SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers

Alexander Maassen outsider at scarynet.org
Fri Jul 17 14:41:00 UTC 2015


As of 38.0.5, this no longer is even an option, as they removed SSLv3
support, see the reviews at
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/

On Fri, July 17, 2015 2:41 pm, Robert Drake wrote:
>
>
> On 7/17/2015 4:26 AM, Alexander Maassen wrote:
>> Well, this block also affects people who have old management hardware
>> around using such ciphers that are for example no longer supported. In my
>> case for example the old Dell DRACs. And it seems there is no way to
>> disable this block.
>>
>> Ok, it is good to think about security, but not giving you any chance to
>> make exceptions is simply forcing users to use another browser in order to
>> manage those devices, or to keep an old machine around that does not get
>> updated.
>>
> Or just fall back to no SSL in some cases :(  We have some old vendor
> things that were chugging along until everyone upgraded Firefox and then
> suddenly they stopped working.  The "fix" was to use the alternate
> non-SSL web port rather than upgrade because even though the software is
> old, it's too critical to upgrade it in-line.
>
> The long term fix is to get new hardware and run it all in virtual
> machines with new software on top, but that may be in next year's
> budget.  I've also got a jetty server (opennms) that broke due to this,
> so I upgraded and fixed the SSL options and it's still broken in some
> way that won't log errors.  I have no time to track that down so the
> workaround is to use the unencrypted version until I can figure it out.
>
> Having said that, it seems that there is a workaround in Firefox if
> people need it.  about:config and re-enabling the weak ciphers.
> Hopefully turning them on leaves you with an even bigger warning than
> normal saying it's a bad cert, but you could get back in.  This doesn't
> help my coworkers.  I'm not going to advise a bunch of people with
> varying levels of technical competency to turn on weak ciphers, but it
> does help with a situation like yours where you absolutely can't update
> old DRAC stuff.
>
> https://support.mozilla.org/en-US/questions/1042061
>




