SSL protocol checking breaks updates of FF Minefield 3.7

Discussion in 'ESET NOD32 Antivirus' started by vtol, May 1, 2010.

Thread Status:
Not open for further replies.
  1. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    SSL protocol checking breaks updates of FF Minefield 3.7 and MediaCenter

    running update of FF Minefield with SSL checking on (4.2.40.0 on WIN 7 64bit) returns the following error

    FF Minefield update.png

    for MediaCenter the error reads:

    Failed to retrieve EpgListings (Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.)


    no problems when SSL checking is off, hence please sort this bug out.
     
    Last edited: May 4, 2010
  2. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    this has not been fixed until date, SSL protocol checking breaking:

    FF Minefield updates
    WIN 7 64 bit MediaCentre Updates
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You can accomplish SSL scanning in FF Minefield by exporting the ESET root certificate (e.g. via IE) and importing it to FF manually.
     
  4. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    tried it, but it does not solve the matter.

    there are two types of certificates to be exported from IE8 32bit, *.cert and *.p7b. latter cannot be imported into FF Minefield. hence leaves the *.cert.
    the only FF store accepting is servers

    21-05-2010 12-29-55.png

    having the certificate there gets me still the error when updating as shown in the initial post.

    also leaves MediaCentre Updates, which for now excluded from SSL scanning, yet again just being a workaround but no fix
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please follow the instructions mentioned in this KB article. If you have already added Mozilla's certificate to the Trusted certificates list, remove it. The next time you'll attempt to update FF, a pop-up window asking you whether to trust the certificate will appear, choose Exclude and FF will update fine.
     
  6. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    thanks. wondering what is wrong with the *.mozilla.org certificate that it has to be excluded (which is just another workaround) by NOD? it will just not only impact the update but any website using the *.mozilla.org certificate

    and what is wrong with the MediaCenterUpdate?
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    That's so because there's no way to make the root certificate a built-in certificate and thus FF doesn't trust it.

    As for MediaCenter, I'm not familiar with it. Could you provide me with a link where I could download it from so that I can test it?
     
  8. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    strange, because according to the KB you referred to NOD is excluding the *.mozilla.org certificate and not FF excluding the Eset certifcate?

    it is actually build-in WIN 7, I reckon all flavours.

    21-05-2010 15-53-09.png

    its updater is

    21-05-2010 15-56-07.png

    and the error log is mentioned in the initial post
     
  9. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    before it gets forgotten
     
  10. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    not fixed yet :(
     
  11. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Re: SSL protocol checking breaks updates of FF 3.7 / MC update / FileZilla update

    on the MC update the error reads:
    seems the list keeps on growing, next application failing update with SSL protocol checking enabled is FileZilla, error log:
    and the workaround, mozilla certificate excluded) for FF does not work around any more with the latest FF 3.7 64bit version.

    when all of this getting fixed?
     
    Last edited: Jun 6, 2010
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: SSL protocol checking breaks updates of FF 3.7 / MC update / FileZilla update

    Mozilla products will not work with SSL enabled unless an exception is set. As it's been said, it's because 3rd party cannot be set as built-in which are the only ones Mozilla trusts.
     
  13. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Re: SSL protocol checking breaks updates of FF 3.7 / MC update / FileZilla update

    that exception/workaround you pointed too does not work any more with the latest 64bit version of FF Minefield. if is stays that way FF 4 update will not be working with NOD32 SSL protocol checking enabled.

    why would be a problem for Eset to get in touch with Mozilla and simply fix it?

    having said that there are more incompatibilities mentioned.
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: SSL protocol checking breaks updates of FF 3.7 / MC update / FileZilla update

    Not possible as a new root certificate is generated dynamically when SSL scanning is enabled. The only possible option would be accepting other than built-in certificates by Mozilla which is against their strict policy.
     
  15. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    MC update / FileZilla update not fixed with 4.2.58.3
     
Thread Status:
Not open for further replies.