There’s a lot of really bad advice on this, so be careful what you trust.
In addition to my daily screeds on Hashed Out, I also tackle a range of other SSL-related writing tasks throughout my day-to-day—one of those is troubleshooting articles. Yesterday I was doing research for a knowledgebase article on how to solve a Firefox error message: SSL_ERROR_RX_RECORD_TOO_LONG.
The problem with these articles is that they’re written to check boxes on an SEO checklist instead of written from a security-first standpoint. And in this context that’s dangerous because Google’s algorithm rewards the SEO-optimized misinformation over more accurate descriptions that weren’t necessarily meant to rank well.
So, today we’ll use our own SEO powers for good and talk about the SSL_ERROR_RX_RECORD_TOO_LONG Firefox error. There seems to be a lot of confusion over what this error actually is. What it means. How to fix it. And apparently we also need to outline some things that you definitely shouldn’t do.
So, let’s hash it out.
What is SSL_ERROR_RX_RECORD_TOO_LONG?
The SSL_ERROR_RX_RECORD_TOO_LONG message from Firefox typically comes as a result of a misconfiguration on the server side. Contrary to what a lot of these guides will tell you, there usually isn’t a whole lot that a regular internet user can do to overcome the SSL_ERROR_RX_RECORD_TOO_LONG message. Most of the advice is dangerous. It asks the user to adjust something to accommodate what is, in all reality, bad security on the part of the website you’re trying to visit.
Let’s start by covering the two most predominant causes of the SSL_ERROR_RX_RECORD_TOO_LONG message from the server side:
- You’ve got the listening port misconfigured – If you want your website to establish secure connections you must configure it to use Port 443.
- You don’t support an adequate TLS version – This problem arose ten years ago with the advent of TLS 1.2 and is appearing again with TLS 1.3.
The vast majority of the time, the SSL_ERROR_RX_RECORD_TOO_LONG message occurs because of one of those two issues on the server-side. Let’s go over how to fix both of these, and then we’ll go over some possible other fixes from the client side—as well as what not to do from the client side. Let’s start with the simplest of the two…
Upgrade TLS Version Support to fix SSL_ERROR_RX_RECORD_TOO_LONG
TLS 1.3 was formally published in the middle of August as RFC 8446. It’s not exactly new, though: the standard was debated and refined over about 28 drafts, and plenty of major industry players knew enough of what would be in it to begin rolling out support early. As such, most major browsers already have TLS 1.3 active and many servers have already begun to upgrade.
So, what do you need to do to improve TLS version support? You’re going to need to update your SSL/TLS library. The majority of servers and systems use the OpenSSL library, whose 1.1.1 update, pushed out in September, supports TLS 1.3.
If you’re not ready to support TLS 1.3 for whatever reason, at least make sure you’re supporting TLS 1.2. Support for TLS 1.0 and SSL 3.0 should now be fully deprecated and disabling TLS 1.1 is also strongly advised. So, to recap:
- Add support for TLS 1.3 as soon as possible
- Make sure you’re supporting TLS 1.2 at the very least
- Turn off support for SSL 3.0, TLS 1.0 and (highly suggested) TLS 1.1
Upgrading OpenSSL is going to vary from server to server, but there’s plenty of documentation to help you with it.
Configuring the correct listening port to fix SSL_ERROR_RX_RECORD_TOO_LONG
As we mentioned earlier, the correct listening port for HTTPS traffic is 443. So if you’re using an irregular port or you don’t have a trusted SSL/TLS certificate on that port, you’re potentially going to trigger the SSL_ERROR_RX_RECORD_TOO_LONG message.
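Why a port that answers in plaintext produces this particular error: a TLS client reads the first five bytes of the reply as a record header. The sketch below is an added example, not code from the original article or from Firefox; the sample bytes are constructed and the length limit is the TLS 1.2 one from RFC 5246.

```python
import struct

# A TLS record starts with a 5-byte header:
#   content type (1 byte) | legacy version (2 bytes) | body length (2 bytes)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Largest record body TLS 1.2 permits (RFC 5246); TLS 1.3 lowers it to 2**14 + 256.
MAX_RECORD_BODY = 2**14 + 2048


def parse_record_header(data: bytes):
    """Read the first five bytes the way a TLS client does."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def diagnose(first_bytes: bytes) -> str:
    """Classify the first bytes a server sent back on the HTTPS port."""
    ctype, (major, _minor), length = parse_record_header(first_bytes)
    if ctype in CONTENT_TYPES and major == 3 and length <= MAX_RECORD_BODY:
        return "tls"                 # a plausible TLS record
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"      # server is speaking HTTP on the TLS port
    if length > MAX_RECORD_BODY:
        return "record-too-long"     # some other non-TLS or corrupt data
    return "not-tls"


# Constructed samples, not captured traffic.
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
TLS_REPLY = bytes.fromhex("160303005a")   # handshake record, version 3.3, 90-byte body

if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT_REPLY), ("tls", TLS_REPLY)):
        ctype, version, length = parse_record_header(sample)
        print(f"{name}: type={ctype} version={version} length={length} -> {diagnose(sample)}")
```

The ASCII bytes `HTTP/` decode to a claimed body length of 20527, which is above the limit, so the client rejects the reply as an oversized record before any handshake takes place.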
Again, the exact way to fix this is going to vary based on server type, but if you just Google: Server Name + Port 443 + HTTPS, you should be fine.
One more thing: be extra careful to get the exact nomenclature correct, too. For instance, on NGINX servers “listen 443” won’t work like you want, but “listen 443 ssl” will.
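A small check for both server-side fixes described above (the protocol versions and the `ssl` parameter on the listener), run over two constructed NGINX server blocks. This is an added example, not from the original article; `lint_server_block` and `example.test` are hypothetical names, and the parser is deliberately simplified.

```python
import re

# ssl_protocols values the article says to turn off (SSLv2 added for completeness).
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def lint_server_block(conf: str) -> list:
    """Findings for one nginx server block (simplified: no includes, no nesting)."""
    text = re.sub(r"#[^\n]*", "", conf)                   # drop comments
    directives = [d.split() for d in re.split(r"[;{}]", text) if d.strip()]
    findings, protocols, https_port = [], None, False
    for name, *args in directives:
        if name == "listen" and args:
            port = args[0].rsplit(":", 1)[-1]             # 443, 192.0.2.1:443, [::]:443
            https_port = https_port or port == "443"
            if port == "443" and "ssl" not in args[1:]:
                findings.append(f"'listen {' '.join(args)}' answers in plaintext; add 'ssl'")
        elif name == "ssl_protocols":
            protocols = set(args)
    if https_port and protocols is None:
        findings.append("ssl_protocols not set here; inherited or default values apply")
    elif https_port:
        findings += [f"ssl_protocols enables {p}; remove it" for p in sorted(protocols & LEGACY)]
        if not protocols & {"TLSv1.2", "TLSv1.3"}:
            findings.append("ssl_protocols enables neither TLSv1.2 nor TLSv1.3")
    return findings

# Constructed configurations (example.test is a placeholder name).
BAD = """
server {
    listen 443;                                  # 'ssl' parameter missing
    server_name example.test;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
FIXED = """
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.test;
    # ssl_certificate and ssl_certificate_key lines omitted here
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    for label, conf in (("BAD", BAD), ("FIXED", FIXED)):
        print(label, lint_server_block(conf))
```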
Fixing SSL_ERROR_RX_RECORD_TOO_LONG for Regular Users
Now let’s talk about what can be done from a user standpoint…
Clear your Cache
In some rare cases, clearing or bypassing the cache can fix this issue. The easiest way to test this is to just open up an Incognito or Private Window and try to access the website that way—sans cache and cookies. In addition to going incognito, you can also use:
- Ctrl + Shift + R
- Shift + click Reload
This probably won’t work, but it might. At least it’s not actively dangerous.
Change the security.tls.version.max preference
This is the point where we officially begin approaching the dangerous advice. Here’s the thing, right now Microsoft has yet to roll out full support for TLS 1.3. So, if you’re a Microsoft user, it might help to drop the TLS version support down by one. It could be a case where a website supports TLS 1.3 and Firefox thinks it does, too. But the Operating System running Firefox can’t and it creates the SSL_ERROR_RX_RECORD_TOO_LONG error.
So, if you are a Microsoft user, and only if, you may want to drop support for TLS 1.3 temporarily. Here’s how:
- Open a new tab and type “about:config” into the address bar
- In the search field, type “TLS” and filter the list
- Double-click security.tls.version.max
- Change the 4 to a 3
The way Firefox numbers its version support can be confusing. 1 is for TLS 1.0, so 4 is TLS 1.3 and 3 is TLS 1.2.
I can’t reiterate this enough: do not go further back than TLS 1.2.
At this point TLS 1.2 has been out ten years and its successor has been published. There is almost no excuse for websites not to support at least 1.2. Previous TLS versions have known vulnerabilities.
Some other things that might fix SSL_ERROR_RX_RECORD_TOO_LONG but probably won’t
Here are a few other pieces of non-dangerous advice that could potentially solve Firefox’s SSL_ERROR_RX_RECORD_TOO_LONG message. They probably won’t, because most of them don’t actually deal with the source of the problem, but give them a try because who knows…
- Try browsing in Incognito mode – We touched on this earlier, but sometimes this can fix the issue.
- Try using a VPN – Again, this could work in some situations but it’s not a surefire solution by any means.
- Check your Proxy settings – Sometimes a misconfigured proxy can cause issues. Unless you’re an IT admin, don’t mess with it yourself though. And don’t disable the Proxy—despite what some articles might suggest.
- Update your Browser – It shouldn’t take getting an SSL_ERROR_RX_RECORD_TOO_LONG message to remind you to update your browser regularly, but if it did, start keeping up with updates moving forward.
- Reinstall your Browser – This could work, or it could waste ten minutes of your time.
What you definitely SHOULDN’T do to fix SSL_ERROR_RX_RECORD_TOO_LONG
Now let’s talk about some things that you definitely shouldn’t do if you’re an internet user dealing with the Firefox SSL_ERROR_RX_RECORD_TOO_LONG message. A lot of these are just bad advice, and even if they would work to solve your problem they would also open up a bunch of attack vectors. You almost have to ask yourself, is going to this site worth risking an infected computer or worse? The answer is almost always no.
So here are a few suggestions of what NOT to do:
Don’t switch to HTTP
There’s a reason that Google is twisting the entire internet’s arm to get it to migrate to HTTPS. HTTP has faithfully served the internet for about two decades, but it was never designed for secure transmission of data. HTTP was designed back in a time when commercial activity was banned and the internet was solely intended for sharing information between the government and academia. HTTPS was created out of necessity when commercial activity eventually did become part of the internet.
Today, in 2018, it’s the standard. The default. You should expect your communication with websites to be encrypted as a matter of course. So advice like this…
“The quickest way to access the website that is being blocked by the irksome Secure Connection Failed message is to replace https:// with http:// at the beginning of the URL. This workaround has proved useful to many users, so you are free to give it a try.”
…is retrograde and needs to be called out. Not only is this bad advice in this very specific context, but teaching people to revert back to HTTP is just bad for cybersecurity in general. The idea is that HTTPS should become so commonplace that it’s an afterthought; it’s not something that should be positioned as a hindrance to visiting your favorite websites.
Don’t revert to HTTP. If this is the only way you can reach a website, that’s a sign right there.
Don’t Turn off your Antivirus
“Unfortunately, some lines of action performed by powerful antivirus solutions may be a little too harsh. This might be your case since your security tool might have taken against certain SSL certificates or your Firefox on the whole. With that said, we believe you might need to temporarily disable your antivirus software and see if it is indeed the evil behind your issue.”
No, no, no. First of all, if your antivirus is fighting with your Firefox browser, that’s because it’s misconfigured and you – or somebody with the wherewithal – should definitely look into that. But just turning it off is ridiculous advice. That would be like calling the security company because your house alarm goes off sometimes when you try to open your front door and being told, “just disable the alarm system. Problem solved.”
If you’re not a site owner, the best way to fix SSL_ERROR_RX_RECORD_TOO_LONG is to contact the site owner
The best advice I can give you, if you’re not the site owner, is to respond to the Firefox SSL_ERROR_RX_RECORD_TOO_LONG by notifying the site owner. As we discussed, this is almost always a result of a server-side error and not something a regular internet user can fix.
Either way, definitely don’t disable your antivirus, turn TLS version support down to 0 or revert to HTTP.
As always, leave any comments or questions below…