Disabling sslv3 and tlsv1

Gautam Naha
Hi 

Could somebody let me know if there is anything else that needs to be done on disabling sslv3 / tlsv1.

I have used sslEngineConfigurator.setEnabledProtocols(new String[]{"TLSv1.1","TLSv1.2"}) and tested OK with openssl to check if sslv3 and tlsv1 were indeed disabled.

But the issue is when browsers like Firefox try to access the webpage: it throws a message like "Connection Interrupted" and cannot show the web page. To my understanding the browser should be able to negotiate the highest level of tls (i.e. tls1.1 and tls1.2) with the server and the web page should have been displayed. I do not want the user to change any setting in the browser as this should work automatically.

The only browser that works OK is Chrome.

Please can somebody advise if there is some other stuff that needs to be done.
FYI, Firefox browser is ver 24.0.

thanks
Gautam
Re: Disabling sslv3 and tlsv1

Will Sargent
You should check with HowsMySSL:


Will Sargent
Consultant, Professional Services
Typesafe, the company behind Play Framework, Akka and Scala

Re: Disabling sslv3 and tlsv1

oleksiys
Administrator
In reply to this post by Gautam Naha
Hi,

Can you try a more recent Firefox? The one I have, 33.1, works fine; same
for Safari.

WBR,
Alexey.

Re: Disabling sslv3 and tlsv1

Gautam Naha
Thanks to all.

It seems the browser doesn't have tls1.1 and tls1.2 enabled and hence it was failing as those are the only ones enabled in the web server.

thanks
Gautam
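The per-version check discussed in this thread can also be done from Java itself. The following is an added example, not code from any poster or from Grizzly: the class name ProtocolProbe and the default host and port are assumptions. It offers the server exactly one protocol version per connection and records whether the handshake completes, which shows what a client limited to TLSv1 or older will see against a server that enables only TLSv1.1 and TLSv1.2.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper: probes which protocol versions a server will negotiate.
public class ProtocolProbe {
    static final String[] VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};

    static Map<String, String> probe(String host, int port) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        Map<String, String> results = new LinkedHashMap<>();
        for (String version : VERSIONS) {
            try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
                socket.connect(new InetSocketAddress(host, port), 5000);
                socket.setSoTimeout(5000);
                // Offer exactly one version so the server cannot pick another.
                socket.setEnabledProtocols(new String[]{version});
                socket.startHandshake();
                results.put(version, "accepted (" + socket.getSession().getProtocol() + ")");
            } catch (IllegalArgumentException e) {
                // This JVM does not know the protocol name at all.
                results.put(version, "not supported by this JVM");
            } catch (IOException e) {
                // Read the message: a local policy block (the JVM's
                // jdk.tls.disabledAlgorithms property) or an untrusted server
                // certificate also ends up here, not only a server-side refusal.
                results.put(version, "rejected: " + e.getMessage());
            }
        }
        return results;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults; pass the real host and port as arguments.
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        probe(host, port).forEach((v, r) -> System.out.println(v + ": " + r));
    }
}
```

For a server configured as in the first post, the expected pattern is SSLv3 and TLSv1 rejected and TLSv1.1 and TLSv1.2 accepted, provided the probing JVM itself still permits those versions.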