Edwin Helbert Aponte Angarita wrote:
To go along with that, openSUSE Tumbleweed will get openssl 1.0.2c with ssl3 disabled soonish.
Ciao, Marcus
Hello,
Sorry if you see this email several times. I have had some problems getting it posted.
I have a printer and a router (not too old) that have web servers using https with SSLv3.0 to access configuration.
Is your printer accessible from the outside net, or is it accessible only from your internal net? (Presumption -- you have at least 2 network zones: inside (192.168.x.x or 10.x.x.x, etc.) and outside (everything else).) If it is only accessible via your internal net and your computer's network address is also "local only" -- then it _sounds_ like you don't need any encryption between the printer and your system. So you could disable the encrypted connection and send plaintext to your printer (does it require usernames/passwords to print? Most don't -- so usually sniffing printer traffic results in attackers wasting much time for an uncertain payoff).

Similarly for the router: what does your router do that your SuSE box cannot do? Presumably the router was able to be accessed via an SSLv3 connection, like https? Does it also take a username and password? Does it have IP-based network controls -- or does it maybe only have 1 external hookup that goes to a cable or DSL modem? Then maybe it has 1-4 "internal hookups" -- but would I be wrong to think all your internal addresses are on "unroutable" subnets (like 192.168.x.y or 10.x.y.z, among a few others)? If so, you might be able to configure the router to only listen for administrative access on internal ports and ignore external admin-connection attempts.

Basically, if you have an internal net that is 'mostly' protected from the external net (i.e. no direct connection from the outside net to your internal net), maybe it is configurable to only listen on your interior interface (better if it can be limited to a physical interface (int. vs. ext.), or it may have 'eth0' assigned for the internal nets and eth1 for the outside). However your router may do it, if you can ensure outside traffic cannot get inside your net except through the router (or a Linux gateway), then do you really need encryption?
I've been running samba with no encryption since day one for performance reasons -- but my samba server only services my internal nets:

interfaces = 192.168.4.1/24 192.168.3.1/24 127.0.0.1/32

(many will tell you there is no reason for the latter unless your server serves files to itself -- which it might in some sites).

Just recently I updated my SuSE openssl packages, and had real bad slowness problems with Thunderbird; it seems the TLS protocol wasn't very robust or was just slow. I tried updating to a new version (FossaMail v25.1.5, based on Tbird, was x64 too); I had it set up to speak TLS, but still had perf problems, as well as it *crashed* more often than my *old* Tbird (v2.0.0.24). On certain things it crashed reliably (trying to view an email in original HTML). I kicked it to the curb, went back to Tbird -- it whined because SSL3 was off, so no way to start an IMAPS session. So I switched it to "dovecot". Note: dovecot, by default, is set up to not listen to unencrypted IMAP or allow unencrypted USER/PASS session setup -- so you have to make sure dovecot listens to IMAP (143) and (or instead of) IMAPS (993). Made that change and the speedup in email fetching/sending etc. became much faster -- and Tbird stopped hanging.

So if you can use a non-encrypted connection (i.e. your local net is not connected to the outside world except through proxies; mine go through squid -- external addresses are _usually_ unreachable unless I configure some temporary exception, like explicitly turning on NAT on my linux box. But normally most of my internet-communicating apps work through a web proxy (like squid) or SOCKS (dante)). All of the above is dependent on keeping a strict barrier between outside and inside -- i.e. if I turn on 'NAT' for some reason (some software requires direct access and refuses to use a proxy to "activate the SW"), my risks go up -- but usually NAT is off, and when it is on, well, I pretty much have to rely on the fact that being on an 'unroutable' IP (192.168/... or 10/...) will usually have the traffic dropped at any first gateway (i.e. my Netgear cable modem comes configured to drop any such traffic rather than trying to pass it on). The other advantage -- you can often see a marked increase in performance.
I am getting this error "sec_error_reused_issuer_and_serial" when trying to access them with Firefox 38.0.1 (and Chromium) on openSUSE 13.2, and I am not allowed to continue despite the error. Do you know how I can get Firefox not to complain about SSLv3 temporarily?
---- Where are you trying to connect? I.e. if you have a public email account like 'gmail', and need to download from them, you MUST not use unencrypted access methods... in that case, ick.... I don't think the follow-on damage from the breakage of SSLv3 is even close to being done. TLS is a dog during the session startup (and that was over a local net, and many of the sessions would just "timeout" and hang Tbird...). If you are using gmail (as I see your domain says now), you might try to use something like fetchmail to download from gmail and then deliver it to your local account -- fetchmail is much easier to update and recompile with *safe* communication methods than is Tbird. Good luck...
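The sec_error_reused_issuer_and_serial error asked about above is not an SSLv3 complaint at all: Firefox raises it when a server presents a certificate whose issuer name and serial number match a *different* certificate already in its store, which is exactly what happens when a printer or router regenerates its self-signed certificate with a new key but the same fixed serial. The script below is an example added here for this thread, not code from any of the posters or from Firefox; it walks just enough DER to pull issuer and serial out of each certificate and reports collisions the way Firefox would see them. The certificates it checks are constructed toy certificates (unsigned, placeholder keys) built by the hypothetical helper `make_fake_cert`, not real device certificates.

```python
"""Find certificates that reuse an (issuer, serial number) pair.

Firefox raises sec_error_reused_issuer_and_serial when a server presents a
certificate whose issuer and serial match a different certificate already in
its store. Devices that regenerate a self-signed certificate with a fixed
serial trigger exactly this. Example code added for this thread; the
certificates below are constructed toy data, not real device certificates.
"""
from typing import Dict, List, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: 0x8N, then N bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def issuer_and_serial(cert_der: bytes) -> Tuple[bytes, int]:
    """Extract (issuer Name DER, serialNumber) from a DER X.509 certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a SEQUENCE"
    tag, tbs, _ = _read_tlv(cert, 0)               # tbsCertificate SEQUENCE
    assert tag == 0x30, "tbsCertificate missing"
    tag, val, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        tag, val, pos = _read_tlv(tbs, pos)
    assert tag == 0x02, "serialNumber missing"     # serialNumber INTEGER
    serial = int.from_bytes(val, "big", signed=True)
    tag, _, pos = _read_tlv(tbs, pos)              # signature AlgorithmIdentifier
    assert tag == 0x30, "signature algorithm missing"
    tag, issuer, _ = _read_tlv(tbs, pos)           # issuer Name
    assert tag == 0x30, "issuer missing"
    return issuer, serial


def find_reused_issuer_serial(certs: Dict[str, bytes]) -> List[List[str]]:
    """Group labels of *different* certificates that share (issuer, serial).

    Byte-identical copies of one certificate are not a collision; only
    distinct certificates under the same key are reported, as Firefox does.
    """
    groups: Dict[Tuple[bytes, int], Dict[bytes, List[str]]] = {}
    for label, der in certs.items():
        groups.setdefault(issuer_and_serial(der), {}).setdefault(der, []).append(label)
    return [sorted(sum(by_der.values(), []))
            for by_der in groups.values() if len(by_der) > 1]


# --- constructed sample data: a tiny DER encoder for toy certificates ---

def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one element, using long-form length when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def make_fake_cert(cn: str, serial: int, key_blob: bytes) -> bytes:
    """Build a structurally valid, unsigned self-signed toy certificate.

    Hypothetical helper for this example only; the signature is all zeros.
    """
    atv = _tlv(0x30, b"\x06\x03\x55\x04\x03" + _tlv(0x0C, cn.encode()))  # CN (OID 2.5.4.3)
    name = _tlv(0x30, _tlv(0x31, atv))                                    # Name ::= SEQ OF SET OF ATV
    sha256_rsa = _tlv(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
    serial_der = _tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True))
    validity = _tlv(0x30, _tlv(0x17, b"250101000000Z") + _tlv(0x17, b"350101000000Z"))
    spki = _tlv(0x30, _tlv(0x03, b"\x00" + key_blob))                     # placeholder key
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))                       # version v3
                     + serial_der + sha256_rsa + name + validity + name + spki)
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 9))


# Constructed scenario: the printer regenerated its certificate with a new
# key but kept serial 1; the router also uses serial 1 under its own name.
SAMPLE_CERTS = {
    "printer-2014": make_fake_cert("printer.local", 1, b"A" * 16),
    "printer-2014-copy": make_fake_cert("printer.local", 1, b"A" * 16),
    "printer-2015": make_fake_cert("printer.local", 1, b"B" * 16),
    "router": make_fake_cert("router.local", 1, b"C" * 16),
}

if __name__ == "__main__":
    for group in find_reused_issuer_serial(SAMPLE_CERTS):
        print("reused issuer/serial among:", ", ".join(group))
```

To run this against real certificates, export the stored one from Firefox's Certificate Manager and capture the one the device currently serves (for example from `openssl s_client -showcerts`), then convert each PEM file to DER with `openssl x509 -in cert.pem -outform DER -out cert.der`. If the two collide, the client-side remedy is to delete the stale entry from Firefox's store; the device-side remedy is to issue a fresh serial whenever the certificate is regenerated.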