Hi Andres
> I'm a bit confused by this bug report. Why do you need chromium
> (presumably over https) talking to network hardware drivers? Or do
> you mean you have older network hardware where the firmware exposes
> an https port, and chromium no longer supports the older SSL
> protocols that the network hardware web server is trying to
> negotiate? What specific SSL versions are we talking about?
Sorry for the confustion. I wrote the report from a user point of view,
noticing that stuff was broken after the update and that it still
worked on a machine I had not yet updated.
I work for a telco. We have some equipment that is being used long past
it's intended time. But also manufacturers often stick to old
technologies like java web applets.
So this is the ciphers supported by the affected webgui of one of our
core telephony switches:
PORTSTATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| Broken cipher RC4 is deprecated by RFC 7465
| CBC-mode cipher in SSLv3 (CVE-2014-3566)
| Forward Secrecy not supported by any cipher
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| Broken cipher RC4 is deprecated by RFC 7465
| Forward Secrecy not supported by any cipher
|_ least strength: C
I suppose TLSv1.0 and SSLv3 was completely ditched with the most recent
Chromium update.
I am aware that the SSL implementation is very unsafe, but that
equipment is in a corporate lan, not reachable from the internet
protected by additional ACL. IMHO chromium should somehow provide an
option to specify 'yes I know the risk, create an exception' to still
access such sites.
--
Mit freundlichen Grüssen
-Benoît Panizzon- @ HomeOffice und normal erreichbar
--
I m p r o W a r e A G-Leiter Commerce Kunden
__
Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 PrattelnFax +41 61 826 93 01
Schweiz Web http://www.imp.ch
__