[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#31946: 27.0.50; The NSM should warn about more TLS problems
From: |
Jimmy Yuen Ho Wong |
Subject: |
bug#31946: 27.0.50; The NSM should warn about more TLS problems |
Date: |
Fri, 29 Jun 2018 06:21:38 +0100 |
Update:
I just tried with this node.js script:
#! /usr/bin/env node
const https = require('https');
const fs = require('fs');
const options = {
key: fs.readFileSync('ryans-key.pem'),
cert: fs.readFileSync('ryans-cert.pem'),
ciphers: "DHE-RSA-AES128-GCM-SHA256"
};
https.createServer(options, (req, res) => {
res.writeHead(200);
res.end('hello world\n');
}).listen(8000);
Chrome gave me a ERR_SSL_VERSION_OR_CIPHER_MISMATCH, Firefox gave me a
SSL_ERROR_NO_CYPHER_OVERLAP, Safari just told me it can't establish a
connection.
Conversely, changing DHE to ECDHE will at least show me the warning
screen for a self-signed cert, so I'm fairly certain now that these 3
browsers have removed DHE KX.
Heads up:
I'm adding about 10 new checks into NSM ATM. Will send a early preview
patch here later today for feedback.
On Thu, Jun 28, 2018 at 7:15 PM, Jimmy Yuen Ho Wong <wyuenho@gmail.com> wrote:
> The Telemetry data[1] from Mozilla in bug report 1227519[2] suggests
> DHE usage is very low for HTTP. No data for any other protocol.
>
> I just used Wireshark on Chrome and Firefox on macOS, they all seem to
> advertise DH and DHE cipher suites in Client Hello for TLS 1.2, they
> even advertise CBC mode ciphers too. While I'm not sure about Firefox,
> surely Chrome has removed DHE_SHA KX and CBC modes according to
> ChromeStatus[3]?
>
>
> [1]: https://tlscanary.mozilla.org/runs/2018-01-25-01-21-44/
> [2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1227519
> [3]: https://www.chromestatus.com/features#tls
>
> On Thu, Jun 28, 2018 at 6:01 PM, Lars Ingebrigtsen <larsi@gnus.org> wrote:
>> Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes:
>>
>>>> I can't see that that web page mentions Diffie-Hellman at all?
>>>>
>>>
>>> Click on the individual browsers.
>>
>> I see.
>>
>>> SSLLabs only reports that Firefox 59 / Win 7 has dropped support for
>>> DHE_RSA in the UA capabilities page[1], but client test[2] still shows
>>> it is supported, so does Chrome and Safari. I don't understand what's
>>> going on there. Could that list in in client test be static? Or that
>>> browsers still advertise their support for DHE_RSA when in fact they
>>> don't? Might have to get on a server and log out the TLS handshake to
>>> see what's actually going on...
>>>
>>> [1]: https://www.ssllabs.com/ssltest/clients.html
>>> [2]: https://www.ssllabs.com/ssltest/viewMyClient.html
>>
>> My
>>
>> Chromium 66.0.3359.117 (Developer Build) built on Debian 9.4,
>> running on Debian 9.4 (64-bit)
>>
>> on the viewMyClient reports not supporting DHE-RSA.
>>
>> Confusing. :-)
>>
>> I tried finding a web site that says how many sites do not support ECDHE
>> as key exchange, and only found something from 2014 that says that was
>> 60%...
>>
>> --
>> (domestic pets only, the antidote for overdose, milk.)
>> bloggy blog: http://lars.ingebrigtsen.no
- bug#31946: 27.0.50; The NSM should warn about more TLS problems, (continued)
- bug#31946: 27.0.50; The NSM should warn about more TLS problems, Noam Postavsky, 2018/06/27
- bug#31946: 27.0.50; The NSM should warn about more TLS problems, Jimmy Yuen Ho Wong, 2018/06/28
- bug#31946: 27.0.50; The NSM should warn about more TLS problems, Lars Ingebrigtsen, 2018/06/28
- bug#31946: 27.0.50; The NSM should warn about more TLS problems, Jimmy Yuen Ho Wong, 2018/06/28
- bug#31946: 27.0.50; The NSM should warn about more TLS problems, Lars Ingebrigtsen, 2018/06/28
- bug#31946: 27.0.50; The NSM should warn about more TLS problems, Jimmy Yuen Ho Wong, 2018/06/28
- bug#31946: 27.0.50; The NSM should warn about more TLS problems,
Jimmy Yuen Ho Wong <=
- bug#31946: 27.0.50; The NSM should warn about more TLS problems, Jimmy Yuen Ho Wong, 2018/06/29
- bug#31946: 27.0.50; The NSM should warn about more TLS problems, Jimmy Yuen Ho Wong, 2018/06/30
- bug#31946: 27.0.50; The NSM should warn about more TLS problems, Noam Postavsky, 2018/06/30
- bug#31946: 27.0.50; The NSM should warn about more TLS problems, Jimmy Yuen Ho Wong, 2018/06/30
- bug#31946: 27.0.50; The NSM should warn about more TLS problems, Noam Postavsky, 2018/06/30