Need to update TLS configuration on update.vivaldi.com
-
The update feature in the Vivaldi browser uses the Windows SCHANNEL library (instead of the browser's built-in NSS library) for the secure connection to update.vivaldi.com. The Nginx server on update.vivaldi.com uses a weak 1024-bit key exchange for DHE cipher suites and also a common DH prime. These settings are not secure (see Weak Diffie-Hellman and the Logjam Attack).
On my system, SCHANNEL settings are hardened and reject Diffie-Hellman primes smaller than 2048-bit, which is why I cannot use the auto-update.
Please update your Diffie-Hellman prime on the update.vivaldi.com server to a modern custom 2048-bit prime (Guide to Deploying Diffie-Hellman for TLS).
This will serve the safety of all users. SSL Server Test by Qualys SSL Labs report:
-
Hmm, it's weird.
Windows XP's SCHANNEL supports only TLS 1.0 and the following ciphersuites:

    TLS_RSA_WITH_RC4_128_MD5 (0x0004)
    TLS_RSA_WITH_RC4_128_SHA (0x0005)
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    TLS_RSA_WITH_DES_CBC_SHA (0x0009)
    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
    TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
    TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
    TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)

All DHE ciphersuites in this list (those that use Diffie-Hellman key exchange) use DSS authentication, i.e. the certificates carry DSS keys. update.vivaldi.com doesn't support DSS ciphersuites at all. Windows XP can use only the TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) ciphersuite to connect to the server (of those supported by the server side). I tested this on two Windows XP SP3 machines with all natively available Windows updates.

Example of a TLS handshake when connecting to update.vivaldi.com (from the Wireshark sniffer):

    Internet Protocol Version 4, Src: 192.168.xxx.xxx, Dst: 82.221.99.163
    Transmission Control Protocol, Src Port: 1045 (1045), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 77
    Secure Sockets Layer
        TLSv1 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.0 (0x0301)
            Length: 72
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 68
                Version: TLS 1.0 (0x0301)
                Random
                Session ID Length: 0
                Cipher Suites Length: 22
                Cipher Suites (11 suites)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                    Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
                    Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
                    Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
                    Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
                    Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
                    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                    Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
                    Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)
                Compression Methods Length: 1
                Compression Methods (1 method)
                Extensions Length: 5
                Extension: renegotiation_info
-
-
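The observation in the reply above, checked in code (an added example, not part of the original posts): it rebuilds the ClientHello from the Wireshark capture, parses the offered cipher suites, and shows that every DHE suite offered authenticates with DSS. The Random field is filled with constructed zero bytes, and the function names are hypothetical.

```python
import struct

# Suite IDs and names exactly as listed in the capture, in the order offered.
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
}

def build_client_hello():
    """Rebuild the captured TLS 1.0 record; the Random bytes are constructed (zeros)."""
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (b"\x03\x01" + bytes(32) + b"\x00"          # version, random, empty session ID
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                              # one compression method: null
            + b"\x00\x05" + b"\xff\x01\x00\x01\x00")   # extensions: renegotiation_info
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_cipher_suites(record):
    """Return the cipher suite IDs offered in a single-record ClientHello."""
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or rec_len != len(record) - 5:
        raise ValueError("not a complete handshake record")
    hs = record[5:]
    if hs[0] != 1 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a complete ClientHello")
    pos = 4 + 2 + 32                  # skip handshake header, version, random
    pos += 1 + hs[pos]                # skip session ID
    (n,) = struct.unpack_from("!H", hs, pos)
    pos += 2
    if n % 2 or pos + n > len(hs):
        raise ValueError("bad cipher suite list length")
    return [struct.unpack_from("!H", hs, pos + i)[0] for i in range(0, n, 2)]

def dhe_auth_types(suite_ids):
    """Map each offered DHE suite name to its authentication algorithm."""
    return {SUITES[s]: SUITES[s].split("_")[2] for s in suite_ids
            if SUITES.get(s, "").startswith("TLS_DHE_")}

if __name__ == "__main__":
    print(dhe_auth_types(parse_cipher_suites(build_client_hello())))
```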