Bug#1005808: chromium: ERR_SSL_VERSION_OR_CIPHER_MISMATCH after upgrade to 98.0.4758.80

2022-02-20 Thread Benoît Panizzon
Hi Andres

> Thanks for the explanation. What happens if you run chromium with
> --tls1 ? That sets the min SSL version to TLSv1.0, although I'm not
> sure what changed within chromium to actually drop TLSv1 support; if
> it's a third party library, then the code to support it might just be
> gone.

Unfortunately --tls1 does not solve the issue.

I also found: https://chromestatus.com/feature/5759116003770368 which
explains they removed tls1.0 altogether with no way to bypass.

So I guess I have to switch to a different browser to access devices
with built-in ssl webserver which do not support anything else than
tls1 and sslv3

-Benoit-



Bug#1005808: chromium: ERR_SSL_VERSION_OR_CIPHER_MISMATCH after upgrade to 98.0.4758.80

2022-02-16 Thread Benoît Panizzon
Hi Andres

> I'm a bit confused by this bug report. Why do you need chromium 
> (presumably over https) talking to network hardware drivers? Or do
> you mean you have older network hardware where the firmware exposes
> an https port, and chromium no longer supports the older SSL
> protocols that the network hardware web server is trying to
> negotiate? What specific SSL versions are we talking about?

Sorry for the confusion. I wrote the report from a user point of view,
noticing that stuff was broken after the update and that it still
worked on a machine I had not yet updated.

I work for a telco. We have some equipment that is being used long past
its intended time. But also manufacturers often stick to old
technologies like java web applets.

So this is the ciphers supported by the affected webgui of one of our
core telephony switches:

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Broken cipher RC4 is deprecated by RFC 7465
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Forward Secrecy not supported by any cipher
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Broken cipher RC4 is deprecated by RFC 7465
|       Forward Secrecy not supported by any cipher
|_  least strength: C

I suppose TLSv1.0 and SSLv3 were completely ditched with the most recent
Chromium update.

I am aware that the SSL implementation is very unsafe, but that
equipment is in a corporate lan, not reachable from the internet
protected by additional ACL. IMHO chromium should somehow provide an
option to specify 'yes I know the risk, create an exception' to still
access such sites.

-- 
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
-- 
I m p r o W a r e   A G - Head of Commerce Customers

Zurlindenstrasse 29    Tel  +41 61 826 93 00
CH-4133 Pratteln       Fax  +41 61 826 93 01
Switzerland            Web  http://www.imp.ch
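
An added example, not part of the original message and not nmap's own code: a small Python parser for `ssl-enum-ciphers` output like the scan above. It flags services that offer nothing newer than TLSv1.0, so such devices can be inventoried for replacement or an isolated management path. The TLSv1.2 floor, the function names and the embedded sample (an abridged copy of the scan above) are assumptions.

```python
import re

# Protocol labels as ssl-enum-ciphers prints them, oldest first.
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_MODERN = "TLSv1.2"  # assumption: lowest version current browsers still accept

# Constructed sample: abridged copy of the scan quoted in the message.
SAMPLE = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|_  least strength: C
"""

def parse_ssl_enum(text):
    """Return {port: {protocol: [cipher, ...]}}; tolerant of lost indentation."""
    result, port, proto = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"^(\d+/tcp)\s+open\b", line):
            port, proto = m.group(1), None
            result[port] = {}
        elif port and (m := re.match(r"^\|[ _]+((?:SSL|TLS)v[\d.]+):\s*$", line)):
            proto = m.group(1)
            result[port][proto] = []
        elif proto and (m := re.match(r"^\|\s+((?:TLS|SSL)_\S+)\s.* - [A-F]\s*$", line)):
            result[port][proto].append(m.group(1))
    return result

def audit(text):
    """List (port, best protocol, RC4 suites) for services below MIN_MODERN."""
    findings, floor = [], ORDER.index(MIN_MODERN)
    for port, protos in parse_ssl_enum(text).items():
        if protos and all(ORDER.index(p) < floor for p in protos):
            best = max(protos, key=ORDER.index)
            weak = sorted({c for cs in protos.values() for c in cs if "RC4" in c})
            findings.append((port, best, weak))
    return findings

if __name__ == "__main__":
    for port, best, weak in audit(SAMPLE):
        print(f"{port}: best protocol {best}, RC4 suites: {weak}")
```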



Bug#962262: Acknowledgement (opendmarc fails many emails without apparent reason)

2020-06-05 Thread Benoît Panizzon
Dear Maintainer

I think I got it. Maybe updating the manpage would be very helpful for
other people who stumble over the same problem.

DMARC needs to do an SPF check.

Well I have milter-greylist already performing SPF check, so I
configured what I thought would make opendmarc ignore the SPF check and
assuming an email that went that far already passed SPF check (which is
true in my case).

Now I understand, opendmarc needs to do SPF check itself. Only this way
the result ever returns 'pass'.

SPFSelfValidate true

Problem solved.

I wonder if I could make milter-greylist create a header which would
satisfy opendmarc but I could not find any documentation of the
Authentication-Result: header.

-Benoît-



Bug#962262: Acknowledgement (opendmarc fails many emails without apparent reason)

2020-06-05 Thread Benoît Panizzon
Additional Infos:

History file entry of such a failing email:

job 055AOEWZ026900
reporter magma.woody.ch
received 1591352655
ipaddr 2a00:1450:4864:20::52c
from gmail.com
mfrom gmail.com
spf -1
pdomain gmail.com
policy 18
rua mailto:mailauth-repo...@google.com
pct 100
adkim 114
aspf 114
p 110
sp 113
align_dkim 5
align_spf 5
action 2