Need update TLS configuration on

  • Update feature in Vivaldi browser using Windows SCHANNEL library(instead of built-in browser's NSS library) for secure connection to Nginx server on using weak 1024 bit key exchange for DHE cypher suites and also common DH prime. These settings are not secure Weak Diffie-Hellman and the Logjam Attack.

    On my system, SCHANNEL settings hardened and reject Diffie-Hellman primes smaller than 2048-bit, which is why I cannot use the auto-update.

    Please update your Diffie-Hellman prime on server to modern custom 2048-bit prime. (Guide to Deploying Diffie-Hellman for TLS.

    This will serve the safety of all users. SSL Server Test by Qualys SSL Labs report:

  • Moderator

    Was reported to server admins at Vivaldi by me.

  • Moderator

    Admin says that these config/ciphers are needed for Windows XP's SSL support.

  • Hmm, it's weird.
    Windows XP`s SCHANNEL support only TLS 1.0 and (following ciphersuits):

    TLS_RSA_WITH_RC4_128_MD5 (0x0004)
    TLS_RSA_WITH_RC4_128_SHA (0x0005)
    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
    TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
    All DHE ciphersuits in this list(in which uses Diffie-Hellman key exchange) using DSS authentication, i.e. the certificates carry DSS keys. doesn't support DSS ciphersuits at all.
    Windows XP can use only TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) ciphersuit to connect server(from supported by server side).
    I test this on two Windows XP SP3 machines with all native available Windows updates.
    Example of TLS handshake when connecting to Wireshark sniffer):
    Internet Protocol Version 4, Src:, Dst:
    Transmission Control Protocol, Src Port: 1045 (1045), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 77
    Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 72
    Handshake Protocol: Client Hello
    Handshake Type: Client Hello (1)
    Length: 68
    Version: TLS 1.0 (0x0301)
    Session ID Length: 0
    Cipher Suites Length: 22
    Cipher Suites (11 suites)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
    Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
    Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
    Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
    Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
    Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
    Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)
    Compression Methods Length: 1
    Compression Methods (1 method)
    Extensions Length: 5
    Extension: renegotiation_info`

  • Moderator

    TLS ciphers are fine now for

  • Moderator

Log in to reply

Looks like your connection to Vivaldi Forum was lost, please wait while we try to reconnect.