From owner-freebsd-questions@freebsd.org Tue Jul 28 13:30:55 2015
Return-Path:
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
    by mailman.ysv.freebsd.org (Postfix) with ESMTP id D86669AD08C
    for ; Tue, 28 Jul 2015 13:30:55 +0000 (UTC)
    (envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (Client did not present a certificate)
    by mx1.freebsd.org (Postfix) with ESMTPS id 4DB84C95
    for ; Tue, 28 Jul 2015 13:30:54 +0000 (UTC)
    (envelope-from smithi@nimnet.asn.au)
Received: from localhost (localhost [127.0.0.1])
    by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id t6SDUetp026088;
    Tue, 28 Jul 2015 23:30:41 +1000 (EST)
    (envelope-from smithi@nimnet.asn.au)
Date: Tue, 28 Jul 2015 23:30:40 +1000 (EST)
From: Ian Smith
To: Polytropon
cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD Forum access problem (was Re: Endless Data Loss)
In-Reply-To: <20150726180913.bfa82863.freebsd@edvax.de>
Message-ID: <20150728230108.T17327@sola.nimnet.asn.au>
References: <20150726233449.M17327@sola.nimnet.asn.au> <20150726180913.bfa82863.freebsd@edvax.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 28 Jul 2015 13:30:55 -0000

On Sun, 26 Jul 2015 18:09:13 +0200, Polytropon wrote:
 > On Sun, 26 Jul 2015 23:58:25 +1000 (EST), Ian Smith wrote:
 > > That's not the problem.  The problem with the forums site is that it no
 > > longer allows connections using SSLv3 or TLS 1.0 .. it requires at least
 > > TLS 1.1 now, and might later accept only TLS 1.2, even just for reading.
 >
 > Thank you for clarification! I've set the security options
 > to only (!) allow TLS 1.1 and 1.2, _no_ SSL v3 or TLS 1.0,
 > and now I can connect to the forum again. I'll check now if
 > the other few websites I visit will be "impacted" by that
 > configuration change.

I don't think you needed to disable older protocols - unless you want to
not permit yourself to connect to older sites that only present those
protocols - in order for the highest/latest options to be selected where
they are enabled and perhaps demanded as in the case of the forums.

But you should test that assumption, which is all it is.

I've since found that even my not-SO-ancient firefox from 9.1 to
9.2-stable times would not connect to forums.freebsd.org either.

% pkg info firefox
firefox-23.0,1
Name           : firefox
Version        : 23.0,1
Installed on   : Sun Jul 20 02:37:45 EST 2014
Origin         : www/firefox
Architecture   : freebsd:9:x86:64

Had to go hunting in the bowels of about:config to find what SSL
protocols were set, and it just showed '1' (as an integer), so after
some more hunting, on a hunch I tried '2' there.

That worked! but I have not the slightest idea why it does, or what '2'
signifies :)

cheers, Ian
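
Added example, not part of the message above and not code from Firefox or the FreeBSD project: a sketch of pre-TLS 1.3 version negotiation showing what changing that integer from 1 to 2 does on the wire. It assumes the setting in question is Firefox's security.tls.version.max (0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2) and that the forum server accepts TLS 1.1 through TLS 1.2; the ClientHello bytes and function names are constructed for illustration.

```python
import struct

# ClientHello.client_version wire values, and the Firefox pref integers
# (assumed: security.tls.version.max) that select them.
WIRE = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
PREF_TO_WIRE = {0: 0x0300, 1: 0x0301, 2: 0x0302, 3: 0x0303}

def client_hello(pref_max):
    """Build a minimal, constructed ClientHello record offering pref_max."""
    body = struct.pack("!H", PREF_TO_WIRE[pref_max])          # client_version
    body += bytes(32) + b"\x00"                               # random, empty session id
    body += struct.pack("!H", 2) + b"\x00\x2f" + b"\x01\x00"  # one suite, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_version(record):
    """Return the highest version the client offers, parsed from a raw record."""
    if len(record) < 11:
        raise ValueError("record too short")
    ctype, _record_version, length = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or len(record) < 5 + length:
        raise ValueError("not a complete handshake record")
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    return struct.unpack("!H", record[9:11])[0]

def server_choice(record, server_min=0x0302, server_max=0x0303):
    """Version the server answers with, or None when it refuses the client.

    Before TLS 1.3 the hello carries only the client's maximum, so leaving
    older protocols enabled on the client does not lower the result.
    """
    chosen = min(offered_version(record), server_max)
    return WIRE[chosen] if chosen >= server_min else None

if __name__ == "__main__":
    for pref in (1, 2, 3):
        result = server_choice(client_hello(pref))
        print(f"version.max={pref}: {result or 'handshake refused'}")
```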