Mailinglist Archive: opensuse (1355 mails)

Re: [opensuse] Re: opensuse sites *appear* not to be following recommended TLS settings.
  • From: Andrew Colvin <andrew@xxxxxxxxxxxxx>
  • Date: Sun, 24 Jun 2018 18:22:15 +0100
  • Message-id: <117688131.HVOSy20aiu@host>
On Sunday, 24 June 2018 17:56:59 BST L A Walsh wrote:
Darryl Gregorash wrote:
On 2018-06-24 05:33 AM, Carlos E. R. wrote:
On 2018-06-24 06:16, L A Walsh wrote:
I followed an opensuse advert for selling data storage for
body-cams to police.

It went through some redirects on google, then went to www.suse.com,

That page doesn't load here.

Well, it did after a minute, and it is a strange page. And I get it in
Spanish, despite my browser preference for English.

At the bottom, there is an aws float that hides a few of the allies, such
as Cisco.

A security alert (meltdown) floats on top full time.

No mention at all of openSUSE.

---
No, but also have problems going to the opensuse
forum site: https://forums.opensuse.org/ .
----- (it says: )

The connection was interrupted

The connection to forums.opensuse.org was interrupted while the page was
loading.

The site could be temporarily unavailable or too busy. Try again in a
few moments. If you are unable to load any pages, check your computer's
network connection. If your computer or network is protected by a firewall
or proxy, make sure that Pale Moon is permitted to access the Web.

[Try Again]

============

That's with Pale Moon V25.50(x64) -- (current version 27.9.3).
Have not upgraded this browser because I'd lose too many extensions
I want to use/keep for my everyday/casual usage. If I am
visiting a more sensitive site or one that requires more
security, I'll use Opera. Both webpages work fine in Opera.

I won't ever be able to check this following an advert, since I'm
running an ad blocker.

---
Fortunately, my ad blocker allows me to put in site and
page-specific exceptions as well as allowing me to temporarily
disable. Anyway, if you can access www.suse.com or


Not seeing the status 'NONE' in squidlog for forums.opensuse.org and have
tried reloading it more than once. Just seeing the 'connection was
interrupted'.

However, if I turn on masquerading, and try to go direct with my browser,
instead of through proxy, I get a different message:

----------------------------------------------------
The connection was reset

The connection to the server was reset while the page was loading.

The site could be temporarily unavailable or too busy. Try again in a
few moments. If you are unable to load any pages, check your computer's
network connection. If your computer or network is protected by a firewall
or proxy, make sure that Pale Moon is permitted to access the Web. [Try
Again]
=================================================

In both cases, client is starting out with a TLSv1 Hello/handshake,
followed by a supported range, up to TLSv1.2. The lower
range in my browser seems to be configured at TLSv1.1.

In the top case, squid is closing connection to browser
"politely"(?) with a FIN,ACK message after the opening TLS
message, while the bottom message (reset), comes from the remote
website, and it sends an 'ACK' then a 'RST' on the connection
(thus, "reset") -- roughly same response.


I don't think suse's new configuration is following suggested
practices. They seem to be applying some standard that is higher
than what is recommended for commercial+vendor transactions and
before the suggested date of implementation.

Hi

TLS1.0 and 1.1 are deprecated and most websites have them turned off for
security reasons, the same as SSL version. The old browser may also not be able
to negotiate with the SHA2 certs, as SHA1 is also past its life and most
browsers and sites no longer support it, so if your browser cannot handle SHA2
then you will not connect. Additionally, you may have old cipher support only
and many of these are disabled on the servers for the health of the server.
All things to check out.

Andrew
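
An added example, not part of the original message or of any openSUSE code: a small ClientHello parser that separates the three things discussed in this thread (the record-layer version, the highest protocol version the client actually offers, and the offered cipher suites) and checks them against a server policy. A record-layer version of TLSv1.0 (0x0301) next to a hello version of TLSv1.2 (0x0303) is a common compatibility pattern in a capture; the sample hello, the suite lists and the policy below are constructed for illustration and describe neither Pale Moon nor the openSUSE servers.

```python
import struct

NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def parse_client_hello(record):
    """Parse one TLS record that holds a complete ClientHello."""
    ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record)
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or body[:1] != b"\x01":
        raise ValueError("not a complete ClientHello record")
    pos = 4                                    # handshake type + 3-byte length
    (hello_ver,) = struct.unpack_from("!H", body, pos)
    pos += 2 + 32                              # client_version + random
    pos += 1 + body[pos]                       # session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    suites = list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos + 2))
    pos += 2 + cs_len
    pos += 1 + body[pos]                       # compression methods
    offered = [hello_ver]
    if pos + 2 <= len(body):                   # extensions are optional
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            if etype == 43:                    # supported_versions (TLS 1.3 clients)
                count = body[pos + 4] // 2
                offered = list(struct.unpack_from("!%dH" % count, body, pos + 5))
            pos += 4 + elen
    known = [v for v in offered if v in NAMES] or [hello_ver]   # drop GREASE values
    return {"record_version": rec_ver, "hello_version": hello_ver,
            "max_offered": max(known), "cipher_suites": suites}

def diagnose(hello, min_version, server_suites):
    """Say why a server with this policy would refuse the hello, or 'ok'."""
    if hello["max_offered"] < min_version:
        return "protocol version too low"
    if not set(hello["cipher_suites"]) & set(server_suites):
        return "no shared cipher suite"
    return "ok"

def build_hello(suites, hello_ver=0x0303, rec_ver=0x0301, extensions=b""):
    """Constructed test input: a ClientHello with a zero random and no session id."""
    body = struct.pack("!H", hello_ver) + bytes(33)
    body += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites) + b"\x01\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    msg = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, rec_ver, len(msg)) + msg

# Constructed values: legacy RC4/3DES/AES-CBC suites vs. an ECDHE-GCM-only policy.
LEGACY = [0x0005, 0x000A, 0x002F]
POLICY = {"min_version": 0x0303, "server_suites": [0xC02F, 0xC030]}
```

Feeding it the ClientHello bytes exported from a packet capture shows whether a refused connection is explained by the protocol range or by the cipher list, which are separate settings on both client and server.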



