Secure connection: fatal error (40)

2. March 2011, 06:36:26

paleolith

Posts: 52

Secure connection: fatal error (40)

Just upgraded from 10.10 to 11.01. Windows Vista with latest updates.

Tried to connect with my bank and I get

Secure connection: fatal error (40)
Failed to connect to server. The reason may be that the encryption methods supported by the server are not enabled in the security preferences.
Please note that some encryption methods are no longer supported, and that access will not be possible until the website has been upgraded to use strong encryption.

Well obviously this is a huge problem. Either for me or for Opera, because I will be forced to migrate one more site to Firefox, and I would much prefer to keep it in Opera. I thought that by upgrading to v11 I would be able to move some sites from Firefox back to Opera ...

None of the possibilities listed in the message (not included above) apply. It was working a couple of days ago in v10.10. It works right this minute in the current version of Firefox.

I have to conclude that something changed between v10.10 and v11.01, or else that something broke during my upgrade/installation.

Any ideas?

Edward

2. March 2011, 10:43:14

yngve

Senior Developer

Posts: 2970

This site has been patched for a security issue called the TLS Renego issue.

Unfortunately, the server has not been properly fixed, and the server is actually intolerant of the technology needed to make the patch work properly: TLS Extensions (this requirement is spelled out clearly in the specification for the protocol patch). Opera expects and requires Renego-patched servers to be extension and version tolerant, and will not compromise security by falling back to SSL v3 only, without extensions (falling back to an older version than the one supported by the server is actually a security vulnerability, and SSL v3 is the weakest of the currently used SSL/TLS protocol versions). It is therefore not possible to establish a connection using TLS 1.0 with TLS Extensions.

This site is one of 123 known among the 180144 patched servers scanned this week that have this problem. There are also 142 (38 overlapping) that are version intolerant. This is actually much less than the roughly 800 sites that have not patched all their servers yet.

This site is using an SSL accelerator frontend (it says it is using IIS/7, but I know it doesn't have this particular issue), so the bank will need to get a proper patch for the frontend.

Sincerely,
Yngve N. Pettersen

5. March 2011, 03:30:02 (edited)

paleolith

Posts: 52

Thanks, Yngve. I will report this to the bank. However, since they are certain to complain that they don't support Opera, I attempted to see what Firefox might be planning. I found this page, which says that Firefox will log violations to the error console. Specifically, it says

while we wait for most of the web to upgrade, software testers need to know whether a site is vulnerable or not, and evangelists want to push server operators to upgrade their systems.

Therefore Firefox (and other Mozilla products) log information about “potentially vulnerable” servers to the Error console using the message "<site> : server does not support RFC 5746, see CVE-2009-3555".

However, when I view the error console in Firefox and open the ccbg.com web site, I see nothing related (no errors, no messages, and the only warnings are related to the crappy HTML).

Why do Opera and Firefox disagree? Is there a way I can elicit this (at least as a warning) in Firefox? (Or if I have to, holding my nose and using IE.) That would give me a much better chance of getting past the front line support.

I should note that I don't know how to find another non-compliant server, so I can't verify that Firefox actually logs the condition as claimed.

Edward

5. March 2011, 13:17:14 (edited)

yngve

Senior Developer

Posts: 2970

Originally posted by paleolith:

However, when I view the error console in Firefox and open the ccbg.com web site, I see nothing related (no errors, no messages

Because the site does implement the Renego (RFC 5746) patch, Firefox will not display that warning. The problem is that if the client supports the Renego patch and also supports the RFC 4366 Certificate Status extension (which Opera and IE on Win7 do), the server just shuts down the connection. Earlier this week I found that the problem is caused by the combination of the two extensions; everything is fine when only one of them is used (most browsers also send a third extension called the Server Name Indication (SNI) extension, but it does not affect this). IE allows itself to be "chased" all the way back to SSL v3 (a 15-year-old protocol version, with some problems) before it is able to connect; Opera's implementation of this patch is specifically designed to not permit such a "version rollback attack" for Renego-patched servers (see original article).

This bank is hosted in a 256 IP address range operated by one specific hosting company that is hosting at least 25 sites (of the 40 known with this particular issue; there are about 20 others that have a problem with the SNI extension), which all exhibit this problem. The hosting company's CTO has been made aware of the issue.

Sincerely,
Yngve N. Pettersen
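The two extensions Yngve names above, shown on the wire as an added example that is not code from this thread, from Opera or from any of the products mentioned: it builds a minimal TLS 1.0 ClientHello with the RFC 5746 renegotiation_info and RFC 4366 status_request extensions (plus SNI and the SCSV alternative an extension-less client uses), parses the extension list back out, and models the described frontend that drops the handshake only when both extensions are present. The hostname and cipher suite list are constructed sample values.

```python
"""Minimal TLS 1.0 ClientHello builder/parser for the RFC 5746 + RFC 4366 extension
combination. Constructed example; the 'frontend' function models only the behaviour described."""
import struct

EXT_SERVER_NAME = 0x0000         # server_name (SNI), RFC 4366/6066
EXT_STATUS_REQUEST = 0x0005      # status_request (certificate status / OCSP), RFC 4366
EXT_RENEGOTIATION_INFO = 0xFF01  # renegotiation_info, RFC 5746
SCSV_RENEGO = 0x00FF             # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, RFC 5746

def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(host, ciphers, *, renego_ext=False, status_request=False,
                       sni=True, scsv=False):
    """Return a TLS 1.0 ClientHello handshake message (record layer omitted)."""
    if scsv:  # how an extension-less (e.g. SSL v3) client signals Renego support
        ciphers = list(ciphers) + [SCSV_RENEGO]
    body = b"\x03\x01" + bytes(32)   # client_version 3.1; random zeroed for the example
    body += b"\x00"                  # empty session_id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"              # compression_methods: null only
    exts = b""
    if sni:
        name = host.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        exts += _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)
    if status_request:
        # status_type ocsp(1), empty responder_id_list, empty request_extensions
        exts += _ext(EXT_STATUS_REQUEST, b"\x01\x00\x00\x00\x00")
    if renego_ext:
        exts += _ext(EXT_RENEGOTIATION_INFO, b"\x00")   # empty renegotiated_connection
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType client_hello(1)

def parse_extensions(client_hello):
    """Return the extension types in a ClientHello, in wire order ([] if none)."""
    p = 4 + 2 + 32                              # handshake header, version, random
    p += 1 + client_hello[p]                    # session_id
    p += 2 + struct.unpack("!H", client_hello[p:p + 2])[0]   # cipher_suites
    p += 1 + client_hello[p]                    # compression_methods
    if p >= len(client_hello):
        return []
    end = p + 2 + struct.unpack("!H", client_hello[p:p + 2])[0]
    p, types = p + 2, []
    while p < end:
        ext_type, length = struct.unpack("!HH", client_hello[p:p + 4])
        types.append(ext_type)
        p += 4 + length
    return types

def intolerant_frontend_accepts(client_hello):
    """Model of the described frontend: handshake dropped only when both extensions are present."""
    present = set(parse_extensions(client_hello))
    return not {EXT_RENEGOTIATION_INFO, EXT_STATUS_REQUEST} <= present
```

A client sending only one of the two extensions, or the SCSV with no extensions at all, gets through this model, which is the asymmetry the thread describes between Opera/IE-on-Win7 and Firefox.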

5. March 2011, 21:08:10

paleolith

Posts: 52

Originally posted by gdveggie:

If you, as a customer of the bank, indicate you have a security concern, that alone should be sufficient to get to a supervisory level person to explain the concern.

Umm ... here's the dialog I expect ...

me: Opera is demonstrating a severe security vulnerability which endangers me and you.

Bank CSR: You are able to access and use the site with Firefox, right?

me: Yes, but that's because Firefox is still open to the attack.

Bank CSR: You are able to access and use the site with Firefox, right?

me: Firefox will probably be changed soon to eliminate this hole, and then I will not be able to access the site using Firefox.

Bank CSR: You are able to access and use the site with Firefox, right?

me: I'd like to insist that this problem, and my concerns, be reported to your network administrators.

Bank CSR: You are able to access and use the site with Firefox, right?

Part of the problem is that the front-line CSR does not have the mental model to understand the issue. The CSRs are trained to get the customer working -- and in probably at least 95% of the cases, their assumption that the customer is the one who needs help is correct. Not only is the net the computer, today the browser is the computer, and by extension the browser is the net. Most users do not fully understand the distinction, and bank CSRs are not trained to help people understand, only to get them access to their accounts.

(What bank can stay in business ignoring customers' security concerns?)

And what bank can stay in business making bad loans ...

yngve's statistics are pretty telling, if not compelling

Yes, I'm convinced. The issue is how to prod the bank into action. Which turns out to be a multi-level problem, based on Yngve's further response (see below).

Heck, you might even contact them and find that they're already aware of it and working on it!

Which might be true. But having learned from Yngve that the problem is actually at Jack Henry and Associates, not at CCBG ... well, I might end up writing a letter on paper. If the bank is aware but Jack Henry is dragging its feet, a letter from a concerned and knowledgeable customer (which probably would reach someone beyond the front line help desk) might help them hold Jack Henry's feet to the fire.

Originally posted by yngve:

Because the site do implement the Renego (RFC 5746) patch, so Firefox will not display that warning

Ah-ha. I also tried tightening the security options mentioned in the Firefox notes that I linked earlier: set

allow_unrestricted_renego_everywhere to false
require_safe_negotiation to true
treat_unsafe_negotiation_as_broken to true

FF still doesn't log anything. (I didn't fully understand what these options do, so this was just a stab in the dark.)

I use Opera in part because of the attention to these details. But I know from experience that I'll get a much better response from the bank when FF reports the problem. (I'm sure that IE will be the last to indicate anything at all. Heaven forbid that MS would put effort into explaining mundane matters like security to its customers.)

IE allows itself to be "chased" all the way back to SSL v3 (a 15 year old protocol version, with some problems) before it is able to connect

Ugh. I verified that IE does not complain at all, though I did not expect anything else.

This bank is hosted in a 256 IP address range operated by one specific hosting company that are hosting at least 25 sites [...] who all exhibit this problem. The hosting company's CTO has been made aware of the issue.

Ah-ha again. I had not previously realized that Jack Henry hosts the ccbg.com site as well as netteller.com. When I get the ccbg.com home page, I enter my user ID (not password), and get directed to netteller.com to complete the authentication and for the rest of the session. I had assumed that if I could get past the first step, then I'd be OK. But now that I know (from figuring it out after reading Yngve's post) that Jack Henry hosts both domains, and (from Yngve) that it's the SSL front end there that's causing the problem, I know that it's the entire session that's the problem, not just the first step.

Over the past few years, I have disliked other things which are clearly Jack Henry's doing. This certainly cinches it. If I were advising a client, I would tell them to steer clear.

Edward

7. March 2011, 04:23:42

paleolith

Posts: 52

Originally posted by gdveggie:

you spent way more time drafting the post than it would take to contact the bank and get the ball rolling.

Heh, guilty as charged. And as usual.

Hmm, going there in person is a possibility. There's a couple of managers at my branch who know me pretty well. It doesn't hurt that I'm a 30-year-duration customer.

Thanks,

Edward

26. May 2011, 21:05:58

paleolith

Posts: 52

Well, I never got around to beating up on my bank. But glory hallelujah, it's fixed!

(I'm assuming that Opera didn't back off ... no reason they should! But I last saw the error using v11.03 and first saw it fixed using v11.11.)

Yngve, it would be interesting to hear how much the count of unfixed servers dropped recently.

Edward

27. January 2012, 08:34:48

gdveggie

(Arcimboldo's "The Gardener" - ca 1590)

Posts: 1710

I'm actually guessing this won't work, but it's such a quick thing to try that it might be worth it (my boilerplate):

Many problems reported with new Opera versions vanish with a fresh installation. The quickest way to find out (5-10 min) is to try a fresh Opera installation in a completely new folder (e.g., C:\Program Files\Opera11_01\ instead of the typical C:\Program Files\Opera\). This simply sidesteps many registry and user profile problems that sometimes occur with updated installations, and doesn't require that you uninstall any existing Opera installations. (You can have more than one Opera version installed at the same time, or more than one copy of the same version, and even have them running simultaneously, as long as they are installed to different folders.)

If the fresh Opera installation works properly, you can either just proceed with the fresh installation or decide if it is (a) worth the effort to migrate any old bookmarks/settings/skins/etc to the new installation or (b) completely clean out any vestiges of the old installation from your registry and file system so you can get a fresh installation in the typical C:\Program Files\Opera\ folder.

Also, a couple years ago I had to contact my bank for info about a security setting (don't recall now what it was exactly) to get a browser working on their site (IE, I think, but don't recall for sure). Your bank might need to tell you how to set something, e.g., in your Security Protocols:
(Tools > Preferences (or Ctrl+F12) > Advanced > Security > Security Protocols )

27. January 2012, 08:34:48

gdveggie


Posts: 1710

@yngve: Very interesting! Thanks for the informative and educative post!

27. January 2012, 08:34:48

gdveggie


Posts: 1710

Originally posted by paleolith:

...they are certain to complain that they don't support Opera

That would be my first thought, too. ...But my second thought is that this is a security issue that stands on its own, independent of Opera, as attested to in the Mozilla page, the MyOpera page, and probably other sites as well.

If you, as a customer of the bank, indicate you have a security concern, that alone should be sufficient to get to a supervisory level person to explain the concern. (What bank can stay in business ignoring customers' security concerns?) Then if you point a bank rep to yngve's post and the MyOpera and Mozilla pages, it might be enough to get them to take a serious look at it.

(yngve's statistics are pretty telling, if not compelling: "This site is one of 123 known among the 180144 patched servers scanned this week that have this problem. There are also 142 (38 overlapping) that are version intolerant. This is actually much less than the roughly 800 sites that have not patched all their servers yet.")

Heck, you might even contact them and find that they're already aware of it and working on it!

27. January 2012, 08:34:48

gdveggie


Posts: 1710

Wow, yngve! Again, very informative! Not even my thread/issue, but thanks!!

27. January 2012, 08:34:48

gdveggie


Posts: 1710

lol Great post!!!

I was literally laughing as I read it... ...but not because of your pessimism (well, OK, maybe that was part of it). I was laughing because it is so obvious from your post that you will be able to acquit yourself well if/when you run into the front-line CSR response!

...And that you spent way more time drafting the post than it would take to contact the bank and get the ball rolling.

...But then that means I'm laughing at myself, because I do the same thing.

And as for the repeated "You are able to access and use the site with Firefox, right?", one good way to deal with a repetitive reply is to have one of your own and, if necessary, be just as repetitive. So I think I might prepare and mentally rehearse a statement to repeat back, such as, "Yes, and that is exactly the problem, and that's why I'd like to speak to someone with the ability to address this issue." ...Which I guess gets to the strategy I was imagining and kind of implied: to either bypass the CSR level or get past the CSR level as quickly as possible:

Originally posted by gdveggie:

If you, as a customer of the bank, indicate you have a security concern, that alone should be sufficient to get to a supervisory level person to explain the concern.

Usually it is sufficient to simply request to speak to a supervisor at the outset (and I certainly wouldn't expect a CSR to address this issue in any meaningful way). Even with a supervisor, I wouldn't expect the supervisor to be able to do anything about it except to help me contact the next level of assistance. But after reading your post, I think I would set my sights a little higher and go into it with the intention of persistently proceeding up the ladder and/or through the departments until I can explain the situation to someone who has some authority and responsibility to take the issue and run with it.

I just realized I should maybe make another thought explicit: I'm not thinking of going at this on the level of "I want to be able to use my favorite browser, Opera." I'm thinking more along the lines of "I want to be able to use a secure browser, and the one I'm most familiar with that addresses these specific security issues is Opera." (i.e., if IE or FF were secure, I would be willing to use them). ...And then I suppose you have to decide whether to say, "But the real issue is the bank's servers are not secure." ...And maybe it's not a bad idea to consider just approaching it as a server issue rather than a browser issue in the first place.

Also, I don't know your situation, but I was imagining going in to my bank rather than calling a customer service number. I think it is often more effective to talk with someone face-to-face, and there are always management level people available at any major branch (often "VP" level) with the motivation to satisfy you and probably with enough knowledge and authority to at least pursue the issue up a level or two to get better answers and get back to you.

Well, whatever you decide to do, post back and let me know how it goes. I just wanted to encourage you to proceed, because it seems clear you have the wherewithal to push it through if you decide you want to. So I say GFI!! (Go for it!) And in case my color scheme is too obscure, I'll point out that I figure your bank is making you blue but I'm imagining you GOing for it!

27. January 2012, 08:34:48

gdveggie


Posts: 1710

Originally posted by paleolith:

...There's a couple of managers at my branch who know me pretty well. It doesn't hurt that I'm a 30-year-duration customer.

lol Laughing again for the same primary reason. You just knocked your credibility and chances for success up another couple of notches! (or 6)

2. April 2012, 16:12:10

Operanix

Posts: 38

Hi,

I got the "Secure connection: fatal error (40)" too.
Actually I am using Opera 11.62 on MS WinXP Pro; under the previous version 11.61 all worked fine.
The website causing this problem is: https://blog.fefe.de/
CAcert certificates are successfully imported into Opera.
Firefox and IE are working fine with this website.
What could be the problem? Just a misconfiguration here?

Best regards.

2. April 2012, 18:51:03

paleolith

Posts: 52

Operanix, I suggest that you start a new thread so that you can get more attention to the problem. Although you are getting the same error message, this is clearly a completely different problem. My original posting turned out to be a problem with a site not patching their software to fix a protocol problem, and nothing to do with security certificates.

I see the certificate problem, but I can reach the site when I say trust the certificate anyway. That would not have happened with the original problem.

Edward