[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-gnuzilla] Unable to browse https://gnupg.org/ with IceCat
|
From: |
Dimitris Arvanitis |
|
Subject: |
Re: [Bug-gnuzilla] Unable to browse https://gnupg.org/ with IceCat |
|
Date: |
Fri, 19 Feb 2016 10:01:10 +0100 |
Hallo!
I have this problem as well with Iceweasel and the user.js from
https://github.com/pyllyukko/user.js/ (Firefox hardening). So you mean
you can safely remove the last two lines quoted by you and then
gnupg.org would work?
Best regards,
Dimitris
Am Samstag, den 06.02.2016, 08:47 -0500 schrieb Mark H Weaver:
> Mark H Weaver <address@hidden> writes:
>
> > When I try to connect to https://gnupg.org/ with IceCat 38.6.0, I get
> > the following error:
> >
> > Secure Connection Failed
> >
> > An error occurred during a connection to gnupg.org. Cannot communicate
> > securely with peer: no common encryption algorithm(s). (Error code:
> > ssl_error_no_cypher_overlap)
> >
> > Epiphany is able to connect successfully.
> >
> > At first I thought that perhaps the web server at gnupg.org was poorly
> > configured, but apparently that's not the case. It seems to have an
> > excellent TLS configuration.
> >
> > I eventually found that the problem was caused by these lines in
> > data/settings.js in the gnuzilla source, which end up in
> > browser/app/profile/icecat.js in the IceCat source tarballs:
> >
> > // Avoid logjam attack
> > pref("security.ssl3.dhe_rsa_aes_128_sha", false);
> > pref("security.ssl3.dhe_rsa_aes_256_sha", false);
> > pref("security.ssl3.dhe_dss_aes_128_sha", false);
> > pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
> >
> > These lines disable several important cipher suites, despite the fact
> > that Logjam was fixed in every reputable system over 8 months ago.
> >
> > For now, users can work around this problem by going into about:config
> > and changing these settings to "true". I'm also going to remove these
> > customizations from the IceCat build in GNU Guix.
>
> After doing this, I discovered that the last two of those preferences
> above don't even exist anymore. In other words, the lines above
> actually *created* the "security.ssl3.dhe_dss_aes_128_sha" and
> "security.ssl3.dhe_rsa_des_ede3_sha" preferences, although apparently
> there's no code that actually looks at those settings.
>
> I used an online checker to verify that after this change, my IceCat
> browser is safe against the Logjam attack.
>
> Finally, note that the relevant code that needed to be patched here is
> NSS, which is bundled with IceCat itself and used by default. So, the
> only way that a user compiling IceCat could become vulnerable to Logjam
> is if they explicitly asked to use an external copy of NSS that was old
> and had not been patched.
>
> I think those lines should be removed from upstream IceCat.
>
> What do you think?
>
> Regards,
> Mark
>
> --
> http://gnuzilla.gnu.org
signature.asc
Description: This is a digitally signed message part