On 2/17/22 02:21, Benoît Panizzon wrote:
Hi Andres

I'm a bit confused by this bug report. Why do you need chromium
(presumably over https) talking to network hardware drivers? Or do
you mean you have older network hardware where the firmware exposes
an https port, and chromium no longer supports the older SSL
protocols that the network hardware web server is trying to
negotiate? What specific SSL versions are we talking about?

Sorry for the confusion. I wrote the report from a user point of view,
noticing that stuff was broken after the update and that it still
worked on a machine I had not yet updated.

I work for a telco. We have some equipment that is being used long past
its intended time. But also manufacturers often stick to old
technologies like java web applets.

So this is the ciphers supported by the affected webgui of one of our
core telephony switches:

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Broken cipher RC4 is deprecated by RFC 7465
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Forward Secrecy not supported by any cipher
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Broken cipher RC4 is deprecated by RFC 7465
|       Forward Secrecy not supported by any cipher
|_  least strength: C

I suppose TLSv1.0 and SSLv3 were completely ditched with the most recent
Chromium update.

I am aware that the SSL implementation is very unsafe, but that
equipment is in a corporate lan, not reachable from the internet
protected by additional ACL. IMHO chromium should somehow provide an
option to specify 'yes I know the risk, create an exception' to still
access such sites.


Thanks for the explanation. What happens if you run chromium with --tls1 ? That sets the min SSL version to TLSv1.0, although I'm not sure what changed within chromium to actually drop TLSv1 support; if it's a third party library, then the code to support it might just be gone.
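
An added example, not part of the original thread: a small parser for `ssl-enum-ciphers` output like the scan quoted above, reporting whether a client with a given minimum protocol version can still negotiate with the device. The sample text is constructed (abbreviated from the scan in the thread), and the function names and the `TLSv1.2` client minimum are assumptions of this example.

```python
import re

# Constructed sample, abbreviated from the ssl-enum-ciphers output in the thread.
SAMPLE = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|_  least strength: C
"""

ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\S+)\s.*-\s([A-F])\s*$")

def parse_enum_ciphers(text):
    """Return {protocol: [(cipher, grade), ...]} from ssl-enum-ciphers output."""
    result, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current:
            result[current].append((m.group(1), m.group(2)))
    return result

def audit(text, client_min="TLSv1.2"):
    """Summarise what a client enforcing client_min (assumed default) would see."""
    offered = parse_enum_ciphers(text)
    floor = ORDER.index(client_min)
    usable = [p for p in offered if ORDER.index(p) >= floor]
    best = max(offered, key=ORDER.index) if offered else None
    weak = sorted({c for suites in offered.values() for c, g in suites if g != "A"})
    return {"highest_offered": best, "usable": usable,
            "handshake_possible": bool(usable), "weak_ciphers": weak}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run over an inventory of management interfaces, the `handshake_possible` field shows which devices will become unreachable from an updated browser before the update is rolled out.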
