On 10/26/2014 9:09 AM, Gabriel wrote:
This is weird! Trying to access: https://www.norse-corp.com/careers.html
I see the error "Cannot communicate securely with peer: no common encryption
algorithm(s). (Error code: ssl_error_no_cypher_overlap)"

User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:33.0)
Gecko/20100101 Firefox/33.0 SeaMonkey/2.30
Build identifier: 20141014004953


It works with Firefox 33.0.1 but it shows an alert sign in the URL bar (I think
about mixed content).

G.

No one should have SSL 3 enabled! POODLE vulnerability has killed SSL 3.

I get the same message at your site on SeaMonkey 2.30, Pale Moon 25.0.2 (where the dev has disabled SSL 3) and Fx 24.8 ESR.

Qualys report https://www.ssllabs.com/ssltest/analyze.html?d=norse-corp.com on that site indicates that ONLY SSL 3 is used! The site claims they have mitigated the POODLE risk but that site should be reported as broken. Mozilla will be permanently disabling SSL3 soon and Mozilla blog recommends that everyone in the meantime install their new addon SSL Version control which works on Fx, SeaMonkey, Thunderbird and sets the lowest SSL accepted to TLS 1.0. This addon is great because with a very backward and dangerous server like that at norse-corp.com you can temporarily enable SSL3 when you absolutely must visit that site and then disable SSL 3 again as soon as you leave the site. Still, you need to report the site and also complain to the site's webmaster because you won't be able to visit the site when Mozilla permanently disables SSL 3. Plus, no site should be using only SSL 3 these days.

SSL Version Control extension by Mozilla will show grayed out install button for SeaMonkey but ignore it and click to install anyway. It will install just fine. https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/


There is a separate problem with SeaMonkey 2.3. Even if that site was using TLS 1.0, SeaMonkey 2.3 uses ONLY TLS 1.2 (the newest and strongest protocol). At least, this is what Qualys reports when I run SeaMonkey 2.3 through their analysis. https://www.ssllabs.com/ssltest/viewMyClient.html

I have SeaMonkey set to use TLS 1.0, 1.1 and 1.2 in Preferences/Privacy and Security/SSL but it is only using TLS 1.2. No browser currently has proper fallback from TLS 1.2 to TLS 1.0 and on some sites (like my ISP's crappy old server) SeaMonkey will fall back to TLS 1.0 (which is what the server supports) but it is INSECURE fallback. On your site, SM tries to use TLS 1.2 and doesn't try to fall back when that doesn't work which is better than what happens on my ISP's website on many of their secure pages.

The best current solution (not a good solution but the best that can be had currently until the servers update to be able to use TLS 1.2 and/or until the browsers finally properly support correct fallback from TLS 1.2 on servers that cannot use it to TLS 1.0) is to set "security.tls.version.min" to the value "1" and set "security.tls.version.max" to the value "1". Also install the Mozilla extension SSL Version control. Here's a good reference article: http://kb.mozillazine.org/Security.tls.version.*#Caveats

_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
