baicai

白菜

A diligent code porter!

Fix the "Failed to establish a secure connection" error that Firefox shows when opening Weibo search or hot search.

title: "Fix Firefox Failed to Establish Secure Connection Error When Accessing Weibo Search or Hot Search"
date: 2022-05-06T20:57:36+08:00
slug: Firefox_weibo_alpn
type: posts
draft: false
categories: ["Applications"]
tags: ["firefox","weibo"]

Application Version: Firefox Developer Edition v101
Problem Description: The Weibo homepage can be accessed normally, but when clicking on the search or hot search links, the following error message is displayed:

    Failed to establish a secure connection

    An error occurred while connecting to s.weibo.com.

        The received data cannot be verified for trustworthiness, so the page you want to view cannot be displayed.
        It is recommended to report this issue to the website administrator.

    Learn more…

Repeated comparison against the output of the command curl -v "URL" showed that, when accessing Weibo hot search, a negotiation step of the encrypted connection was rejected by the "Weibo Account Authentication Gateway Server".

Specific test steps:
Use

    curl -v "https://s.weibo.com/weibo?q=%23%E7%A5%9D%E8%9E%8D%E5%8F%B7%E5%87%86%E5%A4%87%E5%9C%A8%E7%81%AB%E6%98%9F%E8%B6%8A%E5%86%AC%23&topic_ad="

to obtain the 302 redirect link.
Then request that link with

    curl -v "https://passport.weibo.com/visitor/visitor?entry=miniblog&a=enter&url=https%3A%2F%2Fs.weibo.com%2Fweibo%3Fq%3D%2523%25E7%25A5%259D%25E8%259E%258D%25E5%258F%25B7%25E5%2587%2586%25E5%25A4%2587%25E5%259C%25A8%25E7%2581%25AB%25E6%2598%259F%25E8%25B6%258A%25E5%2586%25AC%2523%26topic_ad%3D&domain=.weibo.com&sudaref=&ua=php-sso_sdk_client-0.6.29&_rand=1651842429.1375"

which returns

    ……
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / AES256-GCM-SHA384
    * ALPN, server did not agree to a protocol
    * Server certificate:
    *  subject: C=CN; ST=Beijing; O=Sina.com Technology(China)Co.,ltd; CN=sina.com
    ……

Note this line:

    ALPN, server did not agree to a protocol

ALPN

ALPN (Application-Layer Protocol Negotiation) is a TLS extension for negotiating the application-layer protocol. Because the negotiation happens inside the TLS handshake, it avoids the overhead of additional round trips.
ALPN can negotiate any application-layer protocol; at present its most common use is negotiating HTTP/2. Current mainstream browsers only support HTTP/2 deployed over HTTPS, because browsers use ALPN to determine whether the server supports HTTP/2.

Browser Negotiation Principle

The ALPN negotiation exchange can be analyzed by capturing packets with Wireshark.

* When the browser establishes an SSL connection and sends the first Client Hello packet, it carries the list of protocols the browser supports in the ALPN extension field.

* When the server returns the Server Hello packet, if the server supports HTTP/2 it returns "h2"; otherwise it selects a protocol it supports from the client's protocol list, usually HTTP/1.1.

ALPN support on both the browser and the server is the prerequisite for using HTTP/2.

Most web servers rely on the OpenSSL library to provide HTTPS services, and whether ALPN is supported depends entirely on the version of OpenSSL used. ALPN support started with OpenSSL version 1.0.2.
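The two hello messages described above, as an added example that is not part of the original post: it encodes and parses the ALPN extension (type 16, with the wire layout defined in RFC 7301) and reports what a client learns from the Server Hello, including the case that curl prints as "server did not agree to a protocol". The function names and the sample bytes are constructed for illustration and were not captured from any real server.

```python
import struct

ALPN_EXT = 16  # TLS extension type for application_layer_protocol_negotiation

def encode_alpn(protocols):
    """Build a complete ALPN extension: type, length, ProtocolNameList."""
    names = b"".join(bytes([len(p)]) + p for p in protocols)
    body = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXT, len(body)) + body

def parse_extensions(buf):
    """Split a hello message's extensions block into {type: data}."""
    exts, i = {}, 0
    while i < len(buf):
        if i + 4 > len(buf):
            raise ValueError("truncated extension header")
        ext_type, length = struct.unpack_from("!HH", buf, i)
        i += 4
        if i + length > len(buf):
            raise ValueError("truncated extension data")
        exts[ext_type] = buf[i:i + length]
        i += length
    return exts

def parse_alpn(data):
    """Decode a ProtocolNameList: u16 list length, then u8-prefixed names."""
    if len(data) < 2 or struct.unpack_from("!H", data)[0] != len(data) - 2:
        raise ValueError("ALPN list length mismatch")
    names, i = [], 2
    while i < len(data):
        n = data[i]
        if n == 0 or i + 1 + n > len(data):
            raise ValueError("bad ALPN protocol name length")
        names.append(data[i + 1:i + 1 + n])
        i += 1 + n
    return names

def alpn_result(server_hello_exts):
    """Return the protocol the server picked, or None if it sent no ALPN."""
    exts = parse_extensions(server_hello_exts)
    if ALPN_EXT not in exts:
        return None  # the "server did not agree to a protocol" case
    chosen = parse_alpn(exts[ALPN_EXT])
    if len(chosen) != 1:
        raise ValueError("Server Hello must carry exactly one protocol")
    return chosen[0].decode("ascii")

# Constructed sample data: a renegotiation_info extension plus ALPN.
OTHER_EXT = struct.pack("!HH", 0xFF01, 1) + b"\x00"
CLIENT_EXTS = OTHER_EXT + encode_alpn([b"h2", b"http/1.1"])
SERVER_H2, SERVER_NO_ALPN = OTHER_EXT + encode_alpn([b"h2"]), OTHER_EXT
```

Calling alpn_result(SERVER_H2) gives "h2", while alpn_result(SERVER_NO_ALPN) gives None because the server's reply carries no ALPN extension at all.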

Disabling Firefox ALPN Functionality

Enter the following in the address bar:

    about:config

Confirm the risk warning.

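Enter "ALPN" in the search box.

Switch the value of

    security.ssl.enable_alpn

to false. This preference is global: with it off, Firefox stops offering ALPN to every site, so HTTP/2 is no longer negotiated anywhere.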
