Error code: ssl_error_renegotiation_not_allowed


Postby River Trent » Thu May 12, 2011 2:00 pm

QNAP 239 Firmware 3.4.2 Build 0331T

I've just upgraded my desktop machine to Ubuntu 11.04, which has Firefox 4.
On my QNAP I run 2 web sites which are only accessible through SSL (port 443); one site is a Virtual Host.
The site which is a Virtual Host (https://teambetamax.dnsalias.com/) receives this error:

Secure Connection Failed

An error occurred during a connection to teambetamax.dnsalias.com.

Renegotiation is not allowed on this SSL socket.

(Error code: ssl_error_renegotiation_not_allowed)

Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.


I've tried this on a couple of machines and this always happens with Firefox 4; the site is fine on Firefox 3 and Safari browsers.

Any ideas?

Re: Error code: ssl_error_renegotiation_not_allowed

Postby Moogs » Fri May 13, 2011 6:21 am

This was a change made by Mozilla to address a security issue:

To enable SSL renegotiation you need to point your browser to about:config.

Find this:

security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref

and set it to true. After this you should be able to access the site.
--------------

Synology DS-209 (Retired)
Synology DS-1010+ (Retired)
ESXi 4.1 Host
Time Machine, Ruby, Squeezebox Duet, MySQL

Re: Error code: ssl_error_renegotiation_not_allowed

Postby schumaku » Fri May 13, 2011 3:32 pm

Yes - however, there is a good reason _not_ to enable this insecure behaviour, because a man in the middle has the option to trigger a re-negotiation, i.e. to plain http.

QNAP must update the OpenSSL so the new secure re-negotiation becomes available.
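
As an added example (not part of the original thread): a server that implements the secure renegotiation schumaku refers to announces it, per RFC 5746, by including the renegotiation_info extension (type 0xff01) in its ServerHello. The Python code below parses a ServerHello record and checks for that extension; the function names are hypothetical and both sample records are constructed.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746

def server_hello_extensions(record):
    """Return {extension_type: data} for a TLS record starting with a ServerHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record starting with ServerHello")
    rlen = int.from_bytes(record[3:5], "big")   # record payload length
    hlen = int.from_bytes(record[6:9], "big")   # ServerHello body length
    hello = record[9:9 + hlen]
    if hlen + 4 > rlen or len(hello) != hlen or hlen < 38:
        raise ValueError("truncated ServerHello")
    # Skip version(2) + random(32) + session_id(1+n) + cipher(2) + compression(1).
    pos = 34 + 1 + hello[34] + 3
    if pos == hlen:
        return {}                  # legacy server: no extensions block at all
    if pos + 2 > hlen:
        raise ValueError("truncated ServerHello")
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    if end != hlen:
        raise ValueError("extensions length does not match message length")
    pos += 2
    exts = {}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        exts[etype] = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    if pos != end:
        raise ValueError("malformed extension list")
    return exts

def supports_secure_renegotiation(record):
    """True if the server sent renegotiation_info in its ServerHello."""
    return RENEGOTIATION_INFO in server_hello_extensions(record)

def build_server_hello(extensions=b""):
    """Constructed sample: TLS 1.0 ServerHello carrying the given raw extensions."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        hello += len(extensions).to_bytes(2, "big") + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

# Constructed samples, not captured from any real device.
LEGACY = build_server_hello()                          # no extensions
PATCHED = build_server_hello(b"\xff\x01\x00\x01\x00")  # empty renegotiation_info

if __name__ == "__main__":
    for name, rec in (("legacy", LEGACY), ("patched", PATCHED)):
        print(name, "secure renegotiation:", supports_secure_renegotiation(rec))
```

On an initial handshake the extension body is a single zero byte (an empty renegotiated_connection field), which is what the patched sample carries.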

Re: Error code: ssl_error_renegotiation_not_allowed

Postby River Trent » Fri May 13, 2011 4:23 pm

So it is a QNAP issue.

I agree with schumaku.

Re: Error code: ssl_error_renegotiation_not_allowed

Postby River Trent » Mon May 16, 2011 5:51 pm

Has anyone any idea if this will be done soon as it's a major problem for me???

Re: Error code: ssl_error_renegotiation_not_allowed

Postby River Trent » Wed May 18, 2011 1:44 am

Bump

Re: Error code: ssl_error_renegotiation_not_allowed

Postby schumaku » Wed May 18, 2011 3:50 am

River Trent wrote: Has anyone any idea if this will be done soon as it's a major problem for me???

If it's just your own browser I hardly see a major problem, as the workaround is well known.

What do you expect from bumping?

Re: Error code: ssl_error_renegotiation_not_allowed

Postby River Trent » Wed May 18, 2011 7:07 pm

Fair comment for "bumping",

But it's not just my own browser; I have a lot of members on the site and a few of them are using Firefox 4, and hence get the "Error code: ssl_error_renegotiation_not_allowed".

Re: Error code: ssl_error_renegotiation_not_allowed

Postby schumaku » Fri May 20, 2011 1:31 am

About what I guessed anyway, was not difficult.

Re: Error code: ssl_error_renegotiation_not_allowed

Postby River Trent » Tue May 24, 2011 5:38 pm

Firmware version: 3.4.3 Build 0520T has not fixed the problem.

Re: Error code: ssl_error_renegotiation_not_allowed

Postby River Trent » Thu Jun 16, 2011 4:30 pm

Any news anyone, really could do with this fixing

Re: Error code: ssl_error_renegotiation_not_allowed

Postby AlexKe » Mon Jun 20, 2011 6:19 pm

Hi River Trent,

The OpenSSL version is not that old to cause the https connection issue with Firefox 4.x.
Below is the setting on my test NAS. Can you show us your setting, or you can PM me your NAS link for remote checking.

Web server setting.png

Virtual host setting.png

https connection on virtual host.png

Re: Error code: ssl_error_renegotiation_not_allowed

Postby schumaku » Mon Jun 20, 2011 6:25 pm

Alex, try to use the SAME PORT (8081) for all SSL Web servers in place ... it is a common agreed standard using 443 for ALL SSL Web connections. And you will find QNAP PM and RD laziness is guilty.

Re: Error code: ssl_error_renegotiation_not_allowed

Postby schumaku » Mon Jun 20, 2011 6:39 pm

1. Configure multiple DNS names pointing to the same cname, and some to the same IP address (both are correct), to your test NAS TCP/IP address.
2. Create multiple virtual hosts on these hostnames for SSL and the same ports - start with all on 8081, like the base Web server.

Re: Error code: ssl_error_renegotiation_not_allowed

Postby AlexKe » Thu Jun 23, 2011 12:20 pm

Hi Folks,

https://wiki.mozilla.org/Security:Reneg ... lable_pref

security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref
Current default value: DEPENDS, see end of section

It's not desirable to set this to true, as it completely disables the new protection mechanisms. However, in controlled environments where many old new server must be accessed, this may be used.

It's highly recommended to leave this at the default value “false”, and instead populate preference security.ssl.renego_unrestricted_hosts with a list of hosts that require the exception.

The preference carries “temporarily_available_pref” in its name, as it's supposed to go away later.

Regarding default values:

current development versions (including Firefox 4 beta) use “false”.
The stable releases 3.5.9 and 3.6.2 use “true”.
It's not yet decided which default value will be used for the stable Firefox 4 release.

Advice: just try the way that Moogs mentioned.