Thunderbird updates since I installed Eset. Below is what I excluded when accessing update functions within Thunderbird. Only one I didn't exclude was for Google analytics since I assumed that was for tracking by Google. Is this enough to now start getting update notifications from Mozilla?