On Fri, February 10, 2017 06:26, Patrick Begou wrote:
> Hello
>
> I have more and more trouble using Firefox in a professional
> environment with CentOS6. The latest version is 45.7.0, but I can't
> use it anymore to access some old server hardware (IDRAC7 of DELL
> C6100) because of "SSL_ERROR_WEAK_SERVER_CERT_KEY". I had to install
> an old Firefox32 version to administrate these servers.
>
> Today I upgraded the firmware of 2 DELL switches and now Firefox
> cannot connect to them anymore, saying: "An error occurred during a
> connection to xxx.xxx.xxx.xxx. The server rejected the handshake
> because the client downgraded to a lower TLS version than the server
> supports. SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT"
>
> Is there a CentOS6 recommended web browser allowing continuous
> connections to old and new base level (and local) system
> administration services?

This situation arises because older, dare I say old, equipment released
with embedded software and using http/https as the administrative front
end was shipped with minimally compliant X.509 certificates. Often
self-signed with 1kb keys and MD5 signature hashes. Not to mention many
are past their expiry dates.

However, given the revelations of state-sanctioned snooping on network
traffic, browsers are being pushed to implement increased compliance
checking for the overall security of users. Firefox is simply
implementing what various 'authorities' are recommending as secure
practices with respect to authentication using PKI and X.509
certificates.

The present situation is a PIA. It could be a lot more user-friendly if
FF so chose. They could have easily allowed one to turn off these
advanced compliance checks for specific IP and DNS addresses so that the
intended benefit remained but the interference with existing
infrastructure was minimised.

But, FF is on its own chosen path to oblivion and the idea of compromise
is totally absent from their project plan.
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
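Both the first error Patrick quotes and James's description of the device certificates (short RSA keys, MD5 signatures, expired validity) can be checked directly against the certificate a device presents. What follows is an added example, not code from the thread, from Firefox/NSS or from Dell: a stdlib-only Python linter that walks the DER structure of an X.509 certificate and reports an RSA modulus below 1024 bits, an MD5 or SHA-1 signature hash, and an expired notAfter. The 1024-bit floor is my assumption of the threshold mozilla::pkix applied at the time, not a figure from the thread. Because the script has to run offline, the make_device_cert helper constructs a certificate-shaped sample (random modulus, all-zero signature, empty names); it is a constructed input, not a real device's certificate.

```python
"""Lint a DER X.509 certificate for what gets an embedded device's management
page refused by a modern browser: RSA key size, signature hash, expiry."""
import datetime
import os

RSA_OID = "1.2.840.113549.1.1.1"
SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
MIN_RSA_BITS = 1024   # assumption: the floor mozilla::pkix enforced in 2017

def _tlv(der, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next position)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for every element inside a SEQUENCE body."""
    pos = 0
    while pos < len(value):
        tag, body, pos = _tlv(value, pos)
        yield tag, body

def _oid(body):
    """Decode an OBJECT IDENTIFIER body to dotted form."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _time(tag, body):
    """UTCTime (0x17, two-digit year per RFC 5280) or GeneralizedTime (0x18)."""
    s = body.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.datetime.strptime(s[:14], "%Y%m%d%H%M%S")

def lint_der_cert(der, now=None):
    """Return the reasons a browser would refuse this certificate ([] if none)."""
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    tbs_body, sig_alg = [v for _, v in _children(cert)][:2]
    tbs = list(_children(tbs_body))
    if tbs[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        tbs = tbs[1:]
    # tbs is now: serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_after = _time(*list(_children(tbs[3][1]))[1])
    spki_alg, spki_key = [v for _, v in _children(tbs[5][1])][:2]
    findings = []
    sig_oid = _oid(next(v for t, v in _children(sig_alg) if t == 0x06))
    sig_name = SIG_OIDS.get(sig_oid, sig_oid)
    if sig_name.startswith(("md5", "sha1")):
        findings.append("weak signature hash: " + sig_name)
    if _oid(next(v for t, v in _children(spki_alg) if t == 0x06)) == RSA_OID:
        _, rsa_key, _ = _tlv(spki_key[1:], 0)   # skip BIT STRING unused-bits octet
        modulus = next(v for t, v in _children(rsa_key) if t == 0x02)
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < MIN_RSA_BITS:
            findings.append("RSA modulus only %d bits (below %d)" % (bits, MIN_RSA_BITS))
    if not_after < now:
        findings.append("expired on " + not_after.strftime("%Y-%m-%d"))
    return findings

# --- constructed sample input: a certificate-shaped blob like a weak device ships ---
def _enc(tag, body):
    """Minimal DER encoder (short and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return _enc(0x06, bytes(out))

def _enc_int(n):
    return _enc(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))  # extra byte keeps it positive

def _alg(oid):
    return _enc(0x30, _enc_oid(oid) + b"\x05\x00")                    # AlgorithmIdentifier + NULL

def make_device_cert(modulus_bits=512, sig_oid="1.2.840.113549.1.1.4", not_after=b"150101000000Z"):
    """Constructed sample (not real): random modulus, zero signature, empty names."""
    modulus = (1 << (modulus_bits - 1)) | int.from_bytes(os.urandom(modulus_bits // 8), "big") | 1
    rsa_key = _enc(0x30, _enc_int(modulus) + _enc_int(65537))          # RSAPublicKey {n, e}
    spki = _enc(0x30, _alg(RSA_OID) + _enc(0x03, b"\x00" + rsa_key))
    name = _enc(0x30, b"")
    validity = _enc(0x30, _enc(0x17, b"100101000000Z") + _enc(0x17, not_after))
    tbs = _enc(0x30, _enc(0xA0, _enc_int(2)) + _enc_int(1) + _alg(sig_oid) + name + validity + name + spki)
    return _enc(0x30, tbs + _alg(sig_oid) + _enc(0x03, b"\x00" * (modulus_bits // 8 + 1)))

if __name__ == "__main__":
    print(lint_der_cert(make_device_cert()))   # 512-bit key, MD5 signature, expired 2015
    print(lint_der_cert(make_device_cert(2048, "1.2.840.113549.1.1.11", b"491231235959Z")))
```

To lint a real device, capture its certificate with `openssl s_client -connect <host>:443 </dev/null | openssl x509 -outform DER > dev.der` and pass `open("dev.der", "rb").read()` to lint_der_cert; the parser only touches the fields it reports on, so the rest of the certificate (extensions, names, signature value) is irrelevant to it.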
On 02/10/2017 12:34 PM, James B. Byrne wrote:
>
> On Fri, February 10, 2017 06:26, Patrick Begou wrote:
>> Hello
>>
>> I have more and more trouble using Firefox in a professional
>> environment with CentOS6. The latest version is 45.7.0, but I can't
>> use it anymore to access some old server hardware (IDRAC7 of DELL
>> C6100) because of "SSL_ERROR_WEAK_SERVER_CERT_KEY". I had to install
>> an old Firefox32 version to administrate these servers.
>>
>> Today I upgraded the firmware of 2 DELL switches and now Firefox
>> cannot connect to them anymore, saying: "An error occurred during a
>> connection to xxx.xxx.xxx.xxx. The server rejected the handshake
>> because the client downgraded to a lower TLS version than the server
>> supports. SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT"
>>
>> Is there a CentOS6 recommended web browser allowing continuous
>> connections to old and new base level (and local) system
>> administration services?
>>
>
> This situation arises because older, dare I say old, equipment
> released with embedded software and using http/https as the
> administrative front end was shipped with minimally compliant X.509
> certificates. Often self-signed with 1kb keys and MD5 signature
> hashes. Not to mention many are past their expiry dates.
>
> However, given the revelations of state-sanctioned snooping on network
> traffic, browsers are being pushed to implement increased compliance
> checking for the overall security of users. Firefox is simply
> implementing what various 'authorities' are recommending as secure
> practices with respect to authentication using PKI and X.509
> certificates.
>
> The present situation is a PIA. It could be a lot more user-friendly
> if FF so chose. They could have easily allowed one to turn off these
> advanced compliance checks for specific IP and DNS addresses so that
> the intended benefit remained but the interference with existing
> infrastructure was minimised.
>
> But, FF is on its own chosen path to oblivion and the idea of
> compromise is totally absent from their project plan.
>

IMHO FireFox is doing the right thing. Compromises in policy are how
system compromises often happen.

If you can change the setting to be more forgiving of certain bad
vendors, then so can malware.

What we really need to do is demand better from the manufacturers of
products we use in a "professional environment" - and it is extremely
important we demand better from them now, during the dawn of IoT.
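The strict behaviour Alice defends is, for the second error in Patrick's report, the server side of RFC 7507 (TLS_FALLBACK_SCSV): a client that retries a failed handshake at a lower protocol version adds the cipher-suite value 0x5600 to its ClientHello, and a server whose highest supported version is above the retried one answers with the fatal alert inappropriate_fallback (code 86), which Firefox surfaces as SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT. The alert therefore only appears on a retry: the first, higher-version attempt did not complete, and the thread does not show why. The following is an added example, not code from the thread, from Firefox/NSS or from the switch firmware, that models both sides of that exchange on constructed ClientHello bytes. The cipher suites, the three-version retry order and the first_attempt_fails flag are assumptions made for the illustration.

```python
"""RFC 7507 TLS_FALLBACK_SCSV: client retry and server check, on constructed ClientHello bytes."""
import os
import struct

TLS_FALLBACK_SCSV = 0x5600
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
ALERT_INAPPROPRIATE_FALLBACK = 86          # fatal alert defined in RFC 7507 section 3

def build_client_hello(version, suites, fallback=False):
    """Encode a minimal ClientHello record; a fallback retry appends the SCSV (RFC 7507 s.4)."""
    if fallback:
        suites = suites + [TLS_FALLBACK_SCSV]
    body = struct.pack(">H", version) + os.urandom(32) + b"\x00"     # client_version, random, no session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16" + struct.pack(">H", TLS10) + struct.pack(">H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a ClientHello record."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    body = record[9:]
    version = struct.unpack(">H", body[:2])[0]
    pos = 34 + 1 + body[34]                                           # version + random + session id
    n = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
    return version, suites

def server_respond(record, server_max_version):
    """RFC 7507 section 3: SCSV present and client_version below our best -> fatal alert."""
    version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and version < server_max_version:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("server_hello", min(version, server_max_version))

def browser_connect(server_max_version, first_attempt_fails=False, retry_order=(TLS12, TLS11, TLS10)):
    """Model the client: offer the highest version first; after a failed handshake retry lower with the SCSV.
    The client cannot tell a dropped connection from version intolerance, which is why the SCSV exists."""
    transcript = []
    for attempt, version in enumerate(retry_order):
        hello = build_client_hello(version, [0x002F, 0x0035], fallback=attempt > 0)   # assumed suites
        if attempt == 0 and first_attempt_fails:
            transcript.append((version, "connection dropped", None))
            continue
        kind, value = server_respond(hello, server_max_version)
        transcript.append((version, kind, value))
        if kind == "server_hello":
            return "connected", transcript
        return "SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT", transcript  # client stops on the fatal alert
    return "failed", transcript

if __name__ == "__main__":
    print(browser_connect(TLS12))                             # clean handshake at TLS 1.2
    print(browser_connect(TLS12, first_attempt_fails=True))   # retry with SCSV -> alert 86
    print(browser_connect(TLS10, first_attempt_fails=True))   # old server: SCSV is harmless, connects
```

The three runs show the asymmetry the thread is living with: against a server that only speaks TLS 1.0 the SCSV changes nothing, while a server that was upgraded to honour RFC 7507 refuses any retry below its best version, so the fix is to find out why the first attempt failed rather than to keep falling back. In Firefox the lower bound of the retry loop modelled here is the security.tls.version.fallback-limit preference.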
On 2/10/2017 12:44 PM, Alice Wonder wrote:
> IMHO FireFox is doing the right thing. Compromises in policy are how
> system compromises often happen.
>
> If you can change the setting to be more forgiving of certain bad
> vendors, then so can malware.
>
> What we really need to do is demand better from the manufacturers of
> products we use in a "professional environment" - and it is extremely
> important we demand better from them now, during the dawn of IoT.

You get 'better' from vendors by maintaining paid support contracts,
doing frequent firmware updates, and regular hardware updates. The
hardware in question here is likely over 5 years old (I know this too
well; I have a rack full of 3-6 year old hardware in my lab at work, all
of which is off support due to it being test/dev, and corporate
budgetary constraints).

Chrome is even worse as far as making it impossible to connect to older
embedded services like the various IPMI remote consoles, etc.

--
john r pierce, recycling bits in santa cruz
Alice Wonder wrote:
> On 02/10/2017 12:34 PM, James B. Byrne wrote:
>>
>> On Fri, February 10, 2017 06:26, Patrick Begou wrote:
>>> Hello
>>>
>>> I have more and more trouble using Firefox in a professional
>>> environment with CentOS6. The latest version is 45.7.0, but I can't
>>> use it anymore to access some old server hardware (IDRAC7 of DELL
>>> C6100) because of "SSL_ERROR_WEAK_SERVER_CERT_KEY". I had to install
>>> an old Firefox32 version to administrate these servers.
>>>
>>> Today I upgraded the firmware of 2 DELL switches and now Firefox
>>> cannot connect to them anymore, saying: "An error occurred during a
>>> connection to xxx.xxx.xxx.xxx. The server rejected the handshake
>>> because the client downgraded to a lower TLS version than the server
>>> supports. SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT"
>>>
>>> Is there a CentOS6 recommended web browser allowing continuous
>>> connections to old and new base level (and local) system
>>> administration services?
>>>
>>
>> This situation arises because older, dare I say old, equipment
>> released with embedded software and using http/https as the
>> administrative front end was shipped with minimally compliant X.509
>> certificates. Often self-signed with 1kb keys and MD5 signature
>> hashes. Not to mention many are past their expiry dates.
>>
>> However, given the revelations of state-sanctioned snooping on
>> network traffic, browsers are being pushed to implement increased
>> compliance checking for the overall security of users. Firefox is
>> simply implementing what various 'authorities' are recommending as
>> secure practices with respect to authentication using PKI and X.509
>> certificates.
>>
>> The present situation is a PIA. It could be a lot more user-friendly
>> if FF so chose. They could have easily allowed one to turn off these
>> advanced compliance checks for specific IP and DNS addresses so that
>> the intended benefit remained but the interference with existing
>> infrastructure was minimised.
>>
>> But, FF is on its own chosen path to oblivion and the idea of
>> compromise is totally absent from their project plan.
>>
>
> IMHO FireFox is doing the right thing. Compromises in policy are how
> system compromises often happen.
>
> If you can change the setting to be more forgiving of certain bad
> vendors, then so can malware.

In this situation the working solution is the worst one: disabling
https and re-enabling http on these devices.

> What we really need to do is demand better from the manufacturers of
> products we use in a "professional environment" - and it is extremely
> important we demand better from them now, during the dawn of IoT.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos