PINE64
Forum issues after the cluster move - Printable Version




Forum issues after the cluster move - Dendrocalamus64 - 06-09-2020

I sometimes access this site from an older computer which is stuck on an older Firefox ESR version. There are still no SSL errors on e.g. www.pine64.org, but after the move forum.pine64.org now gives:

An error occurred during a connection to forum.pine64.org. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

It can only be accessed by using plain http.


RE: Forum issues after the cluster move - fire219 - 06-09-2020

If you can get me a list of the SSL cyphers that the old Firefox ESR install supports, I'll see what can be done to fix this.


RE: Forum issues after the cluster move - Dendrocalamus64 - 06-09-2020

It's Firefox 45.9.0esr, released 2017.04.19, the last pre-Electrolysis ESR version.

According to ssllabs' database, it supports TLS 1.2.
https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=45&platform=Win%207&key=127

According to their server test,
https://www.ssllabs.com/ssltest/analyze.html?d=forum.pine64.org&s=91.219.133.83

The forum supports TLS 1.2 & 1.3, but the handshake simulation section shows,
Firefox 31.3.0 ESR / Win 7 - Server sent fatal alert: handshake_failure
Firefox 47 / Win 7 R - Server sent fatal alert: handshake_failure
Firefox 49 / XP SP3 - RSA 2048 (SHA256) - TLS 1.2 > http/1.1

and a number of other TLS 1.2 browsers getting bumped to plain http.

Looking at the specific TLS 1.2 cipher suites supported, there is just no overlap. The still-good ones FF45 supports would be,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128

and the closest the server has enabled are,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 4096 bits FS 256

(but it does have one weak one enabled.)


Also, www.pine64.org is available via IP6, but according to their testing the SSL config is out of sync with the IP4 one & substantially behind it (e.g. no TLS 1.3):
https://www.ssllabs.com/ssltest/analyze.html?d=www.pine64.org&s=2a02%3aaf8%3afab0%3a800%3a31%3a193%3a136%3a207
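
Added example, not part of the thread and not PINE64's configuration: a small parser that pulls the offered cipher suites out of a captured TLS ClientHello record and checks them against a server's enabled list, which is the comparison the posts above do by hand. The ClientHello bytes are constructed here from the two Firefox 45 suites named in the thread, and the server-preference selection in `negotiate` is an assumption about how the server picks.

```python
import struct

# Suite IDs and names as quoted in the thread from the SSL Labs reports.
NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}
SERVER_ENABLED = [0xC030, 0x009F]  # "the closest the server has enabled"


def build_client_hello(suites):
    """Constructed sample: minimal TLS 1.2 ClientHello record, no extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))          # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def offered_suites(record):
    """Return the cipher suite IDs offered in a ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]               # skip session id
    if pos + 2 > len(record):
        raise ValueError("truncated before cipher_suites")
    (n,) = struct.unpack("!H", record[pos:pos + 2])
    pos += 2
    if n % 2 or pos + n > len(record):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + n, 2)]


def negotiate(client, server):
    """Server-preference selection; None models the handshake_failure alert."""
    return next((s for s in server if s in client), None)


if __name__ == "__main__":
    offered = offered_suites(build_client_hello([0xC02B, 0xC02F]))
    for s in offered:
        print(f"client offers 0x{s:04x} {NAMES.get(s, 'unknown')}")
    print("selected:", negotiate(offered, SERVER_ENABLED) or "none (handshake_failure)")
```

On a real capture, pass the raw bytes of the first TLS record the client sends to `offered_suites`.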