[Triumf-linux-users] SSL/TLS support in browsers and other agents - feedback requested
Andrew Daviel
advax at triumf.ca
Thu Jun 11 16:00:06 PDT 2015
This isn't aimed specifically at Linux users, but rather at people who
might have actually heard of TLS and Diffie-Hellman etc.

There have been various initiatives to tighten network security in the
wake of Edward Snowden's reports etc., and various vulnerabilities found
in existing SSL deployments. E.g. SSL2 is long since deprecated, and since
last year, SSL3 is also deprecated in favour of TLS1.1 and 1.2, while SHA1
hash is now deprecated in SSL certificates.

I have been getting CCIRC reports advising me of TRIUMF webservers still
running SSL3, and I've been turning that off and implementing various
recommendations about cipher suites.

One effect of that is that old browsers will no longer be able to access
these websites - my old Nokia phone (E71 on Symbian) cannot access some
sites, and I've had a report of Konqueror 3.5.4 being unable to access
trmail since SSL3 was disabled. Older Java in particular has issues. It
can work the other way, too - I heard of someone who had to install an
obsolete version of IE just to access a UPS in order to turn it off, while
an older version of SeaMonkey appears to not trust the recent Comodo
EV certificate on admin.

I have a collection of miscellaneous sites I've been testing, viz.
http://andrew.triumf.ca/ssl.html
http://andrew.triumf.ca/ssl2.html

If you have any problems accessing any of these sites with any browser, or
conversely get any security warnings, please let me know.
Or if you know of any other user agents (wget, curl, Java, WebDAV, HTTP
libraries) that have any issues with any TRIUMF sites or devices.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager