SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers

• Previous message (by thread): SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers
• Next message (by thread): SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Load balancers can also be used like this, while maintaining redundancy 
(assuming HA LB config). Terminate SSL/TLS on the LB and run plain-text 
to the application/appliance. As long as the load balancer is in an 
acceptable part of the network.

--Will

On 7/17/15 1:59 PM, Michael O Holstein wrote:
> Yes, the config option in FF is global .. I'm sure it could be done with an extension though.
>
> The 'el cheapo' solution that comes to mind is use a Rasberry Pi with dual ethernet (second via USB) and run Nginx on it .. secure out the front, insecure out the back. It'd cost you something like $50.
>
> I'm surprised "SSL stupidifiers" aren't on sale for $9 at Aliexpress or DX.
>
> -Mike
>
> ________________________________________
> From: NANOG <nanog-bounces at nanog.org> on behalf of Alexander Maassen <outsider at scarynet.org>
> Sent: Friday, July 17, 2015 4:50 PM
> To: nanog at nanog.org
> Subject: Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers
>
> (Sorry Michael for the duplicate, forgot to press reply all :P)
>
> No problem making the web more secure, but in such cases I think it would
> have been better if you could set this behaviour per site, same as with
> 'invalid/self signed certs'. And in some cases, vendors use weak ciphers
> because they also utilize less resources. Everyone who has a DRAC knows
> about it's sluggish performance.
>
> Another backdraw of the DRAC's is, they are https only, and you cannot
> turn this behaviour off. Guess for that the only options would be to make
> your own interface and utilize the telnet/snmp interface. (Which is
> probably less secure then SSLv3), or some form of SSLv3 <-> strong cipher
> proxy.
>
> And needing to replace hardware that works perfectly fine for the purposes
> it's intended for just because a browser refuses to connect to it and
> denies you the option to make exceptions sounds just like the well known
> error 'Not enough money spend on hardware'
>
> On Fri, July 17, 2015 9:14 pm, Michael O Holstein wrote:
>>> making 99% of the web secure is better than keeping an old 1% working
>> A fine idea, unless for $reason your application is among the 1% ..
> nevermind the arrogance of the "I'm sorry Dave" sort of attitude.
>> As an example .. we have a vendor who, in the current release (last 3
> months) still requires "weak" ciphers in authentication responses. That
> was mostly okay until another vendor (with more sense) wanted to auth
> the same way but only permitted strong ciphers.
>> My $0.02
>>
>> Michael Holstein
>> Cleveland State University
>
>

• Previous message (by thread): SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers
• Next message (by thread): SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]