How do I change the TLS version in KM?

https://www.howsmyssl.com/ tells me K-Meleon only has TLS 1.0, when TLS 1.1 and 1.2 are both readily available.

I have looked in Configuration>>tls, which gives me

Quote

security.tls.version.max;1 and
security.tls.version.min;0

but no clues as to how I can increase the version level.

And searching this forum over the "Last Year" gives no results.

Gordon.

____________________
Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall" 01372 January 22, 2007 http://freefall.purrsia.com/ff1400/fv01372.htm]

Go URL about:config type "tls"

security.tls.version.max must be changed to 3 (it IMHO makes sence to do so)
if You want higher value and pass the test on that page by using TLS 1.2.

Background: In ESR 24 security.tls.version.max has the default settings like 1.
This is also used by most non Mozilla.org browsers based on that GRE.
Browsers based on ESR 31 will have security.tls.version.max;3 by default.

To pass test for Insecure Cipher Suites You have to deactivate some.


To find which use for example a nightly which supports only:

    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5

But deactivating them is IMHO a bad idea since the older deemed insecure give You a better (some at least) protection because they are governded by the implicit default setting that has the rule to always use the best available.



Edited 1 time(s). Last edit at 10/15/2014 10:40AM by guenter.

Thanks for that guenter.

I only had to disable one cipher, the rsa_fips_des_ede3_sha, and with the "upgrade" to TLS 1.2 now I have

Quote

Your SSL client is Probably Okay.

Gordon.

____________________
Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall" 01372 January 22, 2007 http://freefall.purrsia.com/ff1400/fv01372.htm]

Quote
gordon451
I only had to disable one cipher, the rsa_fips_des_ede3_sha, and with the "upgrade" to TLS 1.2 now I have

Quote

Your SSL client is Probably Okay.

Thx for the info.


Only the idea of setting max. TLS to 1.2 is IMHO ok.

While I consider to disable rsa_fips_des_ede3_sha nonsense.


The major rule is: use the highest available. A week cipher still is better than none.

The week cipher will only be used when nothing better is available.

So I would not intentionally cripple a week cipher.

IMHO that page gave You a wrong lead. That part of the test is bad because it does not take into account that many websites do not support the highest standarts.

So the optimum settings are not disable lower grade ciphers but support and use them if nothing better is available. So a good test must check what minimum and maximum is supported and whether the maximum available is favoured.

The test utterly failed to check whether the browser used the maximum available on the page.

Instead it denigrated a browser for supporting a still common/available week cipher.



Edited 1 time(s). Last edit at 10/15/2014 02:45PM by guenter.

Quote
guenter

The test utterly failed to check whether the browser used the maximum available on the page.

The test checks the encryption protocol used by the client:

Quote

Good Your client is using TLS 1.2, the most modern version of the encryption protocol.

The only reason the SSL client gets a "Bad" is because:

Quote

Your client supports cipher suites that are known to be insecure

To put it in context with that site, the SSL client should not support any of the cipher suites that are known to be insecure.

Edit
For better understanding:
The POODLE Attack and the End of SSL 3.0



Edited 1 time(s). Last edit at 10/15/2014 04:15PM by Yogi.

Guenter, the problem aren't the ciphers, it is the protocol.

Please, all, leave the ciphers as default.

I did not advocate to temper with the ciphers. You must have missunderstood me.


In view to the current state of popular sites there is IMHO no other way but set TLS to highest level and hope for the best on endangered sites which are many.

http://en.wikipedia.org/wiki/Transport_Layer_Security#Survey_of_websites


IMHO there is no point in setting security.tls.version.min to 1 or higher.
Because than You have no security on pages that are exploitable but where nobody currently tries with the tricks described.

Quote
guenter
IMHO there is no point in setting security.tls.version.min to 1 or higher.
Because than You have no security on pages that are exploitable but where nobody currently tries with the tricks described.

It has much point.

From now, the responsability in how response the server is in the server admins.

If SSLv3 is insecure, we shouldn't let them connect.

It's true that in the next weeks we will have sites with only SSLv3 working and not working with the pref set to 1, but after the release of Firefox 35 there will be complaints and server admins should change yes or yes.

I much agree.

As K-Mmelon users we are privileged to use different profiles for different sites.

Which is hard with other browsers.

So we can use max and min plus deactivated ciphers by profile/site.

Other browser would need an addon to do this.

But even for K-Meleon users it is much extra work till all is fixed on the server side.

p.s. I create a banking profile and not do more.



Edited 1 time(s). Last edit at 10/15/2014 06:52PM by guenter.

Do you know what is sad?

That after I read you I checked my bank site and if SSLv3 is disabled it doesn't work.

Should be the first on fix it and they (banking) are the latest

Your find is really and extremely disturbing.

Especially for us that can make an extra profile for our hopfully updated banking sites, sigh.

What can we do but complain to the site owners?

p.s. I am lucky - both Deutsche Bank and Sparkasse Hannover support min,1 max3.

Plus the reduced number of ciphers that will come with 34 (tested with nightly).

I checked after You posted Your sad news.



Edited 3 time(s). Last edit at 10/15/2014 07:34PM by guenter.

In KM1.6:
Google search does NOT work anymore if SSL3 is disabled.
(Update: now it suddenly works again, funny)
Amazon seems to work.

mobile twitter and facebook don't work since about 2 days, that's why I started to investigate in the first place, and now suspect the poodle may have to do with it. With or without SSL3, no chance.

Just curious, is it their servers, or do mobile.twitter.com and m.facebook.com work for you on KM74 which can use newer methods?

(In KM1.6 the responsible prefs are named differently, but guess the effect of blocking SSL3 should be the same)

Edit:
You know what's utterly crazy?!
Youtube-searches FAIL with SSL-error only if COOKIES are blocked!
Without cookies it insists to open results in a https page, otherwise http is allowed!
http://www.youtube.com/results?search_query=test&search_sort=video_date_uploaded



Edited 3 time(s). Last edit at 10/15/2014 08:21PM by siria.

Probably cipher error as they are requesting a handsake with it unavailable in the client side.

Does K-meleon 1.6 have these ciphers?
ECDHE-RSA-RC4-SHA ---- for google.com
ECDHE-RSA-AES128-SHA ---- for mobile.twitter.com

I had the second in the prefs from 1.6 as false in my old installation. I couldn't find the other.

No, it has neither :-/
There are two similar ones that were "false", but toggling true didn't help either.

Now that google suddenly works again (or was it somehow my fault??), I'm hoping they just changed their sever settings, and that mobile twitter and FB will soon start working too again...

Not sure why, but now everything works again, in KM1.6!

I did restart the browser for other reasons, but perhaps this had an influence? Perhaps after toggling SSL3 "off" something more is involved that only gets set after a restart? Or perhaps they did update their servers?
Anyway, glad it works again, doesn't matter which reasons :-)

Quote
Yogi

Edit
For better understanding:
The POODLE Attack and the End of SSL 3.0

The addon linked there seems to work for K-Meleon.

https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/

I installed it and checked. This adds this option too.
But it is not the only one for K-Meleon.
I prefer to set up a secure profile for banking etc.

But I still think that surfing without SSL 3 is not making anything better while many sites (a fraction of a 0.3 % or so is still many) offer nothing else. It is like going completely naked because malicious people can soil Your clothes.

This will not improve until the TLS downgrade protection mechanism SCSV arrives.

p.s. For K-Meleon there is also the option to create specific profiles with the needed security settings. Which is easily done - and not so hard as with Chrome or Firfox.



Edited 1 time(s). Last edit at 10/16/2014 04:47AM by guenter.