Date:      Tue, 28 Jul 2015 15:43:44 -0400
From:      "Michael B. Eichorn" <ike@michaeleichorn.com>
To:        Arthur Chance <freebsd@qeng-ho.org>, Ian Smith <smithi@nimnet.asn.au>,  Polytropon <freebsd@edvax.de>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: FreeBSD Forum access problem (was Re: Endless Data Loss)
Message-ID:  <1438112624.13980.36.camel@michaeleichorn.com>
In-Reply-To: <55B79501.2020405@qeng-ho.org>
References:  <mailman.67.1437912001.91662.freebsd-questions@freebsd.org> <20150726233449.M17327@sola.nimnet.asn.au> <20150726180913.bfa82863.freebsd@edvax.de> <20150728230108.T17327@sola.nimnet.asn.au> <55B79501.2020405@qeng-ho.org>

On Tue, 2015-07-28 at 15:43 +0100, Arthur Chance wrote:
> On 28/07/2015 14:30, Ian Smith wrote:
> > On Sun, 26 Jul 2015 18:09:13 +0200, Polytropon wrote:
> >   > On Sun, 26 Jul 2015 23:58:25 +1000 (EST), Ian Smith wrote:
> > 
> >   > > That's not the problem.  The problem with the forums site is that it no
> >   > > longer allows connections using SSLv3 or TLS 1.0 .. it requires at least
> >   > > TLS 1.1 now, and might later accept only TLS 1.2, even just for reading.
> >   >
> >   > Thank you for clarification! I've set the security options
> >   > to only (!) allow TLS 1.1 and 1.2, _no_ SSL v3 or TLS 1.0,
> >   > and now I can connect to the forum again. I'll check now if
> >   > the other few websites I visit will be "impacted" by that
> >   > configuration change.
> > 
> > I don't think you needed to disable older protocols - unless you want to
> > not permit yourself to connect to older sites that only present those
> > protocols - in order for the highest/latest options to be selected where
> > they are enabled and perhaps demanded as in the case of the forums.
> > 
> > But you should test that assumption, which is all it is.
> > 
> > I've since found that even my not-SO-ancient firefox from 9.1 to
> > 9.2-stable times would not connect to forums.freebsd.org either.
> > 
> > % pkg info firefox
> > firefox-23.0,1
> > Name           : firefox
> > Version        : 23.0,1
> > Installed on   : Sun Jul 20 02:37:45 EST 2014
> > Origin         : www/firefox
> > Architecture   : freebsd:9:x86:64
> > 
> > Had to go hunting in the bowels of about:config to find what SSL
> > protocols were set, and it just showed '1' (as an integer), so after
> > some more hunting, on a hunch I tried '2' there.  That worked! but I
> > have not the slightest idea why it does, or what '2' signifies :)
> 
> I'm on FF 39 so this may not apply to you, but with that caveat my 
> about:config shows
> 
> security.tls.version.min = 1
> security.tls.version.max = 3
> 
> and an add-on (Configuration Mania) which gives nicer access to many 
> config settings interprets that as TLS 1.0 as minimum, TLS 1.2 as 
> maximum. I have no problem getting to the forums.
> 
Correct, the Firefox TLS versions are indeed 1 = TLSv1.0, 2 = TLSv1.1,
and 3 = TLSv1.2; in the future expect to see 4 = TLSv1.3 (which is in
draft at present). At the moment min=1 max=3 is OK as about 40% of
servers are TLSv1.0 only.

For those on firefox < 36, opera < 30, and chrome/chromium < 43 you may
want to do an update to improve security. These versions are when RC4
was made fallback only. This is important as a result of some server
configurations attempting to mitigate BEAST preferring RC4. Note that
RC4 is officially prohibited in TLS as of RFC 7465 (Feb 2015).

Of course if upgrading is not an option there are methods available in
most browsers to selectively disable RC4. This would prevent
communication with RC4 only servers (which unfortunately exist), as
such upgrading to the above versions is preferred.

Ike
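An added example (not from this thread or any of its participants) that decodes the integer TLS codes discussed above from a Firefox prefs.js and flags the settings the thread warns about; the RC4 cipher-suite pref names are assumed, and the sample prefs.js is constructed.

```python
import re

# Firefox's about:config integer codes for security.tls.version.min/max, as
# explained in the thread: 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3.
TLS_CODES = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}
# Assumed pref names for the RC4 cipher suites in Firefox of that era
# (not quoted in the thread; verify against your own about:config).
RC4_PREFS = ("security.ssl3.ecdhe_ecdsa_rc4_128_sha",
             "security.ssl3.ecdhe_rsa_rc4_128_sha",
             "security.ssl3.rsa_rc4_128_md5", "security.ssl3.rsa_rc4_128_sha")
# prefs.js records only user-changed prefs, one per line:
#   user_pref("security.tls.version.min", 1);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
# Constructed sample profile, not taken from any real machine.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences (constructed sample)
user_pref("security.tls.version.min", 1);
user_pref("security.tls.version.max", 3);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
"""

def parse_prefs(text):
    """Return {name: value}; values are decoded to bool, int or str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything not a user_pref()
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit_tls_prefs(text):
    """Decode the version codes and list what a defender would want changed."""
    prefs = parse_prefs(text)
    lo = prefs.get("security.tls.version.min", 1)  # absent = browser default;
    hi = prefs.get("security.tls.version.max", 3)  # min=1/max=3 as in the thread
    findings = []
    if lo < 2:
        findings.append("min=%d still allows TLS 1.0" % lo)
    if hi < 2:
        findings.append("max=%d cannot reach sites demanding TLS 1.1+" % hi)
    not_off = [p for p in RC4_PREFS if prefs.get(p) is not False]
    if not_off:  # prefs.js holds only overrides, so unset means browser default
        findings.append("RC4 suites not explicitly disabled: %d" % len(not_off))
    return {"min": TLS_CODES.get(lo, "unknown"),
            "max": TLS_CODES.get(hi, "unknown"), "findings": findings}
```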



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1438112624.13980.36.camel>