Friday, 5 July 2019

Re: TLS Security NS 3.8

On 05/07/2019 05:01, ferrite61@yahoo.com wrote:
> Little more than a week ago I posted about the Security Certs for NS 3.8. I was not aware at that time that NS 3.9 was already available (I was using a link provided for D/L of 3.8). Since there have been other bugs/problems, I thought to provide the actual results. The location of this Qualys Client Test is
>
> https://www.ssllabs.com/ssltest/viewMyClient.html
>
> Presuming the Certs are within NS 3.8, it would appear that the "weak" certs be removed for added security. I did not receive an answer to the question if the certs are tapped from the Distribution or the Browser. So, here are the results...

This test does nothing with certificates. However, the answer as to
which certificates get used depends upon the platform you are using. If
Linux, it will, by default, use the standard system-wide CA certificate
store (usually found in /etc/ssl/certs).

>
> Protocols
> TLS 1.3 No
> TLS 1.2 Yes*
> TLS 1.1 Yes*
> TLS 1.0 Yes*
> SSL 3 Yes*
> SSL 2 No

These are not an accurate reflection of reality -- the test relies on
support for more JavaScript (and associated things) than NetSurf has.

NetSurf supports TLS1.0/1.1/1.2. SSL2/3 are disabled. TLS1.2 will always
be used by preference.

> Cipher Suites (in order of preference)
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Forward Secrecy 256
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Forward Secrecy 256
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) WEAK 256
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) WEAK 256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) WEAK 128
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) WEAK 128
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) Forward Secrecy 256
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) WEAK 256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) Forward Secrecy 128
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) WEAK 128
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) WEAK 256
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) WEAK 256
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) WEAK 128
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) WEAK 128
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) WEAK 256
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) WEAK 128
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff) -
> (1) When a browser supports SSL 2, its SSL 2-only suites are shown only on the very first connection to this site. To see the suites, close all browser windows, then open this exact page directly. Don't refresh.

Qualys currently marks all CBC ciphersuites as "weak", as a result of a
preponderance of padding oracle issues in implementations. If built
against a modern OpenSSL, there are no currently known issues here. CBC
suites will remain enabled in NetSurf until such time as they are not
required for compatibility with web servers that don't support GCM.


J.
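
An added example, not part of the original email or NetSurf's code: a small Python parser for the cipher-suite lines of the quoted report, checking that the "WEAK" label tracks CBC mode, as the reply says, rather than key size or key exchange. The function names are illustrative, and the sample lines are a subset copied from the report above.

```python
import re

# Subset of the lines in the quoted Qualys client report above.
REPORT = """\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) WEAK 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff) -
"""

# Optional "> " quote prefix, suite name, hex id, label, optional key size.
LINE = re.compile(r"^(?:>\s*)?(TLS_\w+) \((0x[0-9a-f]+)\)\s+(.*?)\s*(\d+)?$")

def parse_suite(line):
    """Split one report line into its fields plus properties derived from the name."""
    m = LINE.match(line.strip())
    if not m or "_WITH_" not in m.group(1):   # skip non-suite lines and the SCSV
        return None
    name, code, label, bits = m.groups()
    kx, cipher = name[4:].split("_WITH_")     # e.g. "ECDHE_RSA", "AES_256_CBC_SHA384"
    mode = "CBC" if "_CBC_" in cipher else "GCM" if "_GCM_" in cipher else "other"
    return {
        "name": name, "id": int(code, 16), "label": label,
        "bits": int(bits) if bits else None, "kx": kx, "mode": mode,
        "ephemeral": kx.startswith(("ECDHE_", "DHE_")),  # forward-secret key exchange
    }

def suites(report):
    return [s for s in map(parse_suite, report.splitlines()) if s]

def label_mismatches(report):
    """Suites where the WEAK label and CBC mode do not coincide."""
    return [s["name"] for s in suites(report)
            if (s["label"] == "WEAK") != (s["mode"] == "CBC")]

def weak_with_forward_secrecy(report):
    """Suites marked WEAK even though their key exchange is ephemeral."""
    return [s["name"] for s in suites(report)
            if s["label"] == "WEAK" and s["ephemeral"]]

if __name__ == "__main__":
    print("label/mode mismatches:", label_mismatches(REPORT))
    print("WEAK but forward-secret:", weak_with_forward_secrecy(REPORT))
```
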
