[Cialug] Firefox Support for TLS v1.0 and v1.2
Barry Von Ahsen
vonahsen at gmail.com
Mon Mar 1 17:26:12 UTC 2021
nmap has a ssl-enum-ciphers script, or openssl s_client should tell you the default cypher

# nmap --script ssl-enum-ciphers -p 443 <tgt>
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 11:02 CST
Nmap scan report for <tgt>
Host is up (0.00014s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

# openssl s_client -connect <tgt>:443
<snip>
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1866 bytes and written 409 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

-barry

> On Mar 1, 2021, at 10:47 AM, Todd Walton <tdwalton at gmail.com> wrote:
>
> So I finally got one of these today, for the first time:
> https://imgur.com/YDeN2Qa
>
> It's a message from Firefox in place of the website I was trying to load.
> It says:
>
> Secure Connection Failed
>
> An error occurred during a connection to directory-proxy.castlebranch.com.
> Peer using unsupported version of security protocol.
>
> Error code: SSL_ERROR_UNSUPPORTED_VERSION
>
> The page you are trying to view cannot be shown because the
> authenticity of the received data could not be verified.
> Please contact the website owners to inform them of this problem.
>
> This website might not support the TLS 1.2 protocol, which is the minimum
> version supported by Firefox. Enabling TLS 1.0 and TLS 1.1 might allow this
> connection to succeed.
>
> TLS 1.0 and TLS 1.1 will be permanently disabled in a future release.
>
> And there's a button that says it will "Enable TLS 1.0 and 1.1". But I've
> clicked the button and it still doesn't allow the site to load. It still
> says, "SSL_ERROR_UNSUPPORTED_VERSION". I loaded about:config and see that
> security.tls.version.enable-deprecated is now set to true.
>
> I'd like to figure out what version of TLS this site is offering up. Any
> ideas on how to do that?
> --
> Todd
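
Added example, not part of the original thread: a small Python parser for the ssl-enum-ciphers output format shown in the reply above. It lists which protocol versions a server offers and checks whether a client with a given minimum version could negotiate one. The sample output is constructed, and the function names and the `client_min` parameter are assumptions of this example.

```python
import re

# Constructed, abridged ssl-enum-ciphers output for a hypothetical server that
# offers only TLS 1.0 and 1.1; this is not output from the thread.
SAMPLE = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     cipher preference: server
|_  least strength: C
"""

PROTO = re.compile(r"^(SSLv3|TLSv1\.[0-3]):$")
CIPHER = re.compile(r"^((?:TLS|SSL)_\S+)\s.*-\s([A-F])$")
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # oldest first


def parse_enum_ciphers(text):
    """Return {protocol: [(cipher, grade), ...]}; works with or without indentation."""
    offered, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue  # only script output lines carry the '|' prefix
        line = raw.lstrip("|_").strip()
        if m := PROTO.match(line):
            current = m.group(1)
            offered[current] = []
        elif (m := CIPHER.match(line)) and current:
            offered[current].append((m.group(1), m.group(2)))
    return offered


def client_can_connect(offered, client_min="TLSv1.2"):
    """True if the server offers any version at or above the client's minimum."""
    floor = ORDER.index(client_min)
    return any(ORDER.index(p) >= floor for p in offered)


if __name__ == "__main__":
    result = parse_enum_ciphers(SAMPLE)
    print(sorted(result), client_can_connect(result))
```

Save the scan with `nmap --script ssl-enum-ciphers -p 443 <tgt> -oN scan.txt` and pass the file contents to `parse_enum_ciphers` in place of `SAMPLE`.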