[Cialug] Firefox Support for TLS v1.0 and v1.2

Barry Von Ahsen vonahsen at gmail.com
Mon Mar 1 17:26:12 UTC 2021


nmap has an ssl-enum-ciphers script, or openssl s_client should tell you the default cipher

# nmap --script ssl-enum-ciphers -p 443 <tgt>
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 11:02 CST
Nmap scan report for <tgt>
Host is up (0.00014s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: A



# openssl s_client -connect <tgt>:443
<snip>
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1866 bytes and written 409 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384




-barry





> On Mar 1, 2021, at 10:47 AM, Todd Walton <tdwalton at gmail.com> wrote:
> 
> So I finally got one of these today, for the first time:
> https://imgur.com/YDeN2Qa
> 
> It's a message from Firefox in place of the website I was trying to load.
> It says:
> 
> Secure Connection Failed
> 
> An error occurred during a connection to directory-proxy.castlebranch.com.
> Peer using unsupported version of security protocol.
> 
> Error code: SSL_ERROR_UNSUPPORTED_VERSION
> 
>    The page you are trying to view cannot be shown because the
> authenticity of the received data could not be verified.
>    Please contact the website owners to inform them of this problem.
> 
> This website might not support the TLS 1.2 protocol, which is the minimum
> version supported by Firefox. Enabling TLS 1.0 and TLS 1.1 might allow this
> connection to succeed.
> 
> TLS 1.0 and TLS 1.1 will be permanently disabled in a future release.
> 
> And there's a button that says it will "Enable TLS 1.0 and 1.1". But I've
> clicked the button and it still doesn't allow the site to load. It still
> says, "SSL_ERROR_UNSUPPORTED_VERSION". I loaded about:config and see that
> security.tls.version.enable-deprecated is now set to true.
> 
> I'd like to figure out what version of TLS this site is offering up. Any
> ideas on how to do that?
> --
> Todd
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
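
Added example (not part of the original thread or of nmap): a small shell filter that reads ssl-enum-ciphers output like the scan in the reply above and reports which protocol versions the server lists, so the result can be compared against the TLS 1.2 minimum named in the Firefox error. The function names, verdict strings and sample scan are constructed for illustration, and the filter assumes a single scanned port.

```shell
# Added example: summarise the protocol versions listed in
# `nmap --script ssl-enum-ciphers` output read from stdin.
tls_summary() {
    awk '
        # Protocol section header, e.g. "|   TLSv1.2: "
        /^[|] +(SSLv3|TLSv1\.[0-3]): *$/ {
            proto = $2; sub(/:$/, "", proto)
            order[++n] = proto; count[proto] = 0
            next
        }
        # Cipher line inside a section, e.g. "|       TLS_..._SHA (secp256r1) - A"
        proto != "" && /^[|] +TLS_[A-Z0-9_]+ / { count[proto]++ }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                printf "%s ciphers=%d\n", p, count[p]
                if (p == "TLSv1.2" || p == "TLSv1.3") modern = 1
                else if (p == "TLSv1.0" || p == "TLSv1.1") old = 1
            }
            if (modern)   print "verdict: TLS 1.2 or later offered"
            else if (old) print "verdict: only deprecated TLS 1.0/1.1 offered"
            else          print "verdict: no TLS 1.0-1.3 section found"
        }'
}

# Constructed sample (not a real scan): a server limited to TLS 1.0 and 1.1.
sample_scan() {
    cat <<'EOF'
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     cipher preference: server
|_  least strength: C
EOF
}

sample_scan | tls_summary
```

Against a live host, pipe the scan from the reply into it: nmap --script ssl-enum-ciphers -p 443 <tgt> | tls_summary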


