Date: Wed, 29 Jul 2015 18:38:14 +1000 (EST)
From: Ian Smith
To: Arthur Chance
cc: "Michael B. Eichorn", Polytropon, freebsd-questions@freebsd.org
Subject: Re: FreeBSD Forum access problem (was Re: Endless Data Loss)
In-Reply-To: <55B79501.2020405@qeng-ho.org>
Message-ID: <20150729181049.C17327@sola.nimnet.asn.au>
References: <20150726233449.M17327@sola.nimnet.asn.au>
 <20150726180913.bfa82863.freebsd@edvax.de>
 <20150728230108.T17327@sola.nimnet.asn.au>
 <55B79501.2020405@qeng-ho.org>

On Tue, 28 Jul 2015 15:43:13 +0100, Arthur Chance wrote:
> On 28/07/2015 14:30, Ian Smith wrote:
> > On Sun, 26 Jul 2015 18:09:13 +0200, Polytropon wrote:
> > > On Sun, 26 Jul 2015 23:58:25 +1000 (EST), Ian Smith wrote:
> > >
> > > > That's not the problem. The problem with the forums site is that it no
> > > > longer allows connections using SSLv3 or TLS 1.0 .. it requires at least
> > > > TLS 1.1 now, and might later accept only TLS 1.2, even just for reading.
> > >
> > > Thank you for clarification! I've set the security options
> > > to only (!) allow TLS 1.1 and 1.2, _no_ SSL v3 or TLS 1.0,
> > > and now I can connect to the forum again. I'll check now if
> > > the other few websites I visit will be "impacted" by that
> > > configuration change.
> >
> > I don't think you needed to disable older protocols - unless you want to
> > not permit yourself to connect to older sites that only present those
> > protocols - in order for the highest/latest options to be selected where
> > they are enabled and perhaps demanded as in the case of the forums.
> >
> > But you should test that assumption, which is all it is.
> >
> > I've since found that even my not-SO-ancient firefox from 9.1 to
> > 9.2-stable times would not connect to forums.freebsd.org either.
> >
> > % pkg info firefox
> > firefox-23.0,1
> > Name         : firefox
> > Version      : 23.0,1
> > Installed on : Sun Jul 20 02:37:45 EST 2014
> > Origin       : www/firefox
> > Architecture : freebsd:9:x86:64
> >
> > Had to go hunting in the bowels of about:config to find what SSL
> > protocols were set, and it just showed '1' (as an integer), so after
> > some more hunting, on a hunch I tried '2' there. That worked! but I
> > have not the slightest idea why it does, or what '2' signifies :)
>
> I'm on FF 39 so this may not apply to you, but with that caveat my
> about:config shows
>
> security.tls.version.min = 1
> security.tls.version.max = 3
>
> and an add-on (Configuration Mania) which gives nicer access to many config
> settings interprets that as TLS 1.0 as minimum, TLS 1.2 as maximum. I have no
> problem getting to the forums.

Thanks for the info, Arthur, and for elaboration by Michael.

FF 23 does have both of those, originally set .min=0 (allowing RC4, I guess?)
and .max=1 (TLS 1.0). I then changed only .max=2, TLS 1.1 apparently,
sufficient for access to forums.freebsd.org - at present, anyway.

So now I have .min=1 and .max=3 like yours, which works the same on the
forums. If I find any sites where .min=1 is a problem I'll report back.

FWIW, I'd beaten around the FF help site earlier re this, with no joy.

cheers, Ian
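
Added example, not part of the original thread: a small Python model of how a client's security.tls.version.min/.max range meets a server's accepted range, showing why .max=1 fails against a site that requires TLS 1.1 and why leaving .min low does not stop the highest common version being chosen. The server ranges, the sample pref lines and the fallback default (the FF 39 values quoted above) are assumptions constructed for illustration; the values 0 and 4 in the table come from Firefox's own preference encoding, not from the thread.

```python
import re

# Firefox integer encoding for security.tls.version.min / .max.
# 1..3 are as read in the thread; 0 and 4 are Firefox's other values.
VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"security\.tls\.version\.(min|max)"'
    r'\s*,\s*(\d+)\s*\)\s*;', re.MULTILINE)

def parse_tls_range(prefs_text, default=(1, 3)):
    """Return (min, max) from prefs.js/user.js text; a later line overrides
    an earlier one. 'default' is an assumption (the FF 39 values quoted in
    the thread), used when a pref is not set in the file."""
    found = {"min": default[0], "max": default[1]}
    for key, value in PREF_RE.findall(prefs_text):
        found[key] = int(value)
    return found["min"], found["max"]

def negotiate(client, server):
    """Highest version inside both contiguous [min, max] ranges, else None."""
    low = max(client[0], server[0])
    high = min(client[1], server[1])
    return high if low <= high else None

def report(prefs_text, server):
    """Name of the version the two sides would agree on, or a failure note."""
    agreed = negotiate(parse_tls_range(prefs_text), server)
    return VERSIONS[agreed] if agreed is not None else "handshake fails"

# Constructed sample inputs (not captured from any real profile or server).
FORUM_LIKE = (2, 3)    # a site requiring at least TLS 1.1
LEGACY_SITE = (0, 1)   # a site offering nothing newer than TLS 1.0
FF23_ORIGINAL = ('user_pref("security.tls.version.min", 0);\n'
                 'user_pref("security.tls.version.max", 1);\n')
FF23_MAX_RAISED = FF23_ORIGINAL + 'user_pref("security.tls.version.max", 2);\n'
MIN1_MAX3 = ('user_pref("security.tls.version.min", 1);\n'
             'user_pref("security.tls.version.max", 3);\n')
TLS11_AND_12_ONLY = 'user_pref("security.tls.version.min", 2);\n'

if __name__ == "__main__":
    for name, prefs in [("FF23 original", FF23_ORIGINAL),
                        ("FF23 .max=2", FF23_MAX_RAISED),
                        (".min=1 .max=3", MIN1_MAX3),
                        ("1.1/1.2 only", TLS11_AND_12_ONLY)]:
        print(f"{name:14} forum: {report(prefs, FORUM_LIKE):16}"
              f" legacy: {report(prefs, LEGACY_SITE)}")
```

Raising .min only changes the outcome against the legacy-only site, which is the trade-off discussed in the quoted exchange.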