Opened 2 years ago

Last modified 2 years ago

#2260 new bug

Unable to log to www with elinks, works on beta (as 2015-01-14)

Reported by: leoalone Owned by:
Priority: major Milestone: unassigned
Component: ServerSetup Keywords:
Cc:

Description (last modified by leoalone)

Trying to log in to http://www.bewelcome.org with elinks (textual browser), which used to work at least until the last time I tried it, you cannot log in since it gives a 403 error.
If you try to go directly to https://www.bewelcome.org you immediately get a 403 error.
If I try https://beta.bewelcome.org, on the other hand, everything works almost perfectly.
Apparently the only difference is in these lines in the Apache config, present on www but not on beta:

  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECD

This has been added to force the use of stronger encryption, but it could lead to problems for people who want to use a very, very light and very low-bandwidth browser. At the same time it could create problems for people using an old browser, possibly on a device for which updates are no longer issued!
See RFC 7435 for further details: https://www.rfc-editor.org/rfc/rfc7435.txt
Could we rethink this decision, or maybe being more sloppy on beta is enough for the very few people who do not have TLS 1.2 capable browsers?
Is it possible to put a warning somewhere on the page?
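A way to check which protocol versions a cipher string can serve, added here as an example and not part of the ticket or the site's configuration. It expands only the visible part of the `SSLCipherSuite` value quoted above (the rest is cut off and is not guessed) with the local OpenSSL build through Python's `ssl` module; the function names are assumptions of this example.

```python
import ssl

# Visible part of the SSLCipherSuite value quoted in the ticket; the rest of
# the string is cut off on the page and is deliberately not guessed here.
VISIBLE_CIPHER_STRING = "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM"

# Protocol labels OpenSSL reports for suites usable before TLS 1.2.
PRE_TLS12 = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def expand(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL build.

    Returns (name, protocol) pairs, where protocol is the protocol version
    that first defined the suite. TLS 1.3 suites are skipped: they are
    configured separately and set_ciphers() does not affect them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def usable_before_tls12(suites):
    """Names of suites a client without TLS 1.2 could still negotiate."""
    return [name for name, proto in suites if proto in PRE_TLS12]


def report(cipher_string):
    """Print the expanded list and return (suites, legacy-usable names)."""
    suites = expand(cipher_string)
    legacy = usable_before_tls12(suites)
    for name, proto in suites:
        print(f"{proto:8} {name}")
    if legacy:
        print("Clients limited to TLS 1.0/1.1 can use:", ", ".join(legacy))
    else:
        print("No suite in this list is defined below TLS 1.2.")
    return suites, legacy


if __name__ == "__main__":
    report(VISIBLE_CIPHER_STRING)
```

Running `report()` on a candidate string before deploying it shows whether any suite remains for clients that stop at TLS 1.0 or 1.1, which is the compatibility question raised in this ticket.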

Change History (6)

comment:1 Changed 2 years ago by leoalone

  • Description modified (diff)

comment:2 Changed 2 years ago by leoalone

Update: the graphical browser of the Nokia 5800 also does not work on www, only on beta.

comment:3 Changed 2 years ago by shevek

Could you please check if the situation changed for these browsers on beta?

comment:4 Changed 2 years ago by leoalone

Now it is worse: it no longer works on beta either!

comment:5 Changed 2 years ago by shevek

@leo: With both browsers? I set an SSLCipherSuite yesterday to test something but the idea was to have one that is okay for old browsers as well. But I guess disallowing SSLv2 and SSLv3 doesn't help much in that regard.

comment:6 Changed 2 years ago by leoalone

Tried with the Nokia 5800: even that one fails with the new setup.
I would like to keep a version with more protocols for older browsers.

Even elinks has failed with this configuration.

Last edited 2 years ago by leoalone