On 1/26/2017 7:12 AM, Steve Dunn wrote:
> On 2017-01-26 03:12, Ant wrote:
>> As you guys know, both Gecko based web browsers are the (lat/new)est
>> stable versions which I told them. "Can't they be made to also support
>> modern protocols?" is what they asked. So, I am asking you guys on how
>> to resolve/fix this security connection issue.
>
> There are a lot of pieces to the puzzle here. Each side supports
> various combinations of SSL/TLS versions, cipher suites, and so on - and
> in many cases the software allows the administrator/user to enable or
> disable parts of it. I may speak ten languages and you may speak
> twenty, but if we have no languages in common, we can't have a
> conversation. The same applies to SSL/TLS.
>
> I'm glad to see that it got sorted out this time; it sounds like they
> made a configuration error when they were trying to improve security. If
> you run into this sort of thing in future and want some troubleshooting
> info, try these two steps:
>
> 1. Go to https://www.ssllabs.com/ssltest/index.html and have it test
> the site that's giving you problems
> 2. Go to https://www.ssllabs.com/ssltest/viewMyClient.html - this will
> tell you what parameters your browser supports
>
> The first one includes simulation of various browsers to show whether
> that browser can connect to the site and, if so, what parameters would
> be used. It doesn't include Seamonkey but it does include a few Firefox
> versions so you may find your answer in there without even resorting to
> step 2. (I believe it simulates default settings only, so if you've
> fiddled with some of your settings, you may get a different result than
> the test does even if you're using exactly the same browser version.)
>
> Failing that, comparing the list of what parameters the site supports
> from step 1 and what parameters your browser supports from step 2 will
> often show that there's a mismatch which prevents communications.
Thanks. :) FYI from my SeaMonkey v2.46 web browser:
"SSL/TLS Capabilities of Your Browser
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101
Firefox/49.0 SeaMonkey/2.46
Protocol Support
Your user agent has good protocol support.
Your user agent supports TLS 1.2, which is the best available protocol
version at the moment.
Logjam Vulnerability
Your user agent is not vulnerable.
For more information about the Logjam attack, please go to weakdh.org.
To test manually, click here. Your user agent is not vulnerable if it
fails to connect to the site.
FREAK Vulnerability
Your user agent is not vulnerable.
For more information about the FREAK attack, please go to
www.freakattack.com.
To test manually, click here. Your user agent is not vulnerable if it
fails to connect to the site.
POODLE Vulnerability
Your user agent is not vulnerable.
For more information about the POODLE attack, please read this blog post.
Protocol Features
Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
Cipher Suites (in order of preference)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) Forward Secrecy 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
(1) When a browser supports SSL 2, its SSL 2-only suites are shown only
on the very first connection to this site. To see the suites, close all
browser windows, then open this exact page directly. Don't refresh.
Protocol Details
Server Name Indication (SNI) Yes
Secure Renegotiation Yes
TLS compression No
Session tickets Yes
OCSP stapling Yes
Signature algorithms SHA256/RSA, SHA384/RSA, SHA512/RSA, SHA1/RSA,
SHA256/ECDSA, SHA384/ECDSA, SHA512/ECDSA, SHA1/ECDSA, SHA384/DSA,
SHA256/DSA, SHA1/DSA
Elliptic curves secp256r1, secp384r1, secp521r1
Next Protocol Negotiation Yes
Application Layer Protocol Negotiation Yes h2 spdy/3.1 http/1.1
SSL 2 handshake compatibility No
Mixed Content Handling
Mixed Content Tests
Images Passive Yes
CSS Active No
Scripts Active No
XMLHttpRequest Active No
WebSockets Active No
Frames Active No
(1) These tests might cause a mixed content warning in your browser.
That's expected.
(2) If you see a failed test, try to reload the page. If the error
persists, please get in touch.
Related Functionality
Upgrade Insecure Requests request header (more info) Yes"
:D
--
"..., you ready for a little dumpster diving?" "Um... okay." "You know I
don't mind getting my hands dirty." "I mean, maggots, wet trash, I am
the first one in." "Okay, so what are you waiting for?" "Ants."
(Chuckles) "Ants?" "Yes, I have got a problem with ants." "They are
sneaky, and they are mobile, and when they get on you, even if you get
them off..." "Okay, Calleigh, chill." --CSI: Miami (Wannabe episode; #218)
Note: A fixed width font (Courier, Monospace, etc.) is required to see
this signature correctly.
/\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
/ /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
| |o o| |
\ _ / If crediting, then use Ant nickname and AQFL URL/link.
( ) Axe ANT from its address if e-mailing privately.
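
The comparison suggested in this thread (what the site offers against what the browser offers), as an added example that is not part of the original messages: it parses lines in the layout of the SSL Labs client report and models the negotiation to name the mismatch. The function names, the server-side lists passed to `diagnose`, and the assumption that the server applies its own suite order are illustrative.

```python
import re

# Constructed sample in the layout of the SSL Labs client report quoted above;
# the suite lines are a subset of the SeaMonkey 2.46 list from that report.
CLIENT_REPORT = """\
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) Forward Secrecy 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
"""
VERSIONS = ["SSL 2", "SSL 3", "TLS 1.0", "TLS 1.1", "TLS 1.2"]  # oldest first

def parse_report(text):
    """Return (enabled protocol versions, cipher suites in listed order)."""
    protocols, suites = set(), []
    for line in text.splitlines():
        line = line.strip()
        proto = re.match(r"((?:TLS|SSL) \d(?:\.\d)?)\s+(Yes|No)\s*$", line)
        suite = re.match(r"(TLS_[A-Z0-9_]+) \(0x[0-9a-f]+\)", line)
        if proto and proto.group(2) == "Yes":
            protocols.add(proto.group(1))
        elif suite:
            suites.append(suite.group(1))
    return protocols, suites

def usable(suite, version):
    """SHA-256/SHA-384 suites (GCM, ChaCha20, CBC_SHA256) exist only in TLS 1.2."""
    return version == "TLS 1.2" or not suite.endswith(("_SHA256", "_SHA384"))

def diagnose(client, server):
    """Model the negotiation; assumes the server applies its own suite order."""
    (c_protos, c_suites), (s_protos, s_suites) = client, server
    common = c_protos & s_protos
    if not common:
        return (False, "no common protocol version")
    version = max(common, key=VERSIONS.index)  # highest version both sides enable
    for suite in s_suites:
        if suite in c_suites and usable(suite, version):
            return (True, f"{version} {suite}")
    return (False, f"no common cipher suite for {version}")
```

The server side of `diagnose` takes the protocol set and suite list that the step 1 server test reports for the site.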