Yes, thank you, I was able to confirm that RSA is DOA in 1476. 1475 and before only supported RSA so 1476 broke SSL for everyone, though I doubt many people use it.

The bigger issue is why 1476 built at all. It has been a long time since I did any development for Freenet. Are there not unit tests for the SSL libraries? I wonder what that says about Fred's code coverage in general.

Is someone trying to reinvent the wheel here? It looks like 1476 only supports TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. I can't imagine there is not an SSL library that can be integrated with Fred that implements all the common standards including detecting client support for them.

I agree with Florent "that we should switch to what others are doing cipher-wise", and half the ciphers at the provided link are RSA. What I don't understand is why the provided link did not go to the Intermediate (default) security model. When something is the default that is typically what others are doing.

-Pascal


On 3/5/2017 3:29 AM, Florent Daigniere wrote:
It's because you are using a custom RSA certificate... and we don't have any RSA-compliant cipher in the new build.

Either wait for next build (that might fix it) or get an ECDSA cert from letsencrypt.

Florent
PS: I think that we should switch to what others are doing cipher-wise:
https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility

On Sat, 2017-03-04 at 18:54 -0600, Pascal wrote:
Unfortunately, I have been unable to find any error messages.  It simply does not work.

The command "openssl s_client -connect freenet.us.to:443" will show you what ssl negotiation for a 1475 fproxy looks like.  "openssl s_client -connect freenet.6lit.com:443" will show you 1476.  Downgrading the 1476 by changing out freenet.jar to 1475 makes it work again, so I know the config & certs are good.

I just installed the above 1476 on a headless CentOS 7 test server.  I'd be happy to give you ssh access if that would help.

-Pascal


On 3/4/2017 3:50 PM, Arne Babenhauserheide wrote:

Pascal <pascal...@users.sourceforge.net> writes:

FProxy SSL does not work at all in 1476.  Downgrading to 1475 brings it back.  1475 does not work with recent Chrome.

Thank you for your report!

Could you tell us the actual error you're seeing so we can try to track down its origin?

Best wishes,
Arne



_______________________________________________
Devl mailing list
Devl@freenetproject.org
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
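
The mismatch discussed in this thread (an RSA certificate on a server that enables only an ECDHE_ECDSA suite), written as the kind of regression check the thread asks about. This is an added example, not part of the original messages and not Freenet code; the function names, the `MIXED` list and the default set of certificate key types are assumptions, and only the 1476 suite name comes from the thread.

```python
# Added example, not Freenet code. Scope: TLS <= 1.2 suite names, where the
# name fixes which kind of key the server certificate must carry.

# Key-exchange/authentication prefix -> certificate key type it requires.
# Static ECDH suites need an EC key regardless of who signed the certificate.
KEY_TYPE_BY_PREFIX = {
    "RSA": "RSA", "DHE_RSA": "RSA", "ECDHE_RSA": "RSA",
    "ECDHE_ECDSA": "EC", "ECDH_ECDSA": "EC", "ECDH_RSA": "EC",
    "DHE_DSS": "DSA",
}


def required_key_type(suite):
    """Return the certificate key type a suite name demands, or None.

    None means the name carries no certificate requirement this table
    knows about (TLS 1.3 names, anon and PSK suites, unknown prefixes).
    """
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        return None
    prefix = suite[len("TLS_"):].split("_WITH_", 1)[0]
    return KEY_TYPE_BY_PREFIX.get(prefix)


def usable_suites(enabled, cert_key_type):
    """Enabled suites the server can negotiate with this certificate key."""
    return [s for s in enabled if required_key_type(s) == cert_key_type]


def uncovered_key_types(enabled, supported_cert_keys=("RSA", "EC")):
    """Key types an operator may configure that no enabled suite can serve.

    supported_cert_keys is an assumption about what a deployment accepts.
    """
    return [k for k in supported_cert_keys if not usable_suites(enabled, k)]


# The single suite the thread reports for build 1476.
BUILD_1476 = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]
# Constructed list: the same suite plus an RSA-authenticated counterpart.
MIXED = BUILD_1476 + ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for label, suites in (("1476", BUILD_1476), ("mixed", MIXED)):
        print(label, "uncovered certificate key types:", uncovered_key_types(suites))
```

A build-time test that asserts `uncovered_key_types(enabled)` is empty for the suite list a release ships would fail for a list like `BUILD_1476` before any RSA-certificate deployment is affected.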

