haproxy 2.0 doesn't like a private key that is not strong enough (only 1024 bits).
I generated a new certificate for a key that has 2048 bits, just to find that this certificate is accepted but TLSv1.0 was removed from haproxy or some SSL library; haproxy 2.0.13 cannot connect to the old router... :-(
haproxy cannot connect to the router and reports error 503 - Service unavailable.

This is a script to generate a new certificate, inspired by
https://gist.github.com/yuezhu/47b15b4b8e944221861ccf7d7f5868f5

$ cat gen-new-pem.sh
#!/bin/sh
FNAME="firewall"
DAYS=370
NUMBITS=2048

# Generate a unique private key (KEY)
openssl genrsa -out "$FNAME.key" "$NUMBITS"

# Generate a Certificate Signing Request (CSR)
openssl req -new -key "$FNAME.key" -out "$FNAME.csr"

# Create a Self-Signed Certificate (CRT)
openssl x509 -req -days "$DAYS" -in "$FNAME.csr" -signkey "$FNAME.key" -out "$FNAME.crt"

# Concatenate KEY and CRT into $FNAME.pem
cat "$FNAME.key" "$FNAME.crt" > "$FNAME.pem"

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1964122

Title:
  Cannot connect to router with admin page over TLS v1.0

Status in firefox package in Ubuntu:
  Won't Fix

Bug description:
  firefox-97.0.2+linuxmint1+tricia

  I cannot connect to the web interface of my old router that is on the local LAN. It supports only TLS v1.0, and support for TLS v1.0 & 1.1 was removed in Firefox v97...

  I know I should replace my router with some better device. I already tried several times, but the new devices had other issues, and I always went back to my old router...

  I do not think that it is a real security risk to have a TLS v1.0 interface on the local LAN...

  Any idea how to connect to a device with TLS v1.0?
  Any idea for a workaround? Maybe some proxy, or another browser, etc...

  I already tried the Chromium browser but it is the same, I cannot connect with TLSv1.0.

  Do I really need to run an old PC with W2k to manage my router?? ;-)

  ---

  https://support.mozilla.org/en-US/kb/secure-connection-failed-firefox-did-not-connect?as=u&utm_source=inproduct#w_tls-version-unsupported

  Note: The option to enable TLS 1.0 and 1.1 has been removed from the error page in Firefox version 97.

  ---

  Router supports TLS v1.0 only:

  $ curl -v -s --tlsv1.0 https://192.168.222.1:445
  * Rebuilt URL to: https://192.168.222.1:445/
  *   Trying 192.168.222.1...
  * TCP_NODELAY set
  * Connected to 192.168.222.1 (192.168.222.1) port 445 (#0)
  * ALPN, offering h2
  * ALPN, offering http/1.1
  * successfully set certificate verify locations:
  *   CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
  * TLSv1.0 (OUT), TLS handshake, Client hello (1):
  * TLSv1.0 (IN), TLS handshake, Server hello (2):
  * TLSv1.0 (IN), TLS handshake, Certificate (11):
  * TLSv1.0 (OUT), TLS alert, Server hello (2):
  * SSL certificate problem: self signed certificate
  * stopped the pause stream!
  * Closing connection 0

  $ curl -v -s --tlsv1.1 https://192.168.222.1:445
  * Rebuilt URL to: https://192.168.222.1:445/
  *   Trying 192.168.222.1...
  * TCP_NODELAY set
  * Connected to 192.168.222.1 (192.168.222.1) port 445 (#0)
  * ALPN, offering h2
  * ALPN, offering http/1.1
  * successfully set certificate verify locations:
  *   CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
  * TLSv1.1 (OUT), TLS handshake, Client hello (1):
  * TLSv1.1 (IN), TLS handshake, Server hello (2):
  * TLSv1.1 (OUT), TLS alert, Server hello (2):
  * error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
  * stopped the pause stream!
  * Closing connection 0
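
The two curl runs in the report fail for different reasons: with TLSv1.0 the handshake reaches the certificate and stops at verification, while with TLSv1.1 the protocol version itself is rejected. The following sketch, an added example that is not part of the bug report, tells those cases apart; the function names and verdict words are made up for illustration, and the matched strings are the ones an OpenSSL-backed curl prints.

```shell
#!/bin/sh
# Added example (not from the bug report): classify `curl -v` TLS probe output.

# Read curl -v output on stdin and print one verdict word.
classify_tls_probe() {
    awk '
        /unsupported protocol|alert protocol version/ { proto_fail = 1 }
        /SSL certificate problem/                     { cert_fail = 1 }
        /\(IN\), TLS handshake, Server hello/         { server_hello = 1 }
        /SSL connection using/                        { established = 1 }
        END {
            if (proto_fail)                     print "protocol-unsupported"
            else if (cert_fail && server_hello) print "protocol-ok-cert-untrusted"
            else if (established)               print "protocol-ok"
            else                                print "unknown"
        }'
}

# Probe HOST:PORT with exactly one TLS version (minimum and maximum pinned).
# Verification stays on, so an untrusted certificate is reported, not hidden.
probe_tls_version() {   # usage: probe_tls_version HOST:PORT 1.0
    curl -v -s -o /dev/null --max-time 10 \
        "--tlsv$2" --tls-max "$2" "https://$1/" 2>&1 | classify_tls_probe
}

# Sample lines copied from the two curl runs in the report.
sample_tls10() { cat <<'EOF'
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* SSL certificate problem: self signed certificate
EOF
}
sample_tls11() { cat <<'EOF'
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
* TLSv1.1 (IN), TLS handshake, Server hello (2):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
EOF
}

if [ "$#" -ge 1 ]; then   # live probe: ./script HOST:PORT
    for v in 1.0 1.1 1.2 1.3; do
        printf 'TLS %s: %s\n' "$v" "$(probe_tls_version "$1" "$v")"
    done
else                      # offline: classify the embedded samples
    printf 'sample --tlsv1.0: %s\n' "$(sample_tls10 | classify_tls_probe)"
    printf 'sample --tlsv1.1: %s\n' "$(sample_tls11 | classify_tls_probe)"
fi
```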

