Need to update TLS configuration on

  • The update feature in the Vivaldi browser uses the Windows SCHANNEL library (instead of the browser's built-in NSS library) for the secure connection to the Nginx server on using a weak 1024-bit key exchange for DHE cipher suites and also a common DH prime. These settings are not secure ( [url=]Weak Diffie-Hellman and the Logjam Attack[/url] ). On my system the SCHANNEL settings are hardened and reject Diffie-Hellman primes smaller than 2048 bits, which is why I cannot use the auto-update. Please update the Diffie-Hellman prime on the server to a modern custom 2048-bit prime ( [url=]Guide to Deploying Diffie-Hellman for TLS[/url] ). This will serve the safety of all users. SSL Server Test by Qualys SSL Labs report:

    This was reported to the server admins at Vivaldi by me.

    The admin says that this config/these ciphers are needed for Windows XP's SSL support.

  • Hmm, it's weird.
    Windows XP's SCHANNEL supports only TLS 1.0 and the following cipher suites:

    TLS_RSA_WITH_RC4_128_MD5 (0x0004)
    TLS_RSA_WITH_RC4_128_SHA (0x0005)
    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
    TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)

    All DHE cipher suites in this list (which use Diffie-Hellman key exchange) use DSS authentication, i.e. the certificates carry DSS keys. doesn't support DSS cipher suites at all.
    Windows XP can use only the TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) cipher suite to connect to the server (from those supported on the server side).
    I tested this on two Windows XP SP3 machines with all natively available Windows updates.
    Example of the TLS handshake when connecting to (Wireshark sniffer capture):

    Internet Protocol Version 4, Src:, Dst:
    Transmission Control Protocol, Src Port: 1045 (1045), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 77
    Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 72
    Handshake Protocol: Client Hello
    Handshake Type: Client Hello (1)
    Length: 68
    Version: TLS 1.0 (0x0301)
    Session ID Length: 0
    Cipher Suites Length: 22
    Cipher Suites (11 suites)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
    Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
    Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
    Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
    Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
    Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
    Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)
    Compression Methods Length: 1
    Compression Methods (1 method)
    Extensions Length: 5
    Extension: renegotiation_info
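Added example, not code from this thread: a small Python parser that rebuilds a TLS 1.0 ClientHello with the layout of the capture above (record length 72, handshake length 68, 11 suites, one compression method, a 5-byte renegotiation_info extension), extracts the offered cipher suites and groups them by whether they are export-grade or depend on the server's DH prime. The random field and the extension body are constructed placeholder bytes, not captured data.

```python
import struct

# Names for the 11 suites Windows XP offered in the capture above.
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA", 0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5", 0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
}
XP_SUITES = list(SUITE_NAMES)  # insertion order matches the capture

def build_client_hello(suites):
    """Constructed TLS 1.0 ClientHello record; random and extension body are placeholders."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00"        # client_version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # compression methods: null only
    body += b"\x00\x05" + b"\xff\x01\x00\x01\x00"       # extensions length 5: renegotiation_info
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello(1), 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return the record version and the offered cipher suite ids from a raw TLS record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                       # skip client_version and random
    pos += 1 + body[pos]               # skip session id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    return {"version": (record[1], record[2]), "suites": suites}

def classify(suite_id):
    """'export' = export-grade (weak regardless of the server), 'dhe' = strength rests on
    the server's DH prime, 'rsa' = RSA key transport."""
    name = SUITE_NAMES.get(suite_id, "unknown_%04x" % suite_id)
    if "EXPORT" in name:
        return "export"
    return "dhe" if "DHE" in name else "rsa"

def summarize(record):
    """Group the offered suites so a defender sees what a 1024-bit server DH prime affects."""
    groups = {"export": [], "dhe": [], "rsa": []}
    for s in parse_client_hello(record)["suites"]:
        groups[classify(s)].append(SUITE_NAMES.get(s, "unknown_%04x" % s))
    return groups
```

Running `summarize(build_client_hello(XP_SUITES))` shows that of the 11 suites only four are non-export RSA suites, two rest on the server's DH prime, and the remaining five are export-grade.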