Problem with forum access

erdos

Member

Thanks: 2
Messages: 79

#1
I'm having difficulties accessing this forum.

From IE on Windows and the Opera browser on FreeBSD, I can't access this forum. It gives various error messages such as SQL or SSL/TLS problems.

With Firefox, I can access the forum on some PCs, but not on others. I've played around with the security settings in IE and Opera but to no avail.

The problem started a couple of weeks ago; before that it was fine. Was something changed on this forum in the past couple of weeks?
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Thanks: 2,584
Messages: 11,210

#2
Your systems may not have modern cryptography protocols or cipher suites available. The forums currently only support the secure TLSv1.1 and TLSv1.2 protocols. If you're on TLSv1.0 or (shudder) SSLv3 or worse, upgrade to modern cryptography. You will find that an increasing number of SSL sites are in the process of upgrading to higher standards due to POODLE attacks and other vulnerabilities in SSLvX and TLSv1.0.
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Thanks: 2,584
Messages: 11,210

#3
SSLabs says about the Forums' SSL implementation (which is rated A+, by the way):

Code:
Configuration

Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 No
SSL 3 No
SSL 2 No

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)  ECDH 256 bits (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)  ECDH 256 bits (eq. 3072 bits RSA)   FS 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)  DH 4096 bits (p: 512, g: 1, Ys: 512)   FS 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)  DH 4096 bits (p: 512, g: 1, Ys: 512)   FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)  ECDH 256 bits (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)  ECDH 256 bits (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  ECDH 256 bits (eq. 3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  ECDH 256 bits (eq. 3072 bits RSA)   FS 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)  DH 4096 bits (p: 512, g: 1, Ys: 512)   FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)  DH 4096 bits (p: 512, g: 1, Ys: 512)   FS 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)  DH 4096 bits (p: 512, g: 1, Ys: 512)   FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)  DH 4096 bits (p: 512, g: 1, Ys: 512)   FS 256


Handshake simulation

Android 2.3.7 No SNI 2 Protocol or cipher suite mismatch Fail3
Android 4.0.4 Protocol or cipher suite mismatch Fail3
Android 4.1.1 Protocol or cipher suite mismatch Fail3
Android 4.2.2 Protocol or cipher suite mismatch Fail3
Android 4.3 Protocol or cipher suite mismatch Fail3
Android 4.4.2 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Android 5.0.0 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Baidu Jan 2015 Protocol or cipher suite mismatch Fail3
BingPreview Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Chrome 42 / OS X R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Firefox 31.3.0 ESR / Win 7 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Firefox 37 / OS X R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Googlebot Feb 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
IE 6 / XP No FS 1  No SNI 2 Protocol or cipher suite mismatch Fail3
IE 7 / Vista Protocol or cipher suite mismatch Fail3
IE 8 / XP No FS 1  No SNI 2 Protocol or cipher suite mismatch Fail3
IE 8-10 / Win 7 R Protocol or cipher suite mismatch Fail3
IE 11 / Win 7 R TLS 1.2 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   FS 128
IE 11 / Win 8.1 R TLS 1.2 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   FS 128
IE Mobile 10 / Win Phone 8.0 Protocol or cipher suite mismatch Fail3
IE Mobile 11 / Win Phone 8.1 TLS 1.2 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   FS 128
Java 6u45 No SNI 2 Protocol or cipher suite mismatch Fail3
Java 7u25 Protocol or cipher suite mismatch Fail3
Java 8u31 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
OpenSSL 0.9.8y Protocol or cipher suite mismatch Fail3
OpenSSL 1.0.1l R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
OpenSSL 1.0.2 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
Safari 5.1.9 / OS X 10.6.8 Protocol or cipher suite mismatch Fail3
Safari 6 / iOS 6.0.1 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
Safari 6.0.4 / OS X 10.8.4 R Protocol or cipher suite mismatch Fail3
Safari 7 / iOS 7.1 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
Safari 7 / OS X 10.9 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
Safari 8 / iOS 8.1.2 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
Safari 8 / OS X 10.10 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
Yahoo Slurp Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
YandexBot Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 128
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).
 

ralphbsz

Daemon

Thanks: 647
Messages: 1,101

#5
Having read the thread on the mailing list, the one question that wasn't answered at all is the following:

Given that the forum has freely available information, which is readable to all the world, what is the point of forcing read-only access (not posting, not logging in) to use https rather than http in the first place, and specific TLS versions (with better security)? This is like saying that you can only go to the reading room of the local library to study the front page of the New York Times after your driver's license has been checked, and your retina scan matches your license.

The important observation here is: The content of this forum is public and freely accessible. The act of reading it online does not perform any state change on it, it has very little security exposure, and does not need to be restricted to people with particularly good computer security. The only threat vector I can see is that a third party performs a MITM attack, acts as if they were the real FreeBSD forum, and serves forged (modified) content; this seems so far-fetched as to border on ludicrous.

Why are we making it harder for people to find information on FreeBSD, just because they're running obsolete browsers?
 

kpa

Beastie's Twin

Thanks: 1,680
Messages: 6,084

#7
One specific issue is passwords. Some people do use the same passwords on multiple sites even if that is strongly discouraged. Leaking passwords, plaintext or hashed, could lead to compromises on other sites that contain much more sensitive information than what is here.
 

erdos

Member

Thanks: 2
Messages: 79

#11
That is a good sign for you to change bank.
My point is the security of a public website such as this shouldn't be shouldered by its users.

I would have given up on this forum if I hadn't had access before and suddenly couldn't get it anymore. When new users can't access it when they first visit, they simply move on, since they have no way of knowing how to set up their browsers according to the info here.
 

gkontos

Daemon

Thanks: 454
Messages: 2,094

#12
My point is the security of a public website such as this shouldn't be shouldered by its users.

I would have given up on this forum if I hadn't had access before and suddenly couldn't get it anymore. When new users can't access it when they first visit, they simply move on, since they have no way of knowing how to set up their browsers according to the info here.
Have you ever considered the possibility of upgrading your software? Technology is always moving forward. Security is part of technology. So, instead of complaining because the administrators/maintainers of this website are following better security tactics, do yourself a favor and update your systems too.
 

erdos

Member

Thanks: 2
Messages: 79

#13
Have you ever considered the possibility of upgrading your software? Technology is always moving forward. Security is part of technology. So, instead of complaining because the administrators/maintainers of this website are following better security tactics, do yourself a favor and update your systems too.
This is not about using obsolete browsers, it's about some very specific browser settings. Please look back at the previous posts; maybe it's not an issue for you, but people who are not aware of it can't access this forum, and if they can't access the forum, they won't be able to find the correct settings. Simple as that.

FYI, on my work laptop, which has an encrypted hard drive and receives periodic mandatory security updates from company IT support, that's the PC on which I still couldn't access this forum using the latest IE and Firefox - even with the correct TLS/SSL settings.
 

protocelt

Daemon

Thanks: 404
Messages: 1,253

#14
FYI, on my work laptop, which has an encrypted hard drive and receives periodic mandatory security updates from company IT support, that's the PC on which I still couldn't access this forum using the latest IE and Firefox - even with the correct TLS/SSL settings.
No disrespect meant, but that seems more like a configuration or firewall policy problem on your end to me. FWIW, I use 3 different browsers (IE, Firefox, and Chromium) on FreeBSD, Windows, and Linux. I have had zero problems ever connecting to the Forums at multiple locations from multiple computers with no security configuration changes to any of the browsers whatsoever.
 

erdos

Member

Thanks: 2
Messages: 79

#15
No disrespect meant, but that seems more like a configuration or firewall policy problem on your end to me. FWIW, I use 3 different browsers (IE, Firefox, and Chromium) on FreeBSD, Windows, and Linux. I have had zero problems ever connecting to the Forums at multiple locations from multiple computers with no security configuration changes to any of the browsers whatsoever.

Thanks for chipping in!

I can ONLY access the forum on my home PCs after I made the browser security settings change exactly like this:

Configuration

Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 No
SSL 3 No
SSL 2 No

You might be right about my other work laptop which doesn't have access to this forum; it could be firewall settings. But with that same laptop, I could access the forum just fine before all these TLS/SSL changes.
 

protocelt

Daemon

Thanks: 404
Messages: 1,253

#16
Thanks for chipping in!

I can ONLY access the forum on my home PCs after I made the browser security settings change exactly like this:

Configuration

Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 No
SSL 3 No
SSL 2 No

You might be right about my other work laptop which doesn't have access to this forum; it could be firewall settings. But with that same laptop, I could access the forum just fine before all these TLS/SSL changes.
Not sure about Chrome/Chromium, but I'm pretty sure that is the default security configuration in both Firefox 37 (all platforms) and Internet Explorer 11. As for your laptop, IMO if it's covered by your IT department at work, I would ask them about it. There may be a good reason for the firewall being configured the way it is.

Also keep in mind Firefox 36 did treat TLS 1.0 as secure. That is no longer the case in Firefox 37. You didn't specify which versions of browsers you were using.
 

erdos

Member

Thanks: 2
Messages: 79

#17
Not sure about Chrome/Chromium, but I'm pretty sure that is the default security configuration in both Firefox 37 (all platforms) and Internet Explorer 11. As for your laptop, IMO if it's covered by your IT department at work, I would ask them about it. There may be a good reason for the firewall being configured the way it is.

Also keep in mind Firefox 36 did treat TLS 1.0 as secure. That is no longer the case in Firefox 37. You didn't specify which versions of browsers you were using.
I see.

That's why I couldn't find the TLS settings in Firefox on my work laptop, since it's built-in and preset. I have 37 installed.
As for the IE, I'm not sure what Version I have at work. But I can manually change the TLS/SSL from settings. I'll check that tomorrow.

Now I understand what the other guy said about using a not-up-to-date browser on this forum.

Still, this is the first and only website I encountered so far that has specific requirements about security settings.
 

protocelt

Daemon

Thanks: 404
Messages: 1,253

#18
Still, this is the first and only website I encountered so far that has specific requirements about security settings.
Should you not have made any changes, you surely would have eventually run into the same problem on other websites at some point. :)
 

gkontos

Daemon

Thanks: 454
Messages: 2,094

#19
FYI, on my work laptop, which has an encrypted hard drive and receives periodic mandatory security updates from company IT support, that's the PC on which I still couldn't access this forum using the latest IE and Firefox - even with the correct TLS/SSL settings.
I will be very honest with you. I used to work for a big multinational firm dealing with banking transaction clearance. I was in the network security department dealing only with firewalls. The IT support staff provided us with encrypted-HD laptops and software that was supposed to pull periodic security updates. The updates did not work as they were supposed to, and I was left with a laptop running Windows XP and a very old IE. I had created numerous tickets regarding this issue. Nobody did anything and eventually they gave me local administrator rights. I was really pissed because it was clear to me that all this bullshit was happening for one reason: it looked nice to the auditors.
All outgoing internet traffic was redirected through 2 Microsoft ISA servers before reaching the external fws. The external fws had a policy that permitted any outgoing http/https traffic from the ISA servers.
So, I installed an OpenVPN client on my laptop and established a tunnel over port 443 to my home through the ISA server. I also installed a local torrent server and uploaded 1 song. (The song was relevant to the situation.) I made sure that I recorded everything in detail and opened another ticket asking for a remote audit of my laptop. The reply that I got was that everything was ok and there was nothing suspicious.

I then sent a very detailed email to the EMEA Security Director, describing exactly what I had done and what should be done in the future in order to prevent this from happening again. They sincerely thanked me for bringing this to their attention and fired me 6 months later.
 

protocelt

Daemon

Thanks: 404
Messages: 1,253

#20
gkontos, I don't work in the IT department in my place of employment, but do help them out from time to time with some small stuff. I've seen this sort of thing happen on more than one occasion and for the life of me could never understand why. Even trying to look at it from a pure business perspective never made sense to me. Each time no reason was given for the dismissal and the only thing said was "person's dismissal was in no way related to said incident", though it was more than completely obvious it was. Sorry for off topic post. After reading the above, I just felt the need to add that. These kinds of blatant and unfair corporate politics touch a nerve. :)
 

gkontos

Daemon

Thanks: 454
Messages: 2,094

#21
protocelt, I think that I have drifted also a bit off topic :) The reason I mentioned the story is mainly to show that sometimes people don't really care about security. They just want to appear as being "secured" for marketing and policy issues only.
 

ralphbsz

Daemon

Thanks: 647
Messages: 1,101

#22
I would have given up on this forum if ...
I have given up on this forum, at least until the mindset of the administrators changes. I can use FreeBSD without this forum, and if that becomes too difficult, I can use a different OS.

... So, instead of complaining because the administrators/maintainers of this website are following better security tactics, ...
The "security tactics" described here are akin to installing a retina scanner at the door of the public library, and protecting the building with armed guards. I can understand that this is sometimes necessary, for example at a bank (where the physical security for the piles of money at the bank building should be commensurate with the digital security for remote access to your account). It is neither necessary nor appropriate for reading information that is being published for the world to read. If going to the library requires one to stare down the barrel of a gun, then the library has failed its purpose.

What is worse: It demonstrates that the people who administer the forum have not thought about threats, assets worthy of protection, and attack surfaces. That is worrisome.

By the way, as this post demonstrates, I'm capable of configuring my browser for reading this forum, and posting on it.
 

Michael Harding

New Member

Thanks: 2
Messages: 5

#23
FWIW, I am not able to connect to the forums from firefox-38.0.5,1, on 10.1-RELEASE-p10, amd64. I am able to connect from Chromium (which is how I am typing this comment). All software is up to date (all ports and system), and I ran pkg_libchk to make sure there were no missing libs. Connections to other SSL sites appear to work fine. When trying from Firefox, it spits out, every time:
Code:
Secure Connection Failed

The connection to forums.freebsd.org was interrupted while the page was loading.

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.
 

Michael Harding

New Member

Thanks: 2
Messages: 5

#24
So, I checked in 'about:config' and 'security.tls.version.max' was set to '1' rather than '3' for some reason. I reset it and now I can get into the forums. Strange...
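The negotiation behind the "Protocol or cipher suite mismatch" rows in DutchDaemon's SSL Labs listing (post #3), and behind the Firefox security.tls.version.max value in post #24, as an added Python example that is not code from this thread, from SSL Labs or from the forum software. It models the quoted server policy (TLS 1.1 and 1.2 only, the listed suites in server-preferred order) with the pre-TLS-1.3 rules a server actually applies: cap the client's highest version at the server's maximum, refuse it if that lands below the server's floor, then take the first suite in server order that the client also offered and that is valid at the chosen version. The client profiles are constructed assumptions: their cipher lists are not SSL Labs data, and the "Firefox, security.tls.version.max=1" profile models the pref value 1 meaning a TLS 1.0 maximum (3 is TLS 1.2).

```python
from dataclasses import dataclass

# Wire-format version numbers (major, minor) for the protocols in the SSL Labs listing.
TLS_VERSIONS = {"SSL 3": (3, 0), "TLS 1.0": (3, 1), "TLS 1.1": (3, 2), "TLS 1.2": (3, 3)}
VERSION_NAMES = {num: name for name, num in TLS_VERSIONS.items()}

# Server-preferred cipher list, ids and names exactly as quoted from SSL Labs in post #3.
SERVER_CIPHERS = [
    (0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    (0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
    (0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"),
    (0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"),
    (0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"),
    (0xC013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
    (0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"),
    (0xC014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"),
    (0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"),
    (0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"),
    (0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"),
    (0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"),
]
CIPHER_NAMES = dict(SERVER_CIPHERS)


def requires_tls12(cipher_id):
    """GCM and SHA-256/SHA-384 suites are defined for TLS 1.2 only (RFC 5246/5288/5289)."""
    name = CIPHER_NAMES[cipher_id]
    return name.endswith("SHA256") or name.endswith("SHA384")


@dataclass
class ServerPolicy:
    min_version: tuple
    max_version: tuple
    ciphers: list  # suite ids in server preference order


@dataclass
class ClientHello:
    version: tuple       # highest version the client supports (TLS <= 1.2 semantics)
    cipher_suites: list  # suite ids offered, in client preference order


# The forum's policy as quoted in post #3: TLS 1.1 and 1.2 only, listed suites in order.
FORUM_POLICY = ServerPolicy(TLS_VERSIONS["TLS 1.1"], TLS_VERSIONS["TLS 1.2"],
                            [cid for cid, _ in SERVER_CIPHERS])


def negotiate(server, hello):
    """Server-side negotiation for TLS 1.0-1.2.
    Returns ("ok", version, cipher_id) or ("fail", alert_description)."""
    # 1. Version: take the client's offer capped at the server maximum; if that is below
    #    the server floor the handshake ends with a protocol_version alert before any
    #    cipher suite is even considered. Browsers show this as a generic TLS failure.
    chosen = min(hello.version, server.max_version)
    if chosen < server.min_version:
        return ("fail", "protocol_version: client max %s, server min %s"
                % (VERSION_NAMES.get(hello.version, str(hello.version)),
                   VERSION_NAMES[server.min_version]))
    # 2. Cipher: walk the server's preference order and take the first suite the client
    #    also offered that is usable at the chosen version.
    offered = set(hello.cipher_suites)
    for cid in server.ciphers:
        if cid in offered and (chosen >= TLS_VERSIONS["TLS 1.2"] or not requires_tls12(cid)):
            return ("ok", chosen, cid)
    return ("fail", "handshake_failure: no cipher suite in common at %s" % VERSION_NAMES[chosen])


# Constructed client profiles (assumptions for illustration, not SSL Labs measurements).
CLIENTS = {
    "Firefox 37": ClientHello((3, 3), [0xC02F, 0xC030, 0xC013, 0xC014]),
    "IE 11 / Win 7": ClientHello((3, 3), [0x009E, 0xC027, 0x0033]),
    "IE 8-10 / Win 7 (defaults)": ClientHello((3, 1), [0xC013, 0x0033]),
    "Firefox, security.tls.version.max=1": ClientHello((3, 1), [0xC02F, 0xC013]),
    "TLS 1.1-only client, legacy suites": ClientHello((3, 2), [0xC013, 0x0039]),
    "TLS 1.1-only client, SHA-256 suites only": ClientHello((3, 2), [0xC02F, 0xC027]),
}


def simulate(server=FORUM_POLICY, clients=CLIENTS):
    """Run every client profile against the policy, formatted like the SSL Labs table."""
    report = {}
    for name, hello in clients.items():
        result = negotiate(server, hello)
        if result[0] == "ok":
            _, version, cid = result
            report[name] = "%s %s (0x%x)" % (VERSION_NAMES[version], CIPHER_NAMES[cid], cid)
        else:
            report[name] = "Protocol or cipher suite mismatch (%s)" % result[1]
    return report


if __name__ == "__main__":
    for name, line in simulate().items():
        print("%-42s %s" % (name, line))
```

The output reads like the handshake simulation above: the TLS 1.2 clients land on the first suite in server order that they also offer (0xc02f for the Firefox profile, 0x9e for the IE 11 profile that does not offer the ECDHE GCM suites), the two TLS 1.0-capped profiles are refused at the version step, and the TLS 1.1 client only succeeds when it offers a suite that predates TLS 1.2. Post #24's fix (raising security.tls.version.max from 1 to 3) is exactly moving a profile from the refused group into the TLS 1.2 group.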
 

fossette

Active Member

Thanks: 30
Messages: 119

#25
Personally, not one forum page would load when I was temporarily forced to use an old web browser. I thought that the forum server was down or being criminally hacked... A redirected webpage would have been very useful to let me know about the problem (and fix it sooner). But no big deal now as I'm back on my beloved FreeBSD system.

Dominique.
 