Ssl error weak server cert key

on firefox 38.1.0 running on centOS 6.6 I’m having issue with TLS.

when this first happened I re did the cert using 2048 byte keys. This seemed to take care of the issue when navigating to addresses similar to https://localhost/somesite, however, if I try https://localhost:10000 it always fails with:

An error occurred during a connection to localhost.localdomain:10000. The server certificate included a public key that was too weak. (Error code: ssl_error_weak_server_cert_key)

   The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
   Please contact the website owners to inform them of this problem.

The certificate Signature algorithim is -> PKCS #1 SHA-1 With RSA Encryption

The public key algorithim is -> PKCS #1 RSA Encryption

The key was create on 07/06/15 for a 10 year period, It is a Version 1 cert issued by myself with the following info
E = ctmattice@permitepaints.com
CN = localhost
OU = hq
O = permite
L = Stone Mountain
ST = ga
C = us

Ssl error weak server cert key

Search Support

1. Home
2. Support Forums
3. Firefox
4. Is anyone else experiencing problems.

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Is anyone else experiencing problems with their https connection to their Hardware. I am getting false positives stopping access to Hardware TLS

• 5 replies
• 65 have this problem
• 8 views
• Last reply by jscher2000 — Support Volunteer

Accessing some of my Hardware to make changes has become impossible with the latest attempt to secure TLS or Weak SSL certificates. I cannot access my Modem via https://192.168.1.1 as FF is not accepting the certificate from the device. This change is very new and not quite refined correctly yet I believe.

Chosen solution

Hmm, it sounds similar to:

You might have to use a different browser with the device for the time being. That also might make it easier to diagnose the situation, because the other browser probably can provide full certificate and connection details.

Which of the many possible SSL error messages are you getting?

Also, to aid in searching for past threads, it would be great to know:

• if an error code is indicated in parentheses on the error page, which code is it?
• what kind of device is it (e.g., Linksys) if you’re willing to disclose that?

Secure Connection Failed

An error occurred during a connection to 192.168.1.1:1000. The server certificate included a public key that was too weak. (Error code: ssl_error_weak_server_cert_key)

Chosen Solution

Hmm, it sounds similar to:

You might have to use a different browser with the device for the time being. That also might make it easier to diagnose the situation, because the other browser probably can provide full certificate and connection details.

Yes I am using a different Browser to solve the problem. From the small image below, sorry I cant capture much info here, you can see that the certificate store has accepted the certificate correctly. My mistake, I thought it wasnt there that said, if the certificate has been accepted, I cant understand why access isnt granted

That’s in Firefox’s Certificate Manager dialog?

I’m not sure making an exception (or importing a certificate) in Firefox resolves every objection. I haven’t run across any sites like this to experiment on.

Источник

Ssl error weak server cert key

DalBat
Попробуйте в security.tls.insecure_fallback_hosts прописать.

Спасибо, благодаря вашему ответу нашёл похожие, но мне не помогает.

Добавлено 14-07-2015 08:23:29
Можно вообще отключить эту SSL проверку в firefox?

Отредактировано DalBat (14-07-2015 08:23:29)

№807 14-07-2015 14:30:45

Re: Не работает после обновления. (проблемы после обновления)

DalBat
Нет. К счастью. Вообще, надо не браузер калечить, а пнуть этого «клиента» чтоб исправил. Либо вовсе по http заходить (потому что, какая польза от такого шифрования, если ключ за пару дней можно получить?).

Попробуйте еще security.tls.unrestricted_rc4_fallback;true выставить (не знаю, нужно ли при этом сайт и в security.tls.insecure_fallback_hosts оставлять).

№808 16-07-2015 10:59:51

Re: Не работает после обновления. (проблемы после обновления)

turbot
Я с вами полностью согласен, но клиенты, они такие клиенты.
Не помогло, но всё равно большое спасибо за ответы.

№809 16-07-2015 11:31:29

Re: Не работает после обновления. (проблемы после обновления)

Установил версию 38.0.5 моя учётка является админской, пользователей нет. Как запретить обновления до 39 глобальным способом?
Кто может подсказать? Служба MozillaMaintenance отключена через групповые политики, а при установке приложения галочка «Служба поддержки» снята, но всё равно после определённого времени снова просит обновится. Пользователей много, всех обучить не обновляться не получится.

№810 16-07-2015 13:21:28

Re: Не работает после обновления. (проблемы после обновления)

Взято с ru-board.

Чтобы полностью отключить обновление Firefox необходимо в файле %папка_установки_firefox%defaultsprefchannel-prefs.js заменить в строке pref(«app.update.channel», «release»); слово «release» на «no» (или «default»).

№811 16-07-2015 15:17:04

Re: Не работает после обновления. (проблемы после обновления)

Взято с ru-board.

Чтобы полностью отключить обновление Firefox необходимо в файле %папка_установки_firefox%defaultsprefchannel-prefs.js заменить в строке pref(«app.update.channel», «release»); слово «release» на «no» (или «default»).

И нафиг его править, когда проще сделать это в about:config, а ещё лучше через user.js?

№812 16-07-2015 16:37:09

Re: Не работает после обновления. (проблемы после обновления)

Извините, не подумал искать отключение обновлений через about:config.

№813 30-07-2015 00:07:34

Re: Не работает после обновления. (проблемы после обновления)

FireFox 39. Возникла проблема со входом в учётку-учётки Google.

https://accounts.google.com/ServiceLoginAuth#password — циклическая ссылка, что бы ни набиралось в качестве пароля — возвращается к ней.
На предыдущей странице — указываю логин, всё как обычно. Но он не «подхватывается», появляется вот такая страница:

Изучил все хелпы и чаво, всё что надо и не надо чистил-не чистил, защиты всяческие отключал-включал — ничего не помогает.
В предыдущей версии всё работало. Текущую 39ю ставил поверх. Что могло случиться?

(прошу не предлагать переустановку моей Win7x64 или снос Лиса со всеми данными профиля и установку «с нуля» — мне уже капитан Очевидность всё это понасоветовал лично)

Отредактировано Zzinst (30-07-2015 00:08:08)

\\\\\\\ о сколько нам открытий чудных пираты в торрентах качнут.

№814 31-07-2015 10:53:56

Re: Не работает после обновления. (проблемы после обновления)

Извините, не подумал искать отключение обновлений через about:config.

Всё равно у пользователей обновляется
Может существуют ещё какие-нибудь строки в about:config которые нужно настроить?

№815 31-07-2015 11:22:58

Re: Не работает после обновления. (проблемы после обновления)

DalBat
app.update.channel;no

Лучше спросить у знающих — чем лезть не зная.

№816 31-07-2015 13:18:37

Re: Не работает после обновления. (проблемы после обновления)

villa7
Во! Спасибо огромное! Теперь не обновляется.

№817 29-08-2015 13:46:04

Re: Не работает после обновления. (проблемы после обновления)

После обновления на 40.0.3 (а может быть, и на предыдущую версию, не уследил) возникла проблема с добавлением страницы в закладки. По Ctrl-D и при нажатии на звёздочку в адресной строке не добавляются. Добавить можно только перетащив вкладку на панель закладок. Профиль сносил и восстанавливал, файлы places.sqlite (все три) удалял, не помогает. Из дополнений, работающих с закладками, стоит только 2 Pane Bookmarks, стоит уже несколько лет, никогда с ним проблем не было. В какую сторону копать?

№818 29-08-2015 16:45:27

Re: Не работает после обновления. (проблемы после обновления)

Из дополнений, работающих с закладками, стоит только 2 Pane Bookmarks, стоит уже несколько лет, никогда с ним проблем не было.

А просто взять и отключить его для проверки — тупо лень или что? Да и вообще взять и «Перезапустить без дополнений. » наверное какая-то особая религия запрещает?

№819 30-08-2015 11:03:16

Re: Не работает после обновления. (проблемы после обновления)

А просто взять и отключить его для проверки — тупо лень или что?

Естественно, не лень Не помогает

взять и «Перезапустить без дополнений. «

А смысл? Без дополнений (в частности Classic Theme Restorer) звёздочки в адресной строке не будет.

В общем, получилось так: откатился на версию 39.0, и всё заработало. Так что, проблема не в дополнениях, а в самом FF.

Отредактировано Niclaus (30-08-2015 11:08:18)

№820 30-08-2015 12:15:25

Re: Не работает после обновления. (проблемы после обновления)

Смысл предельно простой — проверить проблема в дополнениях/пользовательских настройках или в самом браузере. Но некоторым даже это понять тупо лень.

В общем, получилось так: откатился на версию 39.0, и всё заработало. Так что, проблема не в дополнениях, а в самом FF.

А почему не в несовместимости какого-то дополнения с обновившейся версией программы? Так что проблема в данном конкретном случае в неадекватном пользователе.

№821 31-08-2015 04:58:24

Re: Не работает после обновления. (проблемы после обновления)

DzirtПо моему ваша реакция на такой вопрос свидетельствует как раз о вашей неадекватности! Возникла абсолютно аналогичная проблема с закладками и надеясь на развернутую информацию наткнулся на немотивированное хамство. Не все такие умники в настройках фф, как вы.

№822 31-08-2015 08:59:08

Re: Не работает после обновления. (проблемы после обновления)

Возникла абсолютно аналогичная проблема с закладками и надеясь на развернутую информацию наткнулся на немотивированное хамство

У вас одно сообщение. Вы в -1 или в -11 своем сообщении нарвались на немотивированное хамство? Да и было ли вообще «хамство»?

К тому же, какое собственно отношение это имеет к обсуждаемому вопросу?

№823 31-08-2015 09:35:06

Re: Не работает после обновления. (проблемы после обновления)

Dzirt, KrimSKR, давайте не будем ругаться и переходить на личности!
Что мы имеем: как видно, в 40 версии, по сравнению с 39 и предыдущими, был изменён механизм работы с закладками. Хотелось бы знать, что именно изменено, как это работает, или не работает, и что с этим делать. За этим, собственно, люди и приходят в ветку форума, которая называется «Не работает после обновления. (проблемы после обновления)».
А к Вам, Dzirt, персональная просьба: поставьте, пожалуйста, на ваш 40-й FF расширение Classic Theme Restorer, включите в нём отображение звёздочки в адресной строке, и скажите, добавляются ли страницы в закладки при её нажатии!

Отредактировано Niclaus (31-08-2015 09:45:02)

№824 31-08-2015 09:44:44

Re: Не работает после обновления. (проблемы после обновления)

Niclaus
Ну ясен же пень, что проблема явно в одном из используемых Вами расширений, так как у остальных всё работает.
Вероятно, разработчик обновит косячащее расширение и всё встанет на свои места.

№825 31-08-2015 10:11:06

Re: Не работает после обновления. (проблемы после обновления)

А к Вам, Dzirt, персональная просьба: поставьте, пожалуйста, на ваш 40-й FF расширение Classic Theme Restorer, включите в нём отображение звёздочки в адресной строке, и скажите, добавляются ли страницы в закладки при её нажатии!

Звездочка в адресной строке? А она что — там есть. Всю жизнь я добавлял страницы либо на «Панель закладок» перетаскиванием мышью, либо в «Закладки» при помощи нажатия Ctrl+D, либо в те же «Закладки», но предварительно нажав на Ctrl+B. Нафиг нужна эта звездочка — вообще не понимаю. Как и вашего подхода к решению возникшей проблемы «Файерфокс ацтой! Вот установите расширение X и у вас перестанет работать Y!» Ну да, может и перестанет. Только почему это вдруг внезапно проблема Firefox’а, а не расширения X? Которое не смогли/не успели/не было желания проверить на работоспособность в очередной версии FF.

PS: Если что — я тоже против постоянного изменения API плагинов, ломающего их работоспособность. Причем изменения эти в подавляющем большинстве случаев «шоб було» или «чтобы не расслаблялись и жизнь малиной не казалась». Но с этим ничего не поделаешь, к сожалению.

Источник

Ssl error weak server cert key

Поиск в Поддержке

Избегайте мошенников, выдающих себя за службу поддержки. Мы никогда не попросим вас позвонить, отправить текстовое сообщение или поделиться личной информацией. Сообщайте о подозрительной активности, используя функцию «Пожаловаться».

Learn More

An error occurred during a connection to 192.168.0.7:10000. The server certificate included a public key that was too weak. (Error code: ssl_error_weak_server_c

• 2 ответа
• 1 имеет эту проблему
• 120 просмотров
• Последний ответ от Moonrakre

This site is my own and it is on my LAN. I absolutely trust it and I need to make changes through Webmin. But I can no longer get in after upgrading Firefox to 40.0.2.

The TLS may be out of date but I don’t care, I don’t know how to fix that, and if I did know I would need to access the system through webmin anyway.

How can I add an exception for this issue on the address, please?

Источник

Сообщения без ответов | Активные темы

Кто сейчас на форуме

Сейчас этот форум просматривают: нет зарегистрированных пользователей и гости: 25

Вы не можете начинать темы Вы не можете отвечать на сообщения Вы не можете редактировать свои сообщения Вы не можете удалять свои сообщения Вы не можете добавлять вложения

First, thank you for taking time again to reply. This thread has already been most educating and informative, and it is delightful to see how the developers of Pale Moon really interact here.

Moonchild wrote:You should know that this minimum level of certificate strength is there because your traffic, although encrypted at the surface, is not secure. If you are using SSL to your routers to begin with, I can only assume you are using SSL because your intranet has untrusted traffic/users on it.

The local network in question is secure enough to use the router without any SSL. I am accessing it through SSL sometimes for remote administration. When I do that, I always make sure that I do it from my home network (cabled and very secure) or else, *only* through a WPA2-secured wireless network. I would never ever do it from a public wireless network or a WEP network. And it was exactly for the reason of security why I turned off non-https administration in the routers, so that there would not be any mistakes. I have OpenVPN running for such cases, too, but I am just lazy enough not to use it all the time (and even over OpenVPN, Pale Moon would now not let me into the router). Therefore, I can say that the router’s SSL is just an additional layer of security, which is there just in case.

The chances of someone taking down the WPA2 and then also the router’s SSL are quite small. My routers are not so important as to waste so much time on them.

You cannot fault Pale Moon for developing for and aiming to be used on the Internet when that is its main purpose.

I really did not mean to fault Pale Moon at all. I am very happy with Pale Moon 25.7. I understand that the developers are the ones who decide and I accept the decisions. After all, Pale Moon comes free and is a remarkably good browser. That does not rule out a discussion (like this one here). What I did was just describe how I would resolve my personal situation now and why I would do it (or how I see it).

If installing Tomato is easy, and Tomato comes with insecure certs by default, then I’d say you should talk to the people who publish Tomato to provide a normal, current-day, certificate strength by default in their product.

I already thought of trying this. However, the mod that I use (for certain reasons – and I like this version of Tomato very much) seems to have been out of development for 3 years. Besides, WRT54GL is a rather old model and, from a developer’s point of view, probably not worth developing anything new for it. So the chances are slim but I will write to the developer.

If the problem is creating a self-signed certificate and key then take the extra 5 minutes to look up how to do this with OpenSSL. It really isn’t that hard.

I have done it once before and it took much more than 5 minutes. Not to waste your time, I will not describe the exact sequence of operations I would have to do but I really know next to nothing about certificate creation and next to nothing about SSHing myself into a Tomato router. Last time I tried to SSH into a Zyxel router, I just failed, and another time I have SSHed into a QNAP NAS just to find out that any changes I could do were just undone by the NAS’s next reboot. Both times I spent considerable time trying, without any actual result. I am not saying that SSH and Tomato are impossible. I am saying that it would take quite some more time from me than just 5 minutes.

[EDIT: One of the main points I am writing this is for the warning that if I change the SSL certs in Tomato, «if ever save the settings on the Admin Access page with the Regenerate box checked, or with Save in NVRAM box unchecked, will loose your certificate and you will have to do these steps all over again». The point is that so far I have always saved that page with «Save in NVRAM» box unchecked (which is default) and I really do not know or understand the implications of always saving the settings with that box checked. I am not very much willing to experiment because I have seen things work and then, after such experiments, not work (including e.g. IPSEC VPN). And besides, this would be one more thing to remember as long as I use the routers, and I really have a lot of details and nuances to remember already while I am not a professional IT person.

The problem is that it «works» but it works in such a way that it can’t be trusted and should be changed.

«Should be changed» is a good point. I agree that weak certificates should not be used any more if possible. But in this case, the browsers have made it a «must be changed» already, without much choice left to the user.

Before I made my decision, I considered carefully what could be wrong with my routers’ security as I use it at this moment. As described above, the SSL is just for additional security. Could I as well give it up and config my router over http (not https), just in order to be able to update Pale Moon to 25.8? Basically I could (and given the circumstances I believe I would still be on the safe side). But that would not be safer than the weak encryption in question, so why should I give up that additional layer, albeit weak, only because the developers have made a generalised decision that something like this is «unacceptable»? Instead of giving it up, you say, I should increase my security by using stronger certificates. That is of course right in general but realistically, the immediate benefit of that in my specific circumstances escapes me at the moment.

By the way, when I was thinking of browser security, it occurred to me that there is a much more serious security problem still coming with every instance of Firefox (and, for that matter, Pale Moon). And in certain cases, this problem is easier to exploit than cracking a 512-bit certificate. The password saving feature can be quite dangerous since all the passwords (including those to the routers) are available in plaintext, at least as long as the browser is open. And I have seen passwords stolen at least once from Pale Moon (over the Internet or through a Trojan — I do not know how it was done but I know when and where it must have happened). The obvious solution to this security problem (in terms of probability, much more «unacceptable» than having a 512-bit certificate accepted if the user really needs it) would be to enforce a master password (and I am using one but most users do not). For some reason nothing has been done about it. When we talk about security and threats, I see much more danger potential in the password store, which is available to all users, than in a (hypothetical) option for advanced users to re-enable weak certificates, at least for certain URLs that they can personally select and confirm.

If you are serious about your router’s and network’s security, you’ll make the investment of time to secure these routers properly from unauthorized access. But something will have to be done — and blaming the browser for no longer accepting the unacceptable is not one of them.

I agree that something had to be done. Most logically, from a user’s viewpoint, that would have been providing a new feature and strongly warning about weak security. Perhaps also closing the weak security in the default settings (with an option to re-enable it by means that are not used by dumbusers). I am serious about my router’s and network’s security. But somehow it seems to me that in this case, the developers of Firefox are — once again — trying to teach us «what is right and what is wrong» by force. (I am saying this because the new feature (for the developers) or problem (for me) seems to have appeared first in Firefox 39 and only then in Pale Moon.) Perhaps it can also be claimed with good explanations, that any self-signed certificates are a security threat after all and anyone wanting to use https on their server (or even private router) must purchase a Verisign (etc.) certificate. Apple seems to do that already as regards iPhones.

The browsers are there for the user’s convenience, not for forcing the user to confront his problems, even if he has the problems. Just pointing to the problem would be enough. So yes, at this moment I would like to keep my life more convenient. I do not blame the browser or the developers for introducing stricter security options. That is a very good thing to do and should be done anyway. My only point was with the forceful removal of existing features that would actually benefit someone who is able to appreciate his own security situation.

No offense meant.

None taken whatsoever.

[ONE MORE EDIT: Because you took so much time to reply me, I decided to at least give it a try and see how long it would take to change the certificates. First I searched and read the basics of what software I can use for SSH access and how it works. Then I downloaded and unpacked Putty. Then I enabled the SSH daemon for one of the Tomato routers (in order to get into the router in the first place), allowing for password login on port 22. Next, I launched Putty and tried to open the session with the router at the given LAN IP and port. However, I got the reply «Connection refused». Tried three times. When I tried once more, with enabling a remote connection, the SSH daemon just failed to start. By that time (I was timing my effort), 15 minutes had passed and I had not even started the process with certificates. So I must read a lot more, and find out why the router refuses connection, etc. I have seen before that with routers it can become quite tricky. And it has by now proved my concept that this is not so easy at all. I really do not have time for this, sorry.]

View previous topic :: View next topic
Author	Message
Moriah Advocate Joined: 27 Mar 2004 Posts: 2253 Location: Kentucky	Posted: Wed Jul 29, 2015 4:06 am    Post subject: HELP — firefox weak public key cert I have network infrastructure devices that use https to connect the management interface. They are old (5+ years). After latest update to firefox, I can no longer connet to them, which is a BIG problem. I cannot even update them if I cannot connect to them. Besides, I doubt there is, or will be for quite some time, any update to them to address this problem. When I try to connect with firefox, I get: Code: Secure Connection Failed An error occurred during a connection to xxx.xxx.xxx.xxx. The server certificate included a public key that was too weak. (Error code: ssl_error_weak_server_cert_key)     The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.     Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site. This is a *BIG* problem!!! Is there any way to over-ride firefox’s desire to «protect» me? I really need to access these devices. _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
eccerr0r Watchman Joined: 01 Jul 2004 Posts: 9222 Location: almost Mile High in the USA	Posted: Wed Jul 29, 2015 7:13 pm    Post subject: Try an old version of firefox? or try epiphany or ?? It looks like there will be no patches to firefox to «fix» this, you’ll have to devise one on your own for yourself. Probably could look for a «if keysize less than 1024 then abort» and remove that… Not recommended if you’re not accustomed to code hacking. Seems the longterm fix is to regenerate the server’s SSL key to a larger keysize but likely you need still need to log in first… _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD What am I supposed watching?
Back to top
Moriah Advocate Joined: 27 Mar 2004 Posts: 2253 Location: Kentucky	Posted: Wed Jul 29, 2015 7:23 pm    Post subject: Its an embedded system. It is a remote controlled power strip so I can re-boot a hung machine from far away — in this case about 400 miles away. I will need to make a trip to upgrade the software in the device, if an upgrade is even available. The fine folks at Mozilla are trying to strongarm people into fixing old servers, but they forgot about all the little embedded devices that might not have upgrades available yet. Some of these devices control our networks. I’m thinking its time to break a 20 year relationship with firefox et al. I would have no problem with this setting being the default, and providing a way to over-ride it, but apparently they did not provide such a way. They probably just lost a long time customer. A similar screw-up bu redhat 11 years ago is why I now use gentoo. Maybe I can work around the problem with lynx — good old scriptable lynx! _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
eccerr0r Watchman Joined: 01 Jul 2004 Posts: 9222 Location: almost Mile High in the USA	Posted: Wed Jul 29, 2015 7:49 pm    Post subject: Apparently Chrome did the same thing. Don’t know, a lot of things can be said to be doing this, it’s not just firefox. Then again, it’s easier to blame the free software than the hardware… Lynx and Links are good, maybe even Dillo would support 512 byte keys. I just hope that it’s not using any javascript… _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD What am I supposed watching?
Back to top
charles17 Advocate Joined: 02 Mar 2008 Posts: 3663	Posted: Thu Jul 30, 2015 6:48 am    Post subject: Re: HELP — firefox weak public key cert Moriah wrote: Is there any way to over-ride firefox’s desire to «protect» me? I really need to access these devices. Did you try with security.ssl3… settings as mentioned in bug 1180526?
Back to top
Moriah Advocate Joined: 27 Mar 2004 Posts: 2253 Location: Kentucky	Posted: Tue Aug 04, 2015 2:35 am    Post subject: I just read the entire bug report. The firefox people have made a terrible mistake, and it will cost them their business if they don’t fix it quickly. A very large number of people are very upset about this. Time to trash firefox, but what to replace it with? Certainly not chrome; gooogle is using that a spyware tool. Any suggestions? _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
eccerr0r Watchman Joined: 01 Jul 2004 Posts: 9222 Location: almost Mile High in the USA	Posted: Tue Aug 04, 2015 4:50 am    Post subject: If all browsers are doing the same thing… I’m not sure if it’s a mistake, it’s more of a nuisance to people who can’t upgrade an obsolete piece of software… Not sure what to say, the only way to «encourage» people to stop using broken software is to stop supporting it. If they continued to support it, nobody would ever have any reason to upgrade. The workaround has been around for a while, it just kept on being used instead of being an interim to fixing the obsolete software. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD What am I supposed watching?
Back to top
Moriah Advocate Joined: 27 Mar 2004 Posts: 2253 Location: Kentucky	Posted: Tue Aug 04, 2015 11:47 am    Post subject: You are thinking like a software developer, not a systems administrator. We are not talking about emerging a new vrsion of a piece of software. We are talking about little sealed boxes that perform a specific and important function, but that might not be upgradable. They can be protected in other ways besides the length of their diffie-helllman key. They can be behind firewalls with up to date diffie-hellman keys. They can cost a lot of money to replace. You are telling me because of the whim of some browser developer I have to go replace a bunch of remote power controllers that cost several hundred dollars each, and that each require a field trip to the remote location where they are deployed. So thats $400.00 for the device, $300.00 for a plane ticket, $60.00 to rent a car, $50.00 for food while travelling, plus $800.00 for the engineer’s time for a day, not to mention the cost of slipping the schedule on the project he was supposed to be working on before the browser imposed itself and forced this to occur. That’s $1610.00 per device. Now how many of these devices need to be replaced. Oh yes, if the device needs to be replaced with a new device that behaves differently over the network, we also have to rewrite all the software that talks to these devices in a scripted manner. I have 4 of these kinds of devices. You want to force me to spend a week of my time and $6440.00 just because you think I should do this? GO SUCK EGGS!!! Its new browser time. Any browser that triess to force me to do something like that has just ceased to be useful. _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
ct85711 Veteran Joined: 27 Sep 2005 Posts: 1791	Posted: Tue Aug 04, 2015 11:56 am    Post subject: During my searches on this, you will encounter the same issue on most (if not all the major browsers) in that they all agreed to stop supporting the weak keys; this is including windows too. So in this case, it’s more of the browser industry as a whole made the change (iirc this change was made several years ago too).
Back to top
eccerr0r Watchman Joined: 01 Jul 2004 Posts: 9222 Location: almost Mile High in the USA	Posted: Tue Aug 04, 2015 1:19 pm    Post subject: There is an easy solution: Old firefox and old versions of other browsers are still available. You decided to take the convenience/cost savings of keeping an old piece of hardware, then you get the inconvenience of an old piece of software. Can’t have it both ways if you don’t know how to code. Yes this is the idea of the software developer and also is forward progress else we’d be stuck with old standards forever, and likely someone’s going to think it’s OK, and people continue to make hardware with old standards because it works with the new browser… Someone needs to break the chain. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD What am I supposed watching?
Back to top
Moriah Advocate Joined: 27 Mar 2004 Posts: 2253 Location: Kentucky	Posted: Tue Aug 04, 2015 2:06 pm    Post subject: I do know how to code, been doing it since 1967. I develop safety critical realtime embedded systems as an independent consultant, been doing that since 1986. But I don’t want to have to re-hack every new update to firefox that comes along. Failure to take updates can open real security holes — ones I definately want to close. I think they should have made it so that the default would be the behaviour they have now: refusal to connect, but allow for a selective override of that default on a per ip address basis. They can even threaten me with dire warnings if I invoke the override. Just let me do it when I know what I am doing. Its my browser (my copy at least), and my network, and my responsibility to see that it all works together to serve its intended purpose. Let me decide. PS: I do not want a self-driving car either. In fact, I prefer a manual transmission to an automatic most of the time. _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
eccerr0r Watchman Joined: 01 Jul 2004 Posts: 9222 Location: almost Mile High in the USA	Posted: Tue Aug 04, 2015 2:46 pm    Post subject: Moriah wrote: But I don’t want to have to re-hack every new update to firefox that comes along. Failure to take updates can open real security holes — ones I definately want to close. Yup sorry Charlie. Take it or leave it. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD What am I supposed watching?
Back to top
Moriah Advocate Joined: 27 Mar 2004 Posts: 2253 Location: Kentucky	Posted: Tue Aug 04, 2015 5:53 pm    Post subject: I think I’m going to leave it, or at least start shopping around for another browser. _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
Hu Moderator Joined: 06 Mar 2007 Posts: 19775	Posted: Tue Aug 04, 2015 10:26 pm    Post subject: As eccerr0r noted above, if there is any supported way to keep using the old devices, the operators of those devices will recommend that users configure for low security instead of fixing the device. We saw the same problem with Javascript: «No true Scotsman would ever turn off Javascript, so we’ll just design everything to require it to be on. Anyone who complains is not a true Scotsman, and will be told to turn it on, because it costs us extra effort to make a site that works well for all browsers.» I agree that your situation makes this very unpleasant, and you have one of the more compelling stories I have read for the sheer difficulty of upgrading the devices. The more typical problem is with sites that insist on running ancient Red Hat or ancient Windows Server. As a Gentoo user, you are at least better positioned than most to apply a software patch to undo the restriction. Users on binary distributions would have to recompile locally, and their environments are generally not as readily suited to that as Gentoo.
Back to top
Moriah Advocate Joined: 27 Mar 2004 Posts: 2253 Location: Kentucky	Posted: Tue Aug 04, 2015 10:50 pm    Post subject: I did better than that; I phoned the vendor of the offending depricated devices and asked them if they had a firmware upgrade available. They indicated that they knew there was a problem with new versions of Internet Explorer, but did not know about firefox, nor did they understand exactly the cause. i pointed them to this thread, and they thanked me profusely! _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
Hu Moderator Joined: 06 Mar 2007 Posts: 19775	Posted: Tue Aug 04, 2015 11:44 pm    Post subject: That is good to hear. I expected that the vendor would have no interest in resolving the problem on an old device and/or that the device was not sufficiently upgradeable that the vendor could help you. In the interest of providing an interim workaround, which I must stress is neither tested nor good for security, I looked into this on the Firefox side. The restriction is implemented in NSS, not in the Firefox core. This is good for people who want to patch it out, since NSS is smaller and takes less time to rebuild. The restriction was added in NSS accepts export-length DHE keys with regular DHE cipher suites («Logjam»). Based on the proposed patch, I found that SSL_ERROR_WEAK_SERVER_CERT_KEY is a new constant added for the purpose of reporting insecure keys. It is only referenced once. You should be able to bypass the restriction with the below patch, which reduces the minimum key length to 128 bits. This leaves you vulnerable to the original Logjam security problems. nss-3.19.2-reduce-security.patch.base64: LS0tIG5zcy0zLjE5LjIvbnNzL2xpYi9zc2wvc3NsM2Nvbi5jCisrKyBuc3MtMy4xOS4yL25zcy9s aWIvc3NsL3NzbDNjb24uYwpAQCAtMTAwNTgsNyArMTAwNTgsNyBAQAogICAgICAgICAgICAgICAg IChwdWJLZXlUeXBlID09IGRzYUtleSAmJgogICAgICAgICAgICAgICAgICBzcy0+c2VjLmF1dGhL ZXlCaXRzIDwgU1NMX0RTQV9NSU5fUF9CSVRTKSB8fAogICAgICAgICAgICAgICAgIChwdWJLZXlU eXBlID09IGRoS2V5ICYmCi0gICAgICAgICAgICAgICAgIHNzLT5zZWMuYXV0aEtleUJpdHMgPCBT U0xfREhfTUlOX1BfQklUUykpIHsKKyAgICAgICAgICAgICAgICAgc3MtPnNlYy5hdXRoS2V5Qml0 cyA8IDEyOAkvKiBhbGxvdyBzb21lIHdlYWsga2V5cywgYnV0IHJlamVjdCB2ZXJ5IHRpbnkga2V5 czsgdGhpcyBpcyBiYWQgZm9yIHNlY3VyaXR5LCBidXQgc29tZSB1c2VycyBtYXkgbmVlZCBpdCAq LykpIHsKICAgICAgICAgICAgICAgICBQT1JUX1NldEVycm9yKFNTTF9FUlJPUl9XRUFLX1NFUlZF Ul9DRVJUX0tFWSk7CiAgICAgICAgICAgICAgICAgKHZvaWQpU1NMM19TZW5kQWxlcnQoc3MsIGFs ZXJ0X2ZhdGFsLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHNzLT52ZXJz aW9uID49IFNTTF9MSUJSQVJZX1ZFUlNJT05fVExTXzFfMAo= nss-3.19.2-reduce-security.patch: — nss-3.19.2/nss/lib/ssl/ssl3con.c +++ nss-3.19.2/nss/lib/ssl/ssl3con.c @@ -10058,7 +10058,7 @@                  (pubKeyType == dsaKey &&                   ss->sec.authKeyBits < SSL_DSA_MIN_P_BITS) ||                  (pubKeyType == dhKey && —                 ss->sec.authKeyBits < SSL_DH_MIN_P_BITS)) { +                 ss->sec.authKeyBits < 128   /* allow some weak keys, but reject very tiny keys; this is bad for security, but some users may need it */)) {                  PORT_SetError(SSL_ERROR_WEAK_SERVER_CERT_KEY);                  (void)SSL3_SendAlert(ss, alert_fatal,                                       ss->version >= SSL_LIBRARY_VERSION_TLS_1_0 The first block is encoded to prevent whitespace mangling. The second block is plain so that people can read it without decoding first.
Back to top
Moriah Advocate Joined: 27 Mar 2004 Posts: 2253 Location: Kentucky	Posted: Wed Aug 05, 2015 2:30 am    Post subject: I will stay with my current workaround, which is turning off ssl on the offending device. It is password protected, and behind 2 firewalls, and very infrequently used, so I can live with it for a little while until my vendor issues a patch to the outlet strip. _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
Display posts from previous:

You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum