Joel Maxuel j.maxuel at gmail.com
Thu Apr 18 07:31:52 ADT 2019

I have encountered the reverse problem with modern browsers.  Firefox and
chromium (and derivatives) don't like, or refuse to do TLS 1.0 at this
point (Firefox needs a few security options flipped to resolve this,
chromium has no workaround AFAIK).

FWIW, I do have a use case for this, and no, it's not for anything outside
my house, and for the times I use that browser otherwise, JavaScript
operates under a short whitelist.

Browsers change behaviour (Chrome has since moved or removed this detail
however if you can find the right version of any of the popular ones):

Example, slashdot now forwards HTTP traffic to HTTPS with "TLS 1.2, AES
with 256 bit encryption (High); ECDH_P384 with 256 bit exchange".

Alternatively, you can share (if comfortable in doing so) a couple websites
that you suspect have changed their base security settings (and we can look
at the HTTPS details).

Joel Maxuel

"One should strive to achieve, not sit in bitter regret."
 - Ronan Harris / Mark Jackson

On Thu, Apr 18, 2019 at 2:58 AM Mike Spencer <mspencer at tallships.ca> wrote:

> I'm encountering web sites that a browser won't talk to.  Variously,
> there's a report of a crypto mismatch or the remote site just closes
> the connection.
> Browsers both claim to support TLS 1.2.
> Are sites already requiring TLS 1.3? Or do some implementations use
> differing crypto protocols unsupported by others? Or something else?
> Is there a way, short of deciphering a packet sniffer's output (such
> as Wireshark) to get a report on what, exactly, happens in the setup
> negotiation for HTTPS?  wget(1) will report the HTTP headers but not what
> happens in the security setup phase.
> Is there a way to beat this up, understand what's going on, without
> reading a slew of RFCs?
> - Mike
> PS:
> I know, I know, "Do you have the latest browser available?"  No, I
> don't.  Every new version implements something I don't want that I
> have to try to disable or disables something I rely on forcing a
> work-around or abject submission.  I just learned about the "ping"
> attribute for anchor tags, one more thing to filter.
> --
> Michael Spencer                  Nova Scotia, Canada       .~.
>                                                            /V\
> mspencer at tallships.ca                                     /( )\
> http://home.tallships.ca/mspencer/                        ^^-^^
> _______________________________________________
> nSLUG mailing list
> nSLUG at nslug.ns.ca
> http://nslug.ns.ca/mailman/listinfo/nslug
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nslug.ns.ca/pipermail/nslug/attachments/20190418/96d2f3b7/attachment.html>

More information about the nSLUG mailing list