From: "Michael B. Eichorn"
To: Arthur Chance , Ian Smith , Polytropon
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD Forum access problem (was Re: Endless Data Loss)
Date: Tue, 28 Jul 2015 15:43:44 -0400
Message-ID: <1438112624.13980.36.camel@michaeleichorn.com>
In-Reply-To: <55B79501.2020405@qeng-ho.org>
References: <20150726233449.M17327@sola.nimnet.asn.au> <20150726180913.bfa82863.freebsd@edvax.de> <20150728230108.T17327@sola.nimnet.asn.au> <55B79501.2020405@qeng-ho.org>

On Tue, 2015-07-28 at 15:43 +0100, Arthur Chance wrote:
> On 28/07/2015 14:30, Ian Smith wrote:
> > On Sun, 26 Jul 2015 18:09:13 +0200, Polytropon wrote:
> > > On Sun, 26 Jul 2015 23:58:25 +1000 (EST), Ian Smith wrote:
> > >
> > > > That's not the problem. The problem with the forums site is that it no
> > > > longer allows connections using SSLv3 or TLS 1.0 .. it requires at least
> > > > TLS 1.1 now, and might later accept only TLS 1.2, even just for reading.
> > >
> > > Thank you for clarification! I've set the security options
> > > to only (!) allow TLS 1.1 and 1.2, _no_ SSL v3 or TLS 1.0,
> > > and now I can connect to the forum again. I'll check now if
> > > the other few websites I visit will be "impacted" by that
> > > configuration change.
> >
> > I don't think you needed to disable older protocols - unless you want to
> > not permit yourself to connect to older sites that only present those
> > protocols - in order for the highest/latest options to be selected where
> > they are enabled and perhaps demanded as in the case of the forums.
> >
> > But you should test that assumption, which is all it is.
> >
> > I've since found that even my not-SO-ancient firefox from 9.1 to
> > 9.2-stable times would not connect to forums.freebsd.org either.
> >
> > % pkg info firefox
> > firefox-23.0,1
> > Name           : firefox
> > Version        : 23.0,1
> > Installed on   : Sun Jul 20 02:37:45 EST 2014
> > Origin         : www/firefox
> > Architecture   : freebsd:9:x86:64
> >
> > Had to go hunting in the bowels of about:config to find what SSL
> > protocols were set, and it just showed '1' (as an integer), so after
> > some more hunting, on a hunch I tried '2' there. That worked! but I
> > have not the slightest idea why it does, or what '2' signifies :)
>
> I'm on FF 39 so this may not apply to you, but with that caveat my
> about:config shows
>
> security.tls.version.min = 1
> security.tls.version.max = 3
>
> and an add-on (Configuration Mania) which gives nicer access to many
> config settings interprets that as TLS 1.0 as minimum, TLS 1.2 as
> maximum. I have no problem getting to the forums.
>

Correct, the Firefox TLS versions are indeed 1 = TLSv1.0, 2 = TLSv1.1, and
3 = TLSv1.2; in the future expect to see 4 = TLSv1.3 (which is in draft at
present). At the moment min=1 max=3 is OK as about 40% of servers are
TLSv1.0 only.

For those on firefox < 36, opera < 30, and chrome/chromium < 43 you may want
to do an update to improve security. These versions are when RC4 was made
fallback only. This is important as a result of some server configurations
attempting to mitigate BEAST preferring RC4. Note that RC4 is officially
prohibited in TLS as of RFC 7465 (Feb 2015).

Of course if upgrading is not an option there are methods available in most
browsers to selectively disable RC4. This would prevent communication with
RC4 only servers (which unfortunately exist), as such upgrading to the above
versions is preferred.

Ike
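As an added example that is not part of the thread, the following script audits a Firefox prefs.js/user.js against the two points discussed above: it decodes the integer `security.tls.version.min`/`max` values using the 1 = TLS 1.0 .. 4 = TLS 1.3 mapping Ike gives, and it reports whether any RC4 ciphersuite prefs are still enabled. The `security.ssl3.*rc4*` pref names are assumed (Firefox-era names, not quoted in the thread), as is the assumption that an absent RC4 pref means the suite is enabled, which matched pre-36 defaults.

```python
import re

# Firefox integer encoding of TLS versions, as stated in the thread.
TLS_VERSION_NAMES = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

# ASSUMED per-ciphersuite pref names that toggled RC4 in Firefox of that era.
RC4_CIPHER_PREFS = (
    "security.ssl3.rsa_rc4_128_md5",
    "security.ssl3.rsa_rc4_128_sha",
    "security.ssl3.ecdhe_rsa_rc4_128_sha",
    "security.ssl3.ecdhe_ecdsa_rc4_128_sha",
)

# Matches one user_pref("name", value); line with a bool, int or string value.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')

# Constructed sample user.js (not from any real profile): TLS 1.0 still
# allowed, only two of the four RC4 suites explicitly turned off.
SAMPLE_PREFS = """\
// constructed sample
user_pref("security.tls.version.min", 1);
user_pref("security.tls.version.max", 3);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
"""

def parse_prefs(text):
    """Parse user_pref(...) lines into a dict with typed values."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw.strip('"')
        else:
            prefs[name] = int(raw)
    return prefs

def audit_tls_prefs(prefs):
    """Return (min_version, max_version, findings) for a parsed prefs dict."""
    lo = prefs.get("security.tls.version.min", 1)   # Firefox default of the time
    hi = prefs.get("security.tls.version.max", 3)
    findings = []
    if lo > hi:
        findings.append("min > max: no TLS version can be negotiated")
    if lo < 2:
        findings.append("TLS 1.0 still allowed (security.tls.version.min=%d)" % lo)
    # ASSUMPTION: an RC4 pref that is absent keeps its old default of enabled.
    rc4_on = [p for p in RC4_CIPHER_PREFS if prefs.get(p, True)]
    if rc4_on:
        findings.append("RC4 ciphersuites enabled: " + ", ".join(rc4_on))
    return (TLS_VERSION_NAMES.get(lo, "unknown"),
            TLS_VERSION_NAMES.get(hi, "unknown"), findings)

if __name__ == "__main__":
    lo, hi, findings = audit_tls_prefs(parse_prefs(SAMPLE_PREFS))
    print("TLS range: %s .. %s" % (lo, hi))
    for f in findings:
        print(" -", f)
```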