Your message dated Wed, 16 Aug 2017 21:10:37 +0200
with message-id <[email protected]>
and subject line Re: Bug#872335: openssl: DES-CBC3-SHA not usable
has caused the Debian Bug report #872335,
regarding openssl: DES-CBC3-SHA not usable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
872335: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872335
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 1.1.0f-3
Severity: normal

Dear Maintainer,

After upgrading to stretch, one of our clients complained that he
couldn’t access one of our websites with Internet Explorer 8 on
Windows XP.

After investigation, it looks like the cipher recommended by
Mozilla (using https://mozilla.github.io/server-side-tls/ssl-config-generator/)
for IE8 compatibility, DES-CBC3-SHA, despite being enabled in
/etc/nginx/nginx.conf, is not present in the ciphers recognized by our
server (TLS_RSA_WITH_3DES_EDE_CBC_SHA not present in nmap localhost -p 443
--script=ssl-enum-ciphers)

It is also absent from openssl ciphers -V ALL:COMPLEMENTOFALL. A quick
glance at this list shows that there is no cipher compatible with IE8
(https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=8&platform=XP&key=101)

The cipher is still present in the ciphers(1ssl) manpage.

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssl depends on:
ii  libc6      2.24-11+deb9u1
ii  libssl1.1  1.1.0f-3

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20161130+nmu1

-- no debconf information

--- End Message ---
--- Begin Message ---
On 2017-08-16 19:13:44 [+0200], Kurt Roeckx wrote:
> > After upgrading to stretch, one of our clients complained that he
> > couldn’t access one of our websites with Internet Explorer 8 on
> > Windows XP.
> > 
> That cipher has been disabled by default because of the Sweet32
> attack. There are no ciphers enabled anymore that can talk to IE
> on Windows XP.

This is covered in the release notes [0]. There is nothing we can do
here, therefore closing the bug.
Windows XP has no support at all. You could try to replace IE8 with
Firefox/Chrome, but replacing Windows XP is probably better.

[0] https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#openssl-issues

> Kurt

Sebastian

--- End Message ---
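
The check the reporter ran by hand with `openssl ciphers -V ALL:COMPLEMENTOFALL`, as an added Python example (not part of the thread, and not Debian's or OpenSSL's code): it parses that listing and reports whether DES-CBC3-SHA, or any other suite built on a 64-bit block cipher (the class Sweet32 applies to), is offered by the local build. The function names and the two sample listings are constructed for illustration.

```python
import re
import subprocess

# Enc= values with a 64-bit block, the cipher class Sweet32 applies to.
BLOCK64 = {"3DES", "DES", "IDEA", "RC2"}

# One row of `openssl ciphers -V`:
#   0x00,0x0A - NAME PROTO Kx=.. Au=.. Enc=3DES(168) Mac=..
ROW = re.compile(r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(\S+)\s+(\S+)"
                 r"\s.*?\bEnc=([^\s(]+)(?:\((\d+)\))?")

# Constructed sample listings (not captured from the reporter's system).
SAMPLE_WITHOUT_3DES = """\
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""
SAMPLE_WITH_3DES = SAMPLE_WITHOUT_3DES + (
    "          0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1\n")

def parse_ciphers(listing):
    """Turn `openssl ciphers -V` text into a list of suite records."""
    suites = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:  # rows in other formats (e.g. 3-byte SSLv2 ids) are skipped
            suites.append({"id": int(m.group(1) + m.group(2), 16),
                           "name": m.group(3), "protocol": m.group(4),
                           "enc": m.group(5),
                           "bits": int(m.group(6)) if m.group(6) else None})
    return suites

def offers(suites, name):
    """True if the OpenSSL suite name (e.g. DES-CBC3-SHA) is in the listing."""
    return any(s["name"] == name for s in suites)

def sweet32_suites(suites):
    """Names of listed suites whose bulk cipher has a 64-bit block."""
    return [s["name"] for s in suites if s["enc"] in BLOCK64]

def local_listing(spec="ALL:COMPLEMENTOFALL"):
    """Ask the installed openssl binary for its cipher listing."""
    return subprocess.run(["openssl", "ciphers", "-V", spec],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    suites = parse_ciphers(local_listing())
    print("DES-CBC3-SHA offered:", offers(suites, "DES-CBC3-SHA"))
    print("64-bit block suites:", sweet32_suites(suites) or "none")
```
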
