[182463] in North American Network Operators' Group


RE: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers

daemon@ATHENA.MIT.EDU (Matthew Huff)
Fri Jul 17 09:42:46 2015

X-Original-To: nanog@nanog.org
From: Matthew Huff <mhuff@ox.com>
To: Robert Drake <rdrake@direcpath.com>, "nanog@nanog.org" <nanog@nanog.org>
Date: Fri, 17 Jul 2015 13:42:37 +0000
In-Reply-To: <55A8F80E.60900@direcpath.com>
Errors-To: nanog-bounces@nanog.org

After making the about:config changes, no warning is given to the user about
the bad ciphers. Even if you click the SSL lock icon, no warning is given.
Only if you know that the connection being made with
"TLS_RSA_WITH_AES_128_CBC_SHA, 128 bit keys, TLS 1.0" is a bad thing would
you have any clue.
----
Matthew Huff             | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039
aim: matthewbhuff        | Fax:   914-694-5669

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Robert Drake
Sent: Friday, July 17, 2015 8:42 AM
To: nanog@nanog.org
Subject: Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers



On 7/17/2015 4:26 AM, Alexander Maassen wrote:
> Well, this block also affects people who have old management hardware
> around using such ciphers that are for example no longer supported. In my
> case for example the old Dell DRAC's. And it seems there is no way to
> disable this block.
>
> Ok, it is good to think about security, but not giving you any chance to
> make exceptions is simply forcing users to use another browser in order to
> manage those devices, or to keep an old machine around that does not get
> updated.
>
Or just fall back to no SSL in some cases :(  We have some old vendor
things that were chugging along until everyone upgraded Firefox and then
suddenly they stopped working.  The "fix" was to use the alternate
non-SSL web port rather than upgrade because even though the software is
old, it's too critical to upgrade it in-line.

The long term fix is to get new hardware and run it all in virtual
machines with new software on top, but that may be in next year's
budget.  I've also got a jetty server (opennms) that broke due to this,
so I upgraded and fixed the SSL options and it's still broken in some
way that won't log errors.  I have no time to track that down so the
workaround is to use the unencrypted version until I can figure it out.

Having said that, it seems that there is a workaround in Firefox if
people need it.  about:config and re-enabling the weak ciphers.
Hopefully turning them on leaves you with an even bigger warning than
normal saying it's a bad cert, but you could get back in.  This doesn't
help my coworkers.  I'm not going to advise a bunch of people with
varying levels of technical competency to turn on weak ciphers, but it
does help with a situation like yours where you absolutely can't update
old DRAC stuff.

https://support.mozilla.org/en-US/questions/1042061
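The point Matthew makes above is that once the about:config workaround is in place, the lock icon reports "TLS_RSA_WITH_AES_128_CBC_SHA, 128 bit keys, TLS 1.0" and leaves it to the user to know that static-RSA key exchange, CBC mode and TLS 1.0 are all things to worry about. The script below is an added example, not code from anyone in this thread: it takes the same triple the lock icon (or Python's ssl.SSLSocket.cipher()) reports and spells out the findings, and it can probe a live server the way a browser would. It accepts both the IANA suite names Firefox shows and the OpenSSL-style names ssl.cipher() returns. The 1024-bit DH floor, the TLS 1.2 minimum and the finding codes are this example's own policy assumptions.

```python
"""Judge a negotiated TLS session from what the Firefox lock icon reports.

Added example for this thread, not code from the NANOG posters.  The
(cipher_name, protocol, secret_bits) triple is the shape returned by Python's
ssl.SSLSocket.cipher(); the IANA names (TLS_RSA_WITH_...) are what Firefox
shows.  The thresholds and finding codes below are this example's assumptions.
"""
import socket
import ssl

MIN_DH_BITS = 1024       # the floor Firefox 39 enforced against Logjam; 2048 is the sane floor today
MIN_PROTOCOL = "TLSv1.2"
_PROTO_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def key_exchange(cipher_name: str) -> str:
    """Return ECDHE / DHE / STATIC_DH / RSA / ANON / TLS13 for an IANA or OpenSSL suite name."""
    n = cipher_name.upper()
    if n.startswith("TLS_") and "_WITH_" not in n:
        return "TLS13"                       # TLS 1.3 suites name only the AEAD; kx is always ephemeral
    kx = n[4:].split("_WITH_")[0] if n.startswith("TLS_") else n.split("-")[0]
    if "ANON" in kx or kx.startswith(("ADH", "AECDH")):
        return "ANON"
    if kx.startswith(("ECDHE", "EECDH")):
        return "ECDHE"
    if kx.startswith(("DHE", "EDH")):
        return "DHE"
    if kx.startswith(("ECDH", "DH")):
        return "STATIC_DH"
    return "RSA"   # IANA "RSA", and OpenSSL names with no kx token (AES128-SHA), both mean static RSA


def assess(cipher_name, protocol, secret_bits, dh_bits=None):
    """Return a list of (code, explanation) findings; an empty list means nothing to complain about."""
    findings = []
    if _PROTO_RANK.get(protocol, 0) < _PROTO_RANK[MIN_PROTOCOL]:
        findings.append(("OLD_PROTOCOL", f"{protocol} negotiated; policy floor is {MIN_PROTOCOL}"))
    kx = key_exchange(cipher_name)
    if kx == "ANON":
        findings.append(("ANON_KX", "anonymous key exchange: the server is not authenticated at all"))
    elif kx in ("RSA", "STATIC_DH"):
        findings.append(("NO_PFS", "static key exchange: a leaked server key decrypts recorded traffic"))
    elif kx == "DHE":
        if dh_bits is None:
            findings.append(("DH_UNKNOWN", "DHE in use but group size not reported; check ServerKeyExchange"))
        elif dh_bits < MIN_DH_BITS:
            findings.append(("WEAK_DH", f"{dh_bits}-bit DH group is below {MIN_DH_BITS}"))
    n = cipher_name.upper()
    if any(t in n for t in ("NULL", "EXPORT", "RC4", "DES")):
        findings.append(("BROKEN_CIPHER", "NULL/EXPORT/RC4/DES/3DES cipher"))
    elif kx != "TLS13" and not any(t in n for t in ("GCM", "CCM", "CHACHA")):
        findings.append(("CBC", "CBC mode with MAC-then-encrypt; prefer an AEAD suite"))
    if secret_bits < 128:
        findings.append(("SHORT_KEY", f"{secret_bits}-bit cipher key"))
    return findings


def probe(host, port=443, timeout=5.0):
    """Connect as a client and assess whatever the server picks.

    ssl.cipher() does not expose the DH group size, so dh_bits stays None and a
    DHE server yields DH_UNKNOWN rather than a verdict.  The default context
    refuses SSLv3 and most weak suites on its own, so a handshake failure here
    is a finding in itself, much like Firefox's block.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # let old gear negotiate so we can see what it picks
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, proto, bits = tls.cipher()
            return (name, proto, bits), assess(name, proto, bits)


if __name__ == "__main__":
    # Constructed input: the triple reported from the lock icon in the post above
    for code, why in assess("TLS_RSA_WITH_AES_128_CBC_SHA", "TLSv1", 128):
        print(f"{code:14} {why}")
```

Run as-is it prints OLD_PROTOCOL, NO_PFS and CBC for the session described in the thread; call probe("host") to see what an old DRAC or Jetty instance actually negotiates against a client that still allows TLS 1.0. Note that a DHE suite reported by ssl.cipher() cannot be judged for Logjam from the client side this way, which is exactly the gap the lock icon has too.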
