Certain Firefox users are unable to connect to R2

For Workers & Pages, what is the name of the domain?

cdn.wikirby.com

What is the error number?

No error number

What is the error message?

SECURE CONNECTION FAILED

What is the issue or error you’re encountering

Certain users on Firefox 134 with DNS over HTTPS are unable to connect to our R2 buckets, only receiving a nondescript SECURE CONNECTION FAILED with no further error code. As a result, images on the site will not load.

What steps have you taken to resolve the issue?

The only workaround we have found is to either disable DNS over HTTPS or add the domain to exceptions.

What are the steps to reproduce the issue?

I am unable to reproduce the issue on my end, even after trying every DNS over HTTPS setting on the browser, leading me to believe the issue may be regional or ISP based.

An affected user will simply be unable to connect to any of the R2 buckets we have (e.g. cdn.wikirby.com), only receiving a nondescript secure connection failure.

Screenshot of the error

I can second this issue, and clarify that I am the admin responsible for this site.
Ever since a recent Firefox version, most (though not all) requests to our R2 bucket (through Cloudflare’s CDN) end up failing on the TLS handshake.

I did some digging, and it seems that the failure is in ECH (Encrypted Client Hello). Disabling it in Firefox results in the requests going through perfectly fine, while enabling it will return the adverse behavior.

The only other oddity I noticed is that requests are currently only being made from Firefox via HTTP/1.1, where requests would ordinarily be HTTP/2 or HTTP/3.

Many of our users, seemingly around the world, have been reporting this same issue. I believe most of these users are using Cloudflare DNS as their main provider (either as the system provider, or by default through Firefox’s DNS over HTTPS).

We’re generally at a loss as to what might be going wrong here. I can’t find that I’ve misconfigured anything in particular, and discussion about this issue seems to be rather limited on the web. Any advice or assistance would be appreciated.

Do you see the issue in 135 as well? Or is it only 134?

I’m on 135 and unable to reproduce this using Firefox’s built-in Cloudflare DoH.

I just tested with Firefox 135, updated as of a few moments ago. With DNS over HTTPS set to “Max Protection” and “network.dns.echconfig.enabled” set to “true” (which is the default), WiKirby will fail to load a large portion of the images on the main page.

Setting “network.dns.echconfig.enabled” to “false” will generally resolve the problem, even with DNS over HTTPS enabled. Disabling DNS over HTTPS alone will not solve the issue on my system, but my home resolver is set to Cloudflare.

Security/Encrypted Client Hello - MozillaWiki specifies this enables/disables Encrypted Client Hello, hence my thought that it may be somehow responsible.

I have also just now tested Firefox 133 with ECH and DNS over HTTPS enabled, and it works perfectly fine.

Different users have reported different results. I can confirm this on both a Windows and Linux box, and I am in New York. Some users in Europe or other regions seemingly cannot reproduce this given the same settings. Perhaps this is a limited/regional rollout of some new feature/setting?

I am on 135.0.1 on macOS 15.3 and was having TLS errors connecting to R2 until I disabled network.dns.echconfig.enabled.

Upon a little further research, I believe that users who have DNS over HTTPS disabled on macOS are unaffected, as ECH is disabled in that configuration: Security/Encrypted Client Hello - MozillaWiki

I found Mastodon has been having the same issue (Images in CloudFlare R2 with ECH do not show · Issue #33640 · mastodon/mastodon).

They seem to be leaning on some issue between Firefox and R2. Disabling ECH on R2, as is mentioned on the issue ticket, does resolve the issue, but it shouldn’t be considered a permanent fix.