SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers

Robert Drake rdrake at direcpath.com
Fri Jul 17 12:41:50 UTC 2015



On 7/17/2015 4:26 AM, Alexander Maassen wrote:
> Well, this block also affects people who have old management hardware
> around using such ciphers that are for example no longer supported. In my
> case for example the old Dell DRACs. And it seems there is no way to
> disable this block.
>
> Ok, it is good to think about security, but not giving you any chance to
> make exceptions is simply forcing users to use another browser in order to
> manage those devices, or to keep an old machine around that doesn't get
> updated.
>
Or just fall back to no SSL in some cases :(  We have some old vendor 
things that were chugging along until everyone upgraded Firefox and then 
suddenly they stopped working.  The "fix" was to use the alternate 
non-SSL web port rather than upgrade because even though the software is 
old, it's too critical to upgrade it in-line.

The long term fix is to get new hardware and run it all in virtual 
machines with new software on top, but that may be in next year's 
budget.  I've also got a jetty server (opennms) that broke due to this, 
so I upgraded and fixed the SSL options and it's still broken in some 
way that won't log errors.  I have no time to track that down so the 
workaround is to use the unencrypted version until I can figure it out.

Having said that, it seems that there is a workaround in Firefox if 
people need it: about:config and re-enabling the weak ciphers. 
Hopefully turning them on leaves you with an even bigger warning than 
normal saying it's a bad cert, but you could get back in.  This doesn't 
help my coworkers.  I'm not going to advise a bunch of people with 
varying levels of technical competency to turn on weak ciphers, but it 
does help with a situation like yours where you absolutely can't update 
old DRAC stuff.

https://support.mozilla.org/en-US/questions/1042061
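Added example, not from the original thread: a small Python checker built on `openssl s_client` for inventorying which management endpoints still offer a DH group that Firefox 39 and later refuse (below 1024 bits), so the devices that need a port change or a firmware update can be listed before the next browser update breaks them. The `DHE` cipher alias and the `Server Temp Key` output line are assumptions about the installed OpenSSL; the sample outputs are constructed, not captured from real devices.

```python
import re
import subprocess
import sys

# Firefox 39 (mid-2015) began refusing ephemeral DH groups shorter than 1024 bits
# after the Logjam research; 2048 bits is the size worth migrating to.
FIREFOX_MIN_DH_BITS = 1024
RECOMMENDED_DH_BITS = 2048

# Matches "Server Temp Key: DH, 1024 bits" and "Server Temp Key: ECDH, P-256, 256 bits"
# (the line openssl s_client prints; assumed format for the installed OpenSSL).
TEMP_KEY_RE = re.compile(r"Server Temp Key:\s*([A-Za-z0-9]+),\s*(?:[^,\n]+,\s*)?(\d+)\s*bits")

def classify_dh(s_client_output):
    """Classify the ephemeral key in `openssl s_client` output.
    verdict: "blocked-weak-dh" (Firefox refuses it), "legacy-dh" (accepted but
    under 2048 bits), "ok" (>= 2048-bit DH or an elliptic-curve exchange), or
    "no-ephemeral-key" (server declined DHE-only suites or handshake failed)."""
    m = TEMP_KEY_RE.search(s_client_output)
    if not m:
        return {"kind": None, "bits": 0, "verdict": "no-ephemeral-key"}
    kind, bits = m.group(1), int(m.group(2))
    if kind != "DH" or bits >= RECOMMENDED_DH_BITS:
        verdict = "ok"
    elif bits >= FIREFOX_MIN_DH_BITS:
        verdict = "legacy-dh"
    else:
        verdict = "blocked-weak-dh"
    return {"kind": kind, "bits": bits, "verdict": verdict}

def probe_dhe(host, port=443, timeout=15):
    """Offer only DHE suites (OpenSSL 'DHE' alias, assumed available) so the
    server reveals its DH group if it supports DHE at all, then classify it."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", "DHE"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return classify_dh(proc.stdout.decode(errors="replace"))

# Constructed sample outputs (not captured from real devices) for an offline check.
SAMPLE_WEAK = "SSL handshake has read 1234 bytes\n---\nServer Temp Key: DH, 768 bits\n---\n"
SAMPLE_LEGACY = "---\nServer Temp Key: DH, 1024 bits\n---\n"
SAMPLE_ECDH = "---\nServer Temp Key: ECDH, P-256, 256 bits\n---\n"
SAMPLE_REFUSED = "CONNECTED(00000003)\nssl handshake failure\n"

if __name__ == "__main__":
    # Usage: python dh_audit.py host[:port] ...   (hypothetical file name)
    for target in sys.argv[1:]:
        host, _, port = target.partition(":")
        print(target, probe_dhe(host, int(port or 443)))
```

A "no-ephemeral-key" result only means the device would not negotiate DHE with this client; it says nothing about the strength of whatever key exchange it does use.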



More information about the NANOG mailing list