Alice Wonder wrote:
> On 02/10/2017 12:34 PM, James B. Byrne wrote:
>>
>> On Fri, February 10, 2017 06:26, Patrick Begou wrote:
>>> Hello
>>>
>>> I have more and more trouble using Firefox in a professional
>>> environment with CentOS6. The latest version is 45.7.0 but I can't
>>> use it anymore to access some old server hardware (IDRAC7 of DELL
>>> C6100) because of /SSL_ERROR_WEAK_SERVER_CERT_KEY/. I had to install
>>> an old Firefox32 version to administrate these servers.
>>>
>>> Today I upgraded the firmware of 2 DELL switches and now Firefox
>>> cannot connect to them anymore, saying: /An error occurred during a
>>> connection to xxx.xxx.xxx.xxx. The server rejected the handshake
>>> because the client downgraded to a lower TLS version than the server
>>> supports/ /SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT/
>>>
>>> Is there a CentOS6 recommended web browser allowing continuous
>>> connections to old and new base level (and local) system
>>> administration services?
>>>
>>
>> This situation arises because older, dare I say old, equipment
>> released with embedded software and using http/https as the
>> administrative front end was shipped with minimally compliant X.509
>> certificates. Often self-signed with 1kb keys and MD5 signature
>> hashes. Not to mention many are past their expiry dates.
>>
>> However, given the revelations of state-sanctioned snooping on network
>> traffic, browsers are being pushed to implement increased compliance
>> checking for the overall security of users. Firefox is simply
>> implementing what various 'authorities' are recommending as secure
>> practices with respect to authentication using PKI and X.509
>> certificates.
>>
>> The present situation is a PIA. It could be a lot more user-friendly
>> if FF so chose. They could have easily allowed one to turn off these
>> advanced compliance checks for specific IP and DNS addresses so that
>> the intended benefit remained but the interference with existing
>> infrastructure was minimised.
>>
>> But, FF is on its own chosen path to oblivion and the idea of
>> compromise is totally absent from their project plan.
>>
>
> IMHO Firefox is doing the right thing. Compromises in policy are how
> system compromises often happen.
>
> If you can change the setting to be more forgiving of certain bad
> vendors, then so can malware.

In this situation the working solution is the worst one: disabling https and re-enabling http on these devices.

> What we really need to do is demand better from the manufacturers of
> products we use in a "professional environment" - and it is extremely
> important we demand better from them now, during the dawn of IoT.
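The certificate properties named in the thread (1kb keys, MD5 signature hashes, past expiry dates, self-signed) can be checked across a device inventory from the text printed by `openssl x509 -noout -text`. This is an added example, not part of the original messages; the function name, the policy thresholds and the sample certificate text are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Policy thresholds are assumptions of this example, not Firefox's exact limits.
MIN_RSA_BITS = 2048
WEAK_SIG_HASHES = ("md5", "sha1")

# Constructed sample in the layout printed by `openssl x509 -noout -text`.
SAMPLE_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=mgmt-device.example
        Validity
            Not Before: Jan  1 00:00:00 2010 GMT
            Not After : Jan  1 00:00:00 2015 GMT
        Subject: CN=mgmt-device.example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

def audit_cert_text(text, now=None):
    """Return a list of findings for one certificate text dump."""
    now = now or datetime.now(timezone.utc)
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if sig and any(h in sig.group(1).lower() for h in WEAK_SIG_HASHES):
        findings.append("weak-signature:" + sig.group(1))
    bits = re.search(r"Public[- ]Key:\s*\((\d+) bit\)", text)
    if bits and int(bits.group(1)) < MIN_RSA_BITS:
        findings.append("weak-key:%s-bit" % bits.group(1))
    end = re.search(r"Not After\s*:\s*(.+?)\s+GMT", text)
    if end:
        not_after = datetime.strptime(end.group(1), "%b %d %H:%M:%S %Y")
        if not_after.replace(tzinfo=timezone.utc) < now:
            findings.append("expired:" + not_after.date().isoformat())
    issuer = re.search(r"Issuer:\s*(.+)", text)
    subject = re.search(r"Subject:\s*(.+)", text)
    # Issuer equal to subject means self-issued, the usual sign of a self-signed cert.
    if issuer and subject and issuer.group(1).strip() == subject.group(1).strip():
        findings.append("self-issued")
    return findings

if __name__ == "__main__":
    for finding in audit_cert_text(SAMPLE_TEXT):
        print(finding)
```

Running this against each management interface before a browser or firmware upgrade shows which devices need a regenerated certificate rather than a fallback to plain http.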