Need to update TLS configuration on update.vivaldi.com



  • The update feature in the Vivaldi browser uses the Windows SCHANNEL library (instead of the browser's built-in NSS library) for the secure connection to update.vivaldi.com. The Nginx server on update.vivaldi.com uses a weak 1024-bit key exchange for DHE cipher suites and also a common DH prime. These settings are not secure (Weak Diffie-Hellman and the Logjam Attack: https://weakdh.org). On my system the SCHANNEL settings are hardened and reject Diffie-Hellman primes smaller than 2048 bits, which is why I cannot use the auto-update. Please update the Diffie-Hellman prime on the update.vivaldi.com server to a modern custom 2048-bit prime (Guide to Deploying Diffie-Hellman for TLS: https://weakdh.org/sysadmin.html). This will serve the safety of all users. SSL Server Test by Qualys SSL Labs report: https://www.ssllabs.com/ssltest/analyze.html?d=update.vivaldi.com


  • Moderator

    Was reported to server admins at Vivaldi by me.


  • Moderator

    Admin says that these config/ciphers are needed for Windows XP's SSL support.



  • Hmm, it's weird.
    Windows XP's SCHANNEL supports only TLS 1.0 and the following cipher suites:

    TLS_RSA_WITH_RC4_128_MD5 (0x0004)
    TLS_RSA_WITH_RC4_128_SHA (0x0005)
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    TLS_RSA_WITH_DES_CBC_SHA (0x0009)
    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
    TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
    TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
    TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)

    All DHE cipher suites in this list (those that use Diffie-Hellman key exchange) use DSS authentication, i.e. the certificates carry DSS keys.
    update.vivaldi.com doesn't support DSS cipher suites at all.
    Windows XP can use only the TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) cipher suite to connect to the server (of those supported by the server side).
    I tested this on two Windows XP SP3 machines with all natively available Windows updates.
    Example of the TLS handshake when connecting to update.vivaldi.com (from the Wireshark sniffer):

    Internet Protocol Version 4, Src: 192.168.xxx.xxx, Dst: 82.221.99.163
    Transmission Control Protocol, Src Port: 1045 (1045), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 77
    Secure Sockets Layer
        TLSv1 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.0 (0x0301)
            Length: 72
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 68
                Version: TLS 1.0 (0x0301)
                Random
                Session ID Length: 0
                Cipher Suites Length: 22
                Cipher Suites (11 suites)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                    Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
                    Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
                    Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
                    Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
                    Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
                    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                    Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
                    Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)
                Compression Methods Length: 1
                Compression Methods (1 method)
                Extensions Length: 5
                Extension: renegotiation_info
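
Added example, not part of the original thread: a small Python parser that rebuilds a ClientHello record with the field layout of the capture above and reports which certificate key type each offered DHE suite requires. The record is constructed (Random is zeroed, it is not the captured packet) and the function names are hypothetical.

```python
import struct

# Suite IDs and names as listed in the post above, in the order offered.
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
}

def build_sample_record():
    """Constructed ClientHello with the capture's layout; Random is zeroed."""
    suites = b"".join(struct.pack("!H", s) for s in SUITE_NAMES)
    body = (b"\x03\x01" + bytes(32) + b"\x00"        # version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                             # one compression method: null
            + b"\x00\x05" + b"\xff\x01\x00\x01\x00")  # renegotiation_info extension
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_suites(record):
    """Return the cipher suite IDs offered in a single-record TLS ClientHello."""
    ctype, _ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or rec_len != len(record) - 5 or record[5] != 1:
        raise ValueError("not a complete ClientHello record")
    pos = 5 + 4 + 2 + 32                              # record/handshake hdr, version, random
    pos += 1 + record[pos]                            # skip session id
    (n,) = struct.unpack_from("!H", record, pos)
    if n % 2 or pos + 2 + n > len(record):
        raise ValueError("bad cipher suite vector")
    return list(struct.unpack_from("!%dH" % (n // 2), record, pos + 2))

def dhe_auth_types(record):
    """Map each offered DHE suite to the certificate key type its name requires."""
    names = [SUITE_NAMES.get(s, "") for s in offered_suites(record)]
    return {n: n.split("_")[2] for n in names if n.startswith("TLS_DHE_")}

if __name__ == "__main__":
    print(dhe_auth_types(build_sample_record()))
```

The constructed record comes out at 77 bytes with a 72-byte record payload and a 68-byte handshake body, the same lengths Wireshark shows above, and every DHE suite in it maps to DSS.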

