bug-gnuzilla

From: jc_gargma
Subject: Re: [Bug-gnuzilla] Icecat SSL warning/error pages; what settings affect the production of these 'error' pages?
Date: Mon, 27 Feb 2017 03:24:34 -0800

> Error code: SSL_ERROR_UNSAFE_NEGOTIATION
This error is due to the site not supporting RFC 5746.
Without it the browser has no way of knowing whether the site is vulnerable to 
a potential MITM attack, and therefore assumes the connection is unsafe.

Contacting the site owners might help in the long run, though not all sites 
are receptive to unsolicited security advice.

In the meantime, if you really need to access those sites, you can toggle
security.ssl.require_safe_negotiation
to false in about:config.

> I did notice during one of these scenarios, that Firefox was reporting
> TLS1.0.  It led me to wonder if it is a settings issue on what level of ssl
> components are acceptable.
IceCat used to require at least TLS 1.2 by default.
It no longer does, but it's possible your settings are inherited from a 
previous version.
In such a case, you may also need to set
security.tls.version.min
to 1.

> In some cases, Icecat reports an unsafe/unencrypted session and no valid or
> invalid certificate is available, when Firefox states for the same page it
> is ok (and I can browse the certificate details etc).
> 
> Is Icecat set up by default to be less forgiving towards what it receives
> SSL wise, bearing in mind I have not changed any ssl related settings in
> either browser?
Yes, but TLS 1.2 and cipher settings have been relaxed in recent versions due 
to how many sites were broken by default.


-jc

Attachment: signature.asc
Description: This is a digitally signed message part.
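
What "supporting RFC 5746" means on the wire, as an added example that is not part of the original message: a server signals support by returning the renegotiation_info extension (type 0xff01) in its ServerHello, and a strict client treats its absence as an unsafe negotiation. The ServerHello bytes below are constructed sample input, and the function names are hypothetical.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746


def build_server_hello(extensions):
    """Build a constructed TLS 1.2 ServerHello handshake message (sample input)."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03"      # server_version: TLS 1.2
            + bytes(32)      # random (zeroed, constructed)
            + b"\x00"        # empty session_id
            + b"\xc0\x2f"    # cipher suite (constructed choice)
            + b"\x00")       # null compression
    if extensions:
        body += struct.pack("!H", len(ext)) + ext
    return b"\x02" + len(body).to_bytes(3, "big") + body


def server_hello_extensions(msg):
    """Return {extension_type: data} parsed from a ServerHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 38:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                 # skip version and random
    pos += 1 + body[pos]         # skip session_id
    pos += 2 + 1                 # skip cipher suite and compression method
    if pos == len(body):
        return {}                # legacy server: no extensions block at all
    (total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if pos + total != len(body):
        raise ValueError("bad extensions length")
    exts = {}
    while pos < len(body):
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        exts[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return exts


def safe_negotiation(msg):
    """True if the server acknowledged RFC 5746 on an initial handshake."""
    data = server_hello_extensions(msg).get(RENEGOTIATION_INFO)
    # On an initial handshake renegotiated_connection is empty: one 0x00 length byte.
    return data == b"\x00"
```

A ServerHello for which `safe_negotiation` returns False is the case the reply ties to SSL_ERROR_UNSAFE_NEGOTIATION when security.ssl.require_safe_negotiation is true.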
