nanog mailing list archives
RE: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers
From: Matthew Huff <mhuff () ox com>
Date: Fri, 17 Jul 2015 13:42:37 +0000
After making the about:config changes, no warning is given to the user about the bad ciphers. Even if you click the SSL lock icon, no warning is given. Only if you know that the connection being made with "TLS_RSA_WITH_AES_128_CBC_SHA, 128 bit keys, TLS 1.0" is a bad thing would you have any clue.

----
Matthew Huff           | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC     | Phone: 914-460-4039
aim: matthewbhuff      | Fax: 914-694-5669

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Robert Drake
Sent: Friday, July 17, 2015 8:42 AM
To: nanog () nanog org
Subject: Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers

> On 7/17/2015 4:26 AM, Alexander Maassen wrote:
>> Well, this block also affects people who have old management hardware around using such ciphers that are, for example, no longer supported. In my case, for example, the old Dell DRACs. And it seems there is no way to disable this block. OK, it is good to think about security, but not giving you any chance to make exceptions is simply forcing users to use another browser in order to manage those devices, or to keep an old machine around that doesn't get updated.
>
> Or just fall back to no SSL in some cases :(
>
> We have some old vendor things that were chugging along until everyone upgraded Firefox and then suddenly they stopped working. The "fix" was to use the alternate non-SSL web port rather than upgrade, because even though the software is old, it's too critical to upgrade it in-line. The long-term fix is to get new hardware and run it all in virtual machines with new software on top, but that may be in next year's budget.
>
> I've also got a jetty server (opennms) that broke due to this, so I upgraded and fixed the SSL options and it's still broken in some way that won't log errors. I have no time to track that down, so the workaround is to use the unencrypted version until I can figure it out.
>
> Having said that, it seems that there is a workaround in Firefox if people need it: about:config and re-enabling the weak ciphers. Hopefully turning them on leaves you with an even bigger warning than normal saying it's a bad cert, but you could get back in.
>
> This doesn't help my coworkers. I'm not going to advise a bunch of people with varying levels of technical competency to turn on weak ciphers, but it does help with a situation like yours where you absolutely can't update old DRAC stuff.
>
> https://support.mozilla.org/en-US/questions/1042061
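The two things the thread leaves the reader to work out by hand are (a) how small the server's DH group actually is, which is what Firefox 39 started refusing, and (b) whether the suite Firefox reports after the about:config workaround is any better. The script below is an added example, not code from the thread, the SEC, Dell or Mozilla: it parses a DHE ServerKeyExchange record (the message that carries dh_p) and measures the prime, and it grades a negotiated suite/version string of the form Huff quotes. The record is constructed inline with a 512-bit prime; the 1024-bit threshold is an assumption standing in for Firefox's cutoff, and the about:config prefs are not named because the mail does not say which were changed.

```python
"""Added example (not from the thread). Offline checks for the two symptoms
discussed: an undersized DHE group, and a post-workaround suite such as
"TLS_RSA_WITH_AES_128_CBC_SHA, TLS 1.0".
"""
import struct

CONTENT_HANDSHAKE = 22          # TLS record content type: handshake
HS_SERVER_KEY_EXCHANGE = 12     # handshake message type: ServerKeyExchange
MIN_DH_BITS = 1024              # assumed cutoff; smaller groups are flagged


def build_dhe_server_key_exchange(p: bytes, g: bytes, ys: bytes, sig: bytes,
                                  version=(3, 1)) -> bytes:
    """Construct a TLS 1.0-style DHE ServerKeyExchange (dh_p, dh_g, dh_Ys,
    signature; no SignatureAndHashAlgorithm prefix, which is TLS 1.2 only),
    wrapped in a handshake header and a record header. Test fixture only."""
    body = b"".join(struct.pack("!H", len(x)) + x for x in (p, g, ys, sig))
    hs = bytes([HS_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE, *version]) + struct.pack("!H", len(hs)) + hs


def dh_prime_bits(record: bytes) -> int:
    """Bit length of dh_p in a DHE ServerKeyExchange record (as captured from
    e.g. `openssl s_client -cipher DHE` or a pcap). Raises on anything else."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2:
        raise ValueError("truncated ServerKeyExchange")
    p_len = struct.unpack("!H", body[:2])[0]
    p = body[2:2 + p_len]
    if len(p) != p_len:
        raise ValueError("truncated dh_p")
    # Leading zero bytes do not add strength, so measure the integer, not the field.
    return int.from_bytes(p, "big").bit_length()


def dh_verdict(bits: int, minimum: int = MIN_DH_BITS) -> str:
    return "ok" if bits >= minimum else f"weak DH: {bits}-bit prime < {minimum}"


def assess_suite(suite: str, version: str) -> list:
    """Findings for an IANA suite name plus protocol version, in the form the
    Firefox page-info dialog shows them. Empty list means nothing flagged."""
    findings = []
    if version in ("SSL 3.0", "TLS 1.0", "TLS 1.1"):
        findings.append(f"{version}: legacy protocol version")
    kx = suite.split("_WITH_")[0]           # "TLS_RSA", "TLS_DHE_RSA", ...
    if kx == "TLS_RSA":
        findings.append("static RSA key exchange: no forward secrecy")
    if "EXPORT" in suite:
        findings.append("export-grade suite")
    if suite.endswith("_CBC_SHA"):
        findings.append("CBC-mode suite with HMAC-SHA1")
    if "_RC4_" in suite or "_DES_" in suite or "_NULL_" in suite:
        findings.append("broken or null cipher")
    return findings


# Constructed sample: a 512-bit prime (top byte 0xFF so bit_length is exactly
# 512), a generator of 2, a 512-bit public value and a 1024-bit dummy signature.
SAMPLE_P = b"\xff" + b"\x01" * 63
SAMPLE_RECORD = build_dhe_server_key_exchange(
    SAMPLE_P, b"\x02", b"\x05" * 64, b"\x00" * 128)

if __name__ == "__main__":
    bits = dh_prime_bits(SAMPLE_RECORD)
    print(f"dh_p: {bits} bits -> {dh_verdict(bits)}")
    for f in assess_suite("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS 1.0"):
        print("finding:", f)
```

Run against the sample it reports a 512-bit group, the size Logjam targeted, and grades Huff's post-workaround suite as static-RSA (no forward secrecy) over a legacy version: the lock icon stays silent about both, which is his point. On a real host, `openssl s_client -connect host:443 -cipher DHE` prints the negotiated temp key size directly, and the record parser above is for the case where all you have is a capture.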
Current thread:
- SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers Matthew Huff (Jul 16)
- Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers Randy Bush (Jul 17)
- Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers Alexander Maassen (Jul 17)
- Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers Robert Drake (Jul 17)
- RE: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers Matthew Huff (Jul 17)
- Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers Alexander Bochmann (Jul 19)
- Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers Jeff Gehlbach (Jul 17)
- Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers Alexander Maassen (Jul 17)
- Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers Geoffrey Keating (Jul 17)
- Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers Michael O Holstein (Jul 17)
- Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers Niels Bakker (Jul 17)
- Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers Michael O Holstein (Jul 17)
- Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers Alexander Maassen (Jul 17)
- Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers Matt Palmer (Jul 17)
- Re: Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers tqr2813d376cjozqap1l (Jul 17)
- Re: Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers George Metz (Jul 18)
- Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers Randy Bush (Jul 17)