Firefox 61: Fix Secure Connection Failed
If you have upgraded to yesterday's new Firefox 61 version you may have received a secure connection failed error when trying to connect to this very site and others.
The error message reads:
Secure Connection Failed
An error occurred during a connection to [site name]. SSL received a record that exceeded the maximum permissable length. Error Code: SSL_ERROR_RX_RECORD_TOO_LONG.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Here is a screenshot of the error when trying to connect to the site using Firefox 61.
We know so far that the issue is related to establishing a secure connection but it is unclear just from reading the message whether that is a site problem, a browser problem, or caused by software that interferes with the connection.
Previous versions of Firefox don't throw the error message. Mozilla revealed in the changelog that it enabled the latest draft of the TLS 1.3 specification. We reviewed the change back in April 2018, and you can easily check which version of TLS is supported by loading about:config?filter=security.tls.version in Firefox's address bar. Check the security.tls.version.maximum value; it should read 4 which is the new maximum. Previous versions of Firefox used the value 3 there.
In fact, if you switch the value to 3 the error goes away. You can access any site again and the secure connection failed error does not show up anymore.
While you can do that, you may want to know more about the issue that is causing secure connections to fail in Firefox 61.
Update: Before you proceed with the instructions below, try the following in Firefox to see if it resolves the issue on your end:
- Open about:preferences#privacy in the browser.
- Scroll down to the Certificates section and click on "View certificates".
- Make sure the Authorities tab is selected.
- Locate Avast certificates and use the delete option to remove them
- Use the import button to import the certificates from C:\ProgramData\AVAST Software\Avast\wscert.dat
Chance is that you have Avast, AVG, or other security software installed on the device that interferes with HTTPS traffic.
If you run Avast, you can disable the HTTPS scanning part of the security software's Web Shield to resolve the issue without dropping the maximum TLS version in Firefox from 4 to 3.
Here is how that is done:
Double-click on the Avast software icon in the System Tray area to display the main interface of the application.
Select Menu > Settings to display all program preferences.
Switch to the Components section in the sidebar.
Select the customize link displayed for the Web Shield component.
Locate "Enable HTTPS Scanning" and uncheck the box.
Select ok to save the change and ok on the next page to return to the main interface.
When you try to load sites that failed to load in Firefox 61 previously you will notice that the sites load just fine.
Other security solutions may use similar components that interfere with HTTPS traffic. If you don't run Avast try to find an option in the settings to turn of HTTPS scanning to resolve the issue.
Now You: Did you run into Secure Connection Failed issues with Firefox 61?
Had to modify security.tls.version.max value to 2. (HTTPS scanning was already disabled.) The issue does not occur in Chrome browser.
I am using FF 67.0.1, this fix does not work. I tried everything. I am still getting “Secure Connection Failed”
nope, TLS 1.3 does not solve the problem. Plus, I do not use Avast
Damn, problem solved, setting: security.tls.version.max;3 and security.tls.version.fallback-limit;3
Now the sites that gave problems are loading fine, why mozilla did this? I bet many non geek people are switching browser because of this, this sucks! really this will make people hate firefox
The “maximum security change to 3” worked for me. I am using Kaspersky and fiddled around for 2 days now. Very helpful and thank you so much!
I used to have this issue every time I refreshed the Firefox. I had Kaspersky installed.
Avast fixed it. Everything is fine now.
I turned ‘Enable HTTPS Scanning’ back on in AVG Free and can confirm that I do not receive any more Secure Connection Failed error pages.
Thank you, Martin, for the work around. Thank you, Ficho, for the update.
Users should not be running out of date versions of Firefox, nor should you be setting the TLS version to something other than default. Both of those “workarounds” leave you vulnerable.
Instead, either disable the “web scan” malware that the anti-virus uses, or just uninstall crappy anti-virus altogether and use Windows Defender.
Please stop telling users to do things that put them more at risk.
Until firefox fixes this, I uninstalled firefox and reverted back to version 59 and this problem went away. Also, you have to disable the auto updates.
I just installed FF 61 on another PC. Avast is running. HTTPS scanning is enambled. There is no connection issue.
Very interesting!
Interesting, thanks for the info. The problematic appears more complex as time flies.
same problem here!!! this solved it so far!!!
Thank you Martin, appreciate it !
Webroot SecureAnywhere – No issues ;)
I tried both of the solutions mentioned in avast and about config but neither worked
Theodore winces; does he dare ‘disturb the universe’ and mention that any and all of the problems mentioned on Martin’s site he never encounters. Could it be something else. No problems with FF; no problems with Windows 10 upgrades and such things. He closes his eyes and jumps into a refreshing pool of La Sal mountain water that is percolating-winding through the desert valley. Moonflowers are beginning to open. The mosquitoes question his wet skin. The sunset makes the surrounding slickrock look like orange sherbet. Project Fi even works in the desolate reaches of lonely juniper trees and Indian Paintbrush. “Never mind,” he thinks. His twisted, old limbs climb out of the pothole. He shivers a bit. “Dry rains after hot days like this. Fires. He will be working 24/7 by July 4.” He knows this, feels this. Lives for the coming of the Fire.
Is it specific to COMODO SSL? I found that the issue more affected with sites that uses COMODO SSL.
Using Avast here and no problems occured.
Firefox recently shipped with TLS1.3 support where as Avast/AVG are still using TLS1.2.
Just delete the certificates and import them back again until they push out a fix.
https://bugzilla.mozilla.org/show_bug.cgi?id=1468892#c31
Win Defender/Firewall on here, does a pretty good job although every now & then, malware can slip through. Using Win 8.1, I’ll miss EMET which is MS’s mitigation tool due to be dropped next month.
I keep trying FF but it fails on sites that work flawlessly in Chrome. Venture Sky & Google Earth to name a few. Also Chrome doesn’t throw erroneous SSL msgs, I’ll see those if sites are legit bad or Ublock detects an issue.
Since upgrading, it’s happening constantly on everything, most notably Google.
Come on, Firefox, fix your crap.
Not a good move to turn off HTTPS scanning. Rather use the Firefox config than turning off HTTPS scanning. This is a Firefox (Mozilla) fault not AV companies.
How many people can’t read this article because they can’t access this site, and therefore can’t fix the issue to access this site? Irony.
I am just into this very issue for 2 days now… Thanks for the suggested fix
Martin, I know this is off topic (I apologize).
Could you do a write up on anti-virus software? (apologize again if its already been done). I’ve read again and again about ppl who don’t use AV software.
For ppl who do that:
– Do you have families?
– Does the wife and kids each have their own computer with some sort of protection while your computer has none?
– What AV protection do you recommend?
I’ll man up and admit that I visit shady sites (streaming sites). I’ve been using AVG Free and it has saved my ass plenty of times. I wouldn’t think of going to those sites without it (especially when crypto mining was popular awhile back. If you have kids, I wouldn’t think about letting them use a computer without AV, too. Mac or PC).
I would love to read the results of that article. Again I apologize.
@BigTuna2K18, very good question
Most tech literate people aren’t using AV solutions because AV is ‘a man in the middle’ that you choose to trust blindly. AV has access to ALL your system files and to ALL your internet traffic – it knows you better than your mother :). So, if you know your stuff, you cannot install such a software on your system. Better to risk to get a malware and restore from my backups than give all my data willingly.
I always used common sense and tech knowledge and I never had a problem, but you need to be tech savvy at least for that.
For my family and friends is another matter. I choose to install an AV on their systems and I did it for saving my time. BUT, I always choose a PAID AV because the ‘freeware’ solutions make money for their companies by collecting and using your data (because those companies make money even if you are not paying them). Second, do not activate HTTPS traffic scan or deactivate it if it’s enabled and do NOT install AV certificates on your system (or delete them), because these certificates are not issued by a CA and can be spoofed easily by a third person who would have complete access to your system, and because if you let the AV to scan your HTTPS traffic it will know all your Google, Facebook, banks and all other logins passwords which it can see them in plain text; and if it’s a ‘freeware’ solution that makes money ask yourself how it does it…. And even if it’s a trustworthy company, if its servers are hacked all your private data will be in the wild.
Honestly! Many reviews of free and paid security suites, but if one is going to “shady” sites, it might be better to use a Linux distro running in VirtualBox or VMware Player. Or maybe use Comodo and run the browser in a sandbox. “Shady” sites use highly sophisticated techniques to gain whatever is wanted. One’s entire identity can be had without the user even “sniffing” a clue.
Panda Global Shield sounds interesting. Personally, like BitDefender and Norton.
https://www.pcmag.com/article2/0,2817,2372364,00.asp
i think it’s time for you to let go avast
get with the times
Anti-virus software sucks 👎. Firefox with Tracking Protection and a well-configured ad/tracking blocker is all you need.
I would add HOSTS file to the list.
Stay away from Avast its caused a lot of problems in past and today is still causing. Just remember the nightmare that some people had a blue screen when they upgraded to Windows 10 1803 via update.
Whenever I update Windows, I turn off my AV because there is always the possibility that it could prevent some components from installing properly. I have not had an issue with this approach.
I also make a full backup of the drive before the update so I can get back no matter what happens. It only takes 4 – 5 minutes to save days of recovery.
I have Windows 7 and just upgraded to Firefox 61 yesterday. I use AVG Free and the ‘Secure Connection Failed’ error message was driving me CRAZY!!!
I brought up AVG –> Menu –> Settings –> Components –> Web Shield Customize and un-checked “Enable HTTPS Scanning” like you did for Avast (Avast and AVG are the same company now).
Thank you, thank you, THANK YOU!!!
Great that it worked out for you and thank you for the instructions for AVG.
Wow. Thanks for that one Martin.
I installed the latest Firefox but did not browse many sites. So, until I read this article in Chrome, I was unaware of the problem with Firefox.
How is it that Chrome does not have this issue when I am using HTTPS Everywhere?
This would seem to suggest that Firefox is the real problem.
OK, I’m guessing that Chrome is not using TLS 1.3.
Chrome uses TLS 1.3 (it is the default on my Chrome).
No HTTPS problems.
@ilev, to be noted perhaps that there is no Firefox 61 TLS1.3 HTTPS problem as such. Myself and many other users have set security.tls.version.max to 4 since a long time without facing connection issues and when we have the very nature of the issue is that a site won’t handle it, nothing to do with Firefox. Problems reported here and elsewhere concern users who run an antivirus which includes HTTPS scanning and which get triggered by a setting they hadn’t either coded or anticipated, which is by the way relevant of faulty practices.
Hey Tom, hopefully you have some insight.
How is it that, before this fix, with Avast is scanning HTTPS, Chrome (apparently using TLS 1.3) worked fine and Firefox (updated to use TLS 1.3) did not?
I’m curious.
@pHROZEN gHOST, maybe the answer is in your question : “Chrome (apparently using TLS 1.3)”. Apparently or factually? If factually then I have no answer, and because I don’t have Chrome installed and never get to use it wherever I go (all my friends use Firefox) I cannot further investigate on that battle ground!
Hey Tom,
I respect your right to use whatever browser you choose.
I used the word “apparently” because of a comment made by ilev. Checking further, I can confirm that TLS 1.3 is on in Chrome.
http://www.ssllabs.com/ssltest/viewMyClient.html
So, it would appear that the issue is with Firefox not the AV’s scanning of https.
@pHROZEN gHOST,
“[…]So, it would appear that the issue is with Firefox not the AV’s scanning of https.”
Basically, logically, experimentally : yes.
But have you considered the impact of negative thoughts on the outcome of phenomenology?
No? Neither have I : my joke to hide my consternation : it indeed seems that at least part of the issue is specific to Firefox 61, which would invalidate my above, previous comment.
I am stunned immaculate :=)
For what it’s worth, after reading this article (in Chrome), I updated Firefox to version 61 and nagicated to https://www.ghacks.net. I connected successfully, with no error, on the very first try.
This has happened for me twice in the past when using Sandboxie and Firefox updated. I searched and found the about:config modification that solved the problem. Each time Sandboxie responded and fixed the problem in a week or two. So if you gave up using Sandboxie in the past because of this problem, update to the latest version and this problem will likely be gone. I say ‘likely’ because computers are complex beasts, and many times what works on one computer doesn’t work for someone else.
security.tls.version.max 4 works for me with Bitdefender Antivirus Plus 2018
I wouldn’t be surprised if Mozilla’s market share dropped from 10% to below 5% overnight because of this catastrophe. I had to go to my phone for an answer because I couldn’t load Google from my desktop.
What kind of QA team doesn’t test their software’s new SECURITY interaction with the top 3 most popular AV software? Does nobody at Mozilla use AV? Are they all just running around practically naked with just Windows Defender loin cloths?
If it’s a browser bug, they should have caught it and fixed it. If it’s the AV’s fault, they should have deprecated the new security protocols until the AV companies implemented proper adherence to standards. Either way it’s Mozilla’s fault and this should have never been allowed out the door.
As someone who has been using FF since the pre-Netscape / Mosaic days. I can say with confidence that this is easily the single most stupidest thing they’ve done – ever. Until now they’ve had a history of questionable-to-poor judgment, but this is just plain incompetence.
I couldn’t have said it better. In addition, my Lastpass addon kept logging me out every time I closed FF. That’ll be a few hours I’ll never get back trying to trouble shoot! Thank goodness I stumbled upon this submission by gHacks.
I had this very same problem just a couple of weeks ago even though I had Waterfox rather than Firefox installed on my mobile phone.
Whenever I go away on vacation to Thailand I always purchase a local SIM in order to avoid roaming charges. On this particular occasion, I bought a local SIM from AIS in their own store in Patong, Phuket. At first the same message as shown in the article appeared whenever AIS tried to make a connection, but they eventually resolved it although I don’t know how exactly.
I use the free version of Sophos Mobile Security on my phone though which is more than adequate for me having switched to that after Malwarebytes ceased to offer the full range of protection for the free version at the time. I’ve looked at the settings, but can’t find anything relevant unfortunately. However, now that I’ve returned home, I don’t use the phone for browsing at all preferring instead to use my Windows 8.1 laptop.
No problems on Windows 7 with no antivurs (ahahahaha, how ironic) and security.tls.version.maximum=4.
I first felt like copy/pasting your comment, Yuliya, laugh included!
No antivirus here as well, and if I had one it certainly wouldn’t be Avast which is always a problem ahead : what now this time, besides recalls to upgrade to a paid version for those who run it as freeware? They’d rather anticipate browsers’ modifications than focus on potential customers.
In fact I’ve had security.tls.version.max set to 4 for some time now and if I ever encountered an issue it will have been for a site not important enough (in my view) to lower 4 to 3.