Closed Bug 1155712 Opened 10 years ago Closed 9 years ago

paslists.com:9211 is TLS 1.2 intolerant

Categories

(Web Compatibility :: Desktop, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: eraskin, Unassigned)

Details

(Keywords: site-compat)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36

Steps to reproduce:

I am the administrator for our web site: https://www.paslists.com:9211/forms/frmservlet?config=RESPONSEDE. This is a customer-facing online system that was working until Firefox v37 came out. It still works with Chrome, Opera and Safari. We use a Go-Daddy SSL certificate - all SHA-2 chain - which now no longer works. However, if I set security.tls.version.fallback-limit to 1, it works again.

I am reporting this per the note I found that describes the work-around (https://hacks.mozilla.org/2015/04/trainspotting-firefox-37-developer-edition-and-more/). Text follows:

-------------------------------------------
We have disabled insecure TLS version fallback. If a secure site isn’t working, you can try setting the “security.tls.version.fallback-limit” preference in about:config to 1 and see if it works then. If you see this anywhere, please file a Tech Evangelism bug, noting the URL of the site, so we can work with the operators to update it. Site operators should make sure their servers aren’t TLS-intolerant, which you can do with the SSL Labs tool.
--------------------------------------------

We are running Weblogic 10.3.6 as part of Oracle Forms and Reports 11.1.2.0. Oracle has no information on this issue for us. The underlying version of Java is 1.7.0_45. Please help us repair our site so that this change is no longer required!
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: site-compat
Summary: Web site requires security.tls.version.fallback-limit=1 to work → paslists.com requires security.tls.version.fallback-limit=1 to work
Hi eraskin, Thanks for the report. It looks like your server is TLS 1.2 intolerant (because security.tls.version.fallback-limit=2 works as well). Unfortunately I'm not sure how you can fix the server, other than setting up a reverse proxy that isn't TLS 1.2 intolerant, or upgrading your Oracle stack. Maybe others who do know could chime in. In any case, if your site isn't fixed in time, it will be added to a static whitelist so that connections will work by default again. However the earliest that change will hit a release version is Firefox 38 (scheduled for release on the week of 2015-05-12).
Summary: paslists.com requires security.tls.version.fallback-limit=1 to work → paslists.com:9211 is TLS 1.2 intolerant
Version: Firefox 37 → unspecified
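A site operator can check for the version intolerance diagnosed above by sending the same ClientHello with different maximum versions and comparing the replies. The following is an added example, not part of the bug thread or of any Mozilla tool; the function names and the offered cipher-suite list are assumptions chosen for illustration.

```python
import os, socket, struct, sys

VERSIONS = {"TLS 1.0": 0x0301, "TLS 1.1": 0x0302, "TLS 1.2": 0x0303}
# Assumed offer: common RSA/DHE suites (AES-GCM, AES-CBC, 3DES); no EC, so no extra extensions needed.
SUITES = [0x009C, 0x002F, 0x0035, 0x000A, 0x0033, 0x0039]

def client_hello(max_version, host):
    """Build one ClientHello record whose client_version is max_version."""
    name = host.encode("ascii")
    # server_name extension: type 0, ext length, list length, name_type 0, name length, name
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (struct.pack("!H", max_version) + os.urandom(32)
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", 2 * len(SUITES))
            + b"".join(struct.pack("!H", s) for s in SUITES)
            + b"\x01\x00"                               # null compression only
            + struct.pack("!H", len(sni)) + sni)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record-layer version stays 0x0301, as clients commonly send it for the first hello.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify(reply):
    """Classify the first bytes the server sent back."""
    if len(reply) >= 7 and reply[0] == 0x15:
        return "alert:%d" % reply[6]                    # alert description code
    if len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02:
        return "server-hello:0x%04x" % int.from_bytes(reply[9:11], "big")
    return "no-reply" if not reply else "unexpected"

def probe(host, port, max_version, timeout=5.0):
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(client_hello(max_version, host))
            return classify(s.recv(4096))
    except OSError:                                     # reset, refusal or timeout
        return "no-reply"

def verdict(results):
    """results maps a VERSIONS label to the classify() string for that hello."""
    answered = {k for k, v in results.items() if v.startswith("server-hello")}
    if "TLS 1.2" in answered:
        return "tolerant"                               # any ServerHello counts, even a lower version
    return "TLS 1.2 intolerant" if answered else "inconclusive"

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    results = {label: probe(host, port, v) for label, v in VERSIONS.items()}
    print(results, "->", verdict(results))
```

A tolerant server that only speaks TLS 1.0 still answers the TLS 1.2 hello with a ServerHello carrying 0x0301; an intolerant one sends an alert or drops the connection for that hello while answering the older ones.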
Switch to the JSSE stack, which should be a simple config change.
Unfortunately, we have configured Weblogic for the JSSE stack. Of course, maybe we did it incorrectly, but it is set up.
Then it is probably something in front of the actual server, maybe a firewall.
Interesting. We are running ClearOS as a firewall, port forwarding our https port straight to our Weblogic 10.3.6 server. Any suggestions on what to check in the firewall? I've never seen port forwarding interfere with an SSL protocol before.
Firefox can no longer connect to this server anyway due to a 768-bit DHE key. I'll remove this server from the whitelist.
Seems to be fixed. Successfully connected with 3DES over TLS 1.2.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility