====== PFSense - Troubleshooting - SSL_ERROR_RX_RECORD_TOO_LONG ======
The error **SSL_ERROR_RX_RECORD_TOO_LONG** appears when attempting to access multiple different sites. It sometimes goes away with a refresh but sometimes persists.
{{:pfsense:pfsense_ssl_error_rx_record_too_long.png?800|}}
This usually happens when using the Squid option **Splice All** for SSL/MITM Mode.
<code>
Can't connect to 192.168.1.1:443 (certificate verify failed)
SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 50.
</code>
Check:
<code bash>
openssl s_client -connect 192.168.1.1:443
</code>
returns:
<code>
...
Verify return code: 21 (unable to verify the first certificate)
...
</code>
----
===== Cause =====
The SSL_ERROR_RX_RECORD_TOO_LONG message from Firefox typically comes as a result of a misconfiguration on the server side.
The two most common server-side causes of the SSL_ERROR_RX_RECORD_TOO_LONG message are:
  * The listening port is misconfigured – If you want your website to establish secure connections, you must configure it to use port 443.
  * The system does not support an adequate TLS version – This problem arose ten years ago with the advent of TLS 1.2 and is appearing again with TLS 1.3.
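
An added example (not part of the original page) showing the first cause at the byte level: a client expecting TLS reads the first five bytes of the reply as a record header, and when the port answers in plain HTTP the ASCII for ''HTTP/'' decodes to a length above the TLS maximum. The function name ''classify_first_bytes'' and the sample replies are constructed for illustration.

```python
import struct

# Largest TLSCiphertext length a TLS 1.2 record may declare (RFC 5246): 2^14 + 2048.
MAX_RECORD_LEN = 2**14 + 2048
# Record content types defined by TLS.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Typical openings of a plaintext reply (status line or an HTML error page).
PLAINTEXT_PREFIXES = (b"HTTP/", b"<!DOC", b"<html", b"<HTML")


def classify_first_bytes(data: bytes) -> dict:
    """Interpret the first bytes a server sent on a port expected to speak TLS.

    The 5-byte TLS record header is: type (1), version (2), length (2),
    all big-endian. Whatever arrives first is parsed that way by the client.
    """
    if len(data) < 5:
        return {"verdict": "short", "record_too_long": False}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    result = {
        "type": ctype,
        "version": (major, minor),
        "length": length,
        # This is the condition the browser error name describes.
        "record_too_long": length > MAX_RECORD_LEN,
    }
    if data[:5] in PLAINTEXT_PREFIXES:
        result["verdict"] = "plaintext-http"   # port is not speaking TLS at all
    elif ctype in CONTENT_TYPES and major == 3 and not result["record_too_long"]:
        result["verdict"] = "tls"
    else:
        result["verdict"] = "not-tls"
    return result


# Constructed samples: a plaintext reply on port 443, and a well-formed
# TLS handshake record (type 22, version 3.3, 90-byte body of zeros).
HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
TLS_REPLY = b"\x16\x03\x03\x00\x5a" + bytes(0x5A)

if __name__ == "__main__":
    for name, sample in (("plaintext", HTTP_REPLY), ("tls", TLS_REPLY)):
        print(name, classify_first_bytes(sample))
```

For the plaintext sample the bytes ''P'' and ''/'' (0x50, 0x2F) land in the length field, giving 20527, which is over the 18432-byte limit.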
----
===== Solution =====
  * **Services -> SquidGuard Proxy Filter -> Common ACL -> ALL to allow**
  * May need to refresh the browser cache:
    * CTRL+F5
    * CTRL+SHIFT+R
    * SHIFT+reload button
  * Might need to turn off support for the newest and most secure connection protocol, TLS 1.3.
    * In Firefox
      * Type **about:config** in the address bar and press Enter/Return.
      * In the search box above the list, type **TLS**.
      * Double-click the **security.tls.version.max** preference to display a dialog where you can edit the value from 4 to 3 (or in other words, from TLS 1.3 to TLS 1.2).
      * Then click **OK**.
----