Solved how to install old version chromium 88 for tls1.0 support.

fff2024g · Feb 20, 2024

dear all :
i am new guy . my old device need web browser support tls1.0 to access it. now i have used freebsd14 and chromium 121 . the chromium 121 don't support tls1.0. any one have idea to enable chromium 121 support tls1.0. or how to install old chromium88 version to my freebsd14 ? thanks.

covacat · Feb 20, 2024

probably will be easier to put a proxy in between that supports it than try to build an ancient chrome with a lot of deps

fff2024g · Feb 21, 2024

covacat said:
probably will be easier to put a proxy in between that supports it than try to build an ancient chrome with a lot of deps

Dear covacat , thanks for reply. my network device firewall used tls1.0. how to build a proxy ,let my freebsd14 with chromium 121 access it through web browser ? thanks.

covacat · Feb 21, 2024

i used squid with ssl-bump option for a similar case
my problem was reversed i had a (https) client not speaking tls > 1.0 and was rejected by most of the sites so i put squid in the middle
client spoke to squid tls 1.0 which spoke tls 1.2 upstream (the client was closed source so i could not rebuild it)
in such a setup squid will generate certs which you have to trust but i assume your appliance certs is expired anyway

fff2024g · Feb 21, 2024

covacat said:
i used squid with ssl-bump option for a similar case
my problem was reversed i had a (https) client not speaking tls > 1.0 and was rejected by most of the sites so i put squid in the middle
client spoke to squid tls 1.0 which spoke tls 1.2 upstream (the client was closed source so i could not rebuild it)
in such a setup squid will generate certs which you have to trust but i assume your appliance certs is expired anyway

thanks for your reply. my some old devices were firewall , couldn't upgrade to new . so this firewall only use tls1.0. now all web browsers don't support tls1.0. so i can't access this old firewall through web browser. your solution may is not for me . thanks.

fff2024g · Mar 13, 2024

dear all :
now i find a web browser in freebsd 14 to support tls1.0. this web browser name is gnome epiphany. this epiphany web browser belongs to gnome GUI 40. epiphany web browser now support tls 1.0 ,1.1,1.2,1.3. now you can use this web brower to access old device (support tls1.0). thanks.

zirias@ · Mar 13, 2024

fff2024g said:
my network device firewall used tls1.0

I would be worried about this. Everything < TLS1.2 is considered broken and insecure.

At least make very sure your management web interface is only reachable from within a trusted network segment. But then, a device this old that didn't even get any updates to support at least TLS1.2 probably isn't too trustworthy as a firewall any more.

sko · Mar 13, 2024

I doubt a firewall that comes from the ages where TLS1.0 was the latest and greatest can be considered useful, let alone secure nowadays...
Either it needs to be updated (urgently) or nuked from orbit and replaced with something more recent, at least OS wise, e.g. by installing FreeBSD on it if its just some x86 hardware and not some ancient cisco ASA or other proprietary appliance.

fff2024g · Mar 14, 2024

zirias@ said:
I would be worried about this. Everything < TLS1.2 is considered broken and insecure.

At least make very sure your management web interface is only reachable from within a trusted network segment. But then, a device this old that didn't even get any updates to support at least TLS1.2 probably isn't too trustworthy as a firewall any more.

thanks. my device worked in a local LAN. thanks.

sdepc1ftn · Mar 19, 2024

covacat said:
i used squid with ssl-bump option for a similar case
my problem was reversed i had a (https) client not speaking tls > 1.0 and was rejected by most of the sites so i put squid in the middle
client spoke to squid tls 1.0 which spoke tls 1.2 upstream (the client was closed source so i could not rebuild it)
in such a setup squid will generate certs which you have to trust but i assume your appliance certs is expired anyway

Hi covacat , I am trying to setup exactly same config as you said in Squid, but not successful. My squid proxy is dropping TLSv1 connection from client. Can you send me squid config pl.

covacat · Mar 19, 2024

actually i did this on an ancient ubuntu box and the relevant config line is

Code:

http_port 127.0.0.1:3136  ssl-bump cert=/usr/local/squid/etc/amproxy.pem key=/usr/local/squid/etc/amproxy.private
ssl_bump server-first all
sslproxy_flags DONT_VERIFY_PEER

OpenSSL 1.0.1f 6 Jan 2014