[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers

Subject: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers
From: outsider at scarynet.org (Alexander Maassen)
Date: Fri, 17 Jul 2015 16:41:00 +0200
In-reply-to: <[email protected]>
References: <[email protected]> <m2zj2vdwus.wl%[email protected]> <[email protected]> <[email protected]>

As of 38.0.5, this no longer is even an option, as they removed sslv3
support, see the reviews at
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/

On Fri, July 17, 2015 2:41 pm, Robert Drake wrote:
>
>
> On 7/17/2015 4:26 AM, Alexander Maassen wrote:
>> Well, this block also affects people who have old management hardware
>> around using such ciphers that are for example no longer supported. In
>> my
>> case for example the old Dell DRAC's. And it seems there is no way to
>> disable this block.
>>
>> Ok, it is good to think about security, but not giving you any chance to
>> make exceptions is simply forcing users to use another browser in order
>> to
>> manage those devices, or to keep an old machine around that not gets
>> updated.
>>
> Or just fallback to no SSL in some cases :(  We have some old vendor
> things that were chugging along until everyone upgraded firefox and then
> suddenly they stopped working.  The "fix" was to use the alternate
> non-SSL web port rather than upgrade because even though the software is
> old, it's too critical to upgrade it in-line.
>
> The long term fix is to get new hardware and run it all in virtual
> machines with new software on top, but that may be in next years
> budget.  I've also got a jetty server (opennms) that broke due to this,
> so I upgraded and fixed the SSL options and it's still broken in some
> way that won't log errors.  I have no time to track that down so the
> workaround is to use the unencrypted version until I can figure it out.
>
> Having said that, it seems that there is a workaround in Firefox if
> people need it.  about:config and re-enabling the weak ciphers.
> Hopefully turning them on leaves you with a even bigger warning than
> normal saying it's a bad cert, but you could get back in.  This doesn't
> help my coworkers.  I'm not going to advise a bunch of people with
> varying levels of technical competency to turn on weak ciphers, but it
> does help with a situation like yours where you absolutely can't update
> old DRAC stuff.
>
> https://support.mozilla.org/en-US/questions/1042061
>

References:
- SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers
  - From: mhuff at ox.com (Matthew Huff)
- SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers
  - From: randy at psg.com (Randy Bush)
- SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers
  - From: outsider at scarynet.org (Alexander Maassen)
- SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers
  - From: rdrake at direcpath.com (Robert Drake)

Prev by Date: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers
Next by Date: another tilt at the Verizon FIOS IPv6 windmill
Previous by thread: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers
Next by thread: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers
Index(es):
- Date
- Thread