ICS/Lotus (mostly), Linux, Travel, Skiing, Mixology, and Random Musing of Interest

Bill Malchisky


    Find me here…

  • Skype
  • Bleedyellow via Sametime
  • Firefox Upgrade Kills iNotes, ICS SSL Product Access with Domino CA/Self-Signed Certs

    Bill Malchisky  August 3 2014 07:00:00 PM
    On Thursday, 24 July, I ran iNotes on Firefox sans problems. When I tried it on Friday, 25 July, I received a server connection error. I replicated in Notes so I knew the server was up. Then I tried accessing iNotes via Chrome on the same machine -- it worked. Tried a different operating system: Firefox generated an error, but Chrome and Safari worked. My third OS permutation yielded the same results, substituting IE for Safari. In each case Firefox failed to connect via SSL. (The error code did not phase me as I see that occasionally when testing--several reasons for an invalid cert.) What changed? This was easy. That morning, I upgraded three of my machines to the latest version of the browser -- Firefox 31.

    Image:Firefox Upgrade Kills iNotes, ICS SSL Product Access with Domino CA/Self-Signed Certs

    My work-around proved successful, as utilizing another browser allowed me to continue sans issue, with a goal to troubleshoot later that weekend. The issue derives from a new security model within Firefox, forcing the hand of web site owners to utilize only third-party SSL certificates (ideally), unless the end-users enact an alternate solution. On Thursday, 31 July 2014, IBM released Technote 21680147, indicating the root cause with four recommended solutions/workarounds:

    1. Disable the new security library verification within the browser
    2. Use Firefox 24.7 extended support release (which omits this new capability); corporation release is here
    3. Use another browser brand
    4. Purchase a third-party SSL certificate

    the Technote illustrates implementation of option one, with links incorporating option four into your ICS servers, thus further details are omitted within this post.

    I can see several issues with the first three for smaller firms. Medium sized companies and larger firms tend to test carefully before desktop application upgrades of any software product; so a good plan will catch this error early, but possibly create an unexpected project. They also tend to use third-party certificates for external access. Test boxes can be impacted as paying for another cert may be outside of your budget, but the Domino CA makes it easy to test SSL access with an application -- as an example.

    There are issues outside of the ICS brand too. A business accessing a private VPN server via a browser's SSL connection to generate a secure tunnel will most likely have connectivity issues if that tunnel is generated with a self-signed certificate (I can think of a couple of good reasons for this scenario); sometimes a secure private box with specialized access, needs a self-signed certificate. Also, if end-users/testers access web applications on a site with a self-signed certificate, they could encounter issues with Firefox 31+.

    For most Internet accessible servers, the site administrator best practice utilizes third-party SSL certificates, which is a practice I condone. Having stated that, it is not an option in all cases, and now those affected have at least three ways to resolve it.

    Hope this helps and saves you some time.
    No Comments Found

    Powered by IBM Lotus Domino 8 | Lotus User Group | Get Firefox! | This blog is listed on Planet Lotus   IBM Certified

    © 2010 William Malchisky.