On 2017/02/16 10:18, Danchev, Lambri wrote:
> Dear OpenBSD Team,
>
> Recently I read an article describing security and reliability of OpenBSD.
> I had made an attempt to visit your web site https://www.openbsd.org/, but
> couldn't open even the front page as per next error:
>
> ssl_error_protocol_version_alert
>
> Which tells me that something in your security certificates is not OK.
> Please, find next screenshots from Firefox and Internet Explorer browsers.
> Both browsers reported one and the same issue - your website could not be
> opened using secure "https" protocol.

I suspect you may have a corporate proxy or "security" device that is doing a man-in-the-middle of your SSL connections, and is unable to cope with modern security (https://www.openbsd.org *only* offers TLSv1.2, no earlier version).

Please check some other website and verify the certificate issuer (e.g. the certificate for https://www.letsencrypt.org/ should be issued by IdenTrust's TrustID Server CA A52). If this is showing some other signing CA then this is almost certainly the cause.

A recent review of security of this type of device shows many that only support TLSv1.0. The original paper https://jhalderm.com/pub/papers/interception-ndss17.pdf is currently offline (404) but Google has a cached copy.

https://webcache.googleusercontent.com/search?q=cache:Igg-o2pcwyYJ:https://jhalderm.com/pub/papers/interception-ndss17.pdf+&cd=3&hl=en&ct=clnk&gl=uk&client=firefox-b
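
The issuer check suggested in the reply can be scripted. The following is an added example, not part of the original message: it connects with TLSv1.2 as the minimum version, then reports the negotiated version and whether the leaf certificate's issuer matches the CA you expect. The sample certificates are constructed, and the "Example Corp Inspection CA" name is hypothetical.

```python
import socket
import ssl
import sys

# Constructed samples in the shape SSLSocket.getpeercert() returns.
DIRECT = {"issuer": ((("organizationName", "IdenTrust"),),
                     (("commonName", "TrustID Server CA A52"),))}
# Hypothetical inspection CA, as an intercepting device would present it.
PROXIED = {"issuer": ((("organizationName", "Example Corp"),),
                      (("commonName", "Example Corp Inspection CA"),))}


def issuer_attrs(cert):
    """Flatten the 'issuer' field of a getpeercert() dict into one dict."""
    return {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}


def check_issuer(cert, expected_cn):
    """Return (ok, seen_cn); ok is False when another CA signed the leaf."""
    seen = issuer_attrs(cert).get("commonName", "")
    return seen == expected_cn, seen


def probe(host, expected_cn, port=443, timeout=10):
    """Connect to host and describe what the network path presents to us."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # same floor as openbsd.org
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                ok, seen = check_issuer(tls.getpeercert(), expected_cn)
                verdict = "expected issuer" if ok else "UNEXPECTED issuer"
                return f"{host}: {tls.version()}, {verdict}: {seen!r}"
    except ssl.SSLCertVerificationError as exc:
        # The chain does not validate against the local trust store.
        return f"{host}: chain not trusted locally ({exc.verify_message})"
    except ssl.SSLError as exc:
        # Includes protocol-version alerts from TLSv1.0-only devices.
        return f"{host}: handshake failed ({exc.reason})"
    except OSError as exc:
        return f"{host}: connection failed ({exc})"


if __name__ == "__main__":
    expected = "TrustID Server CA A52"  # issuer named in the reply (2017)
    for name, cert in (("direct", DIRECT), ("proxied", PROXIED)):
        print(name, check_issuer(cert, expected))
    if len(sys.argv) == 3:  # usage: script.py HOST EXPECTED_ISSUER_CN
        print(probe(sys.argv[1], sys.argv[2]))
```

Run it from the affected network and again from an unfiltered one; a different issuer or a handshake failure only on the first points at the interception device rather than the server.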
