Couple of quick tech updates

Martin Blank
Knower of Things
Posts: 12575
Joined: Fri Feb 07, 2003 4:11 am
Real Name: Jarrod Frates
Gender: Male
Location: Dallas, TX

Couple of quick tech updates

Post by Martin Blank » Sat Feb 06, 2016 7:26 pm

I know I haven't been around for a while. Work and some other things have gotten in the way, and figuring out work/life balance is hard.

But I wanted to throw an update here because of some changes to the server configuration for RLF. I don't think these will cause problems for most people, but there's a chance of some outliers.

First, I changed the TLS certificate over to Let's Encrypt! to get a better, free certificate. It's only set for a few months for now (still in early roll-out phase), but I had to update it anyway as it would have expired a few hours from when I'm writing this post, so better to go with the easy, script-based method instead of the really annoying private certificate renewal process required by StartSSL.

Second, I changed the HSTS config to include the "preload" tag and submitted it for inclusion into the HSTS preload list that is used by all the major browsers now (except IE10 on Vista, but I don't consider that major) to check before even trying a connection for the first time to see if it should be encrypted.

Finally, and possibly a potential sticking issue, is that I have disabled TLSv1.0 and 1.1. I don't think this will cause too many problems (v1.2 has been supported in the major browsers, including IE10 on Vista, for some time now), but there may be some people trying to connect on pre-4.4 Android phones and a few other cases, in which case it might not work. If there are many issues with this, I'll change it back. (Windows XP is also now pretty much out, but there's essentially no XP traffic coming in, and I don't have much sympathy for those still using it voluntarily.)

I am going to be doing some other changes in the near future, probably in March, including upgrading the board to phpBB 3.1 to ensure ongoing patch support. That will mean the loss of the primary template, but there may be options to mitigate that a bit. We'll see.
If I show up at your door, chances are you did something to bring me there.
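The second change in the post, adding the "preload" directive and submitting the domain, only works if the header itself meets the preload list's rules. The check below is an added example written for this thread, not the board's configuration: it parses a Strict-Transport-Security header and reports what would block a submission. It assumes hstspreload.org's current thresholds (a max-age of at least one year, plus the includeSubDomains and preload directives); the minimum max-age has been raised since this post was written, so it is a parameter rather than a constant baked into the logic. The sample headers at the bottom are constructed.

```python
"""Check a Strict-Transport-Security header against the HSTS preload-list
submission rules. Added example for this thread; not the board's config.
Assumption: the thresholds are hstspreload.org's current ones (max-age of
at least one year, includeSubDomains, preload). The minimum max-age has
changed over time, so it is passed in as min_age.
"""
ONE_YEAR = 31536000  # seconds; the current hstspreload.org minimum for max-age


def parse_hsts(header):
    """Split 'max-age=...; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive and values may be quoted
    (RFC 6797 section 6.1), so names are lower-cased and quotes stripped."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_problems(header, min_age=ONE_YEAR):
    """Return the reasons a header would be rejected for preload, in a fixed
    order; an empty list means it passes the header-level checks modelled
    here. (The list's other rules, such as redirecting HTTP to HTTPS and
    serving every subdomain over TLS, concern the site, not this header.)"""
    d = parse_hsts(header)
    problems = []
    if "max-age" not in d:
        problems.append("missing max-age")
    else:
        try:
            age = int(d["max-age"])
        except ValueError:
            problems.append("max-age is not an integer")
        else:
            if age < min_age:
                # max-age=0 is the special case: it tells browsers to forget
                # the host, so it can never qualify for preload.
                problems.append(f"max-age {age} is below the minimum {min_age}")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


if __name__ == "__main__":
    # Constructed sample headers: a qualifying one, a too-short one, and one
    # that only sets max-age.
    for h in ("max-age=31536000; includeSubDomains; preload",
              "max-age=10886400; includeSubDomains; preload",
              "max-age=31536000"):
        print(f"{h!r}: {preload_problems(h) or 'ok for preload'}")
```

The one thing this cannot tell you is whether the header is actually reaching clients: it has to be sent on the HTTPS response for the bare domain, not only on a redirect, and once a domain is on the preload list, removing the header does not remove the entry, so shortening max-age later is not a way back.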

FirebirdNC
Mad Hatteras
Posts: 1909
Joined: Tue Feb 13, 2007 3:00 pm
Real Name: Jennifer
Gender: Female
Location: Hatteras,NC

Re: Couple of quick tech updates

Post by FirebirdNC » Sun Feb 07, 2016 2:05 am

As ever, fearless leader, we are glad that you still keep the cave warm and lit for the Troglodytes.
~Insert clever bon mot here~

Deacon
Shining Adonis
Posts: 44077
Joined: Wed Jul 30, 2003 3:00 pm
Gender: Male
Location: Lakehills, TX

Re: Couple of quick tech updates

Post by Deacon » Sun Feb 07, 2016 5:32 am

He does exist! He does exist!

All good changes as far as I'm concerned.

Apropos of nothing, except you two may enjoy this otherwise useless anecdote, but I called Greg yesterday out of the blue because I was considering picking up some fresh ahi steaks. I remembered that day in OBX when he made them with Dijon mustard and some pepper, and it was the best I'd ever had, but couldn't really remember what I may have been missing, and that was back when my culinary awareness was still fairly minimal. So even though he was almost about to put Harper down for a nap, he took the time and my call and said yeah that's about it. So it worked out great, and I got to take a trip down memory lane.
The follies which a man regrets the most in his life are those which he didn't commit when he had the opportunity. - Helen Rowland, A Guide to Men, 1922

FirebirdNC
Mad Hatteras
Posts: 1909
Joined: Tue Feb 13, 2007 3:00 pm
Real Name: Jennifer
Gender: Female
Location: Hatteras,NC

Re: Couple of quick tech updates

Post by FirebirdNC » Sun Feb 07, 2016 2:31 pm

Nice! I was just looking for a file a couple of days ago and came across the folder with all the Vegas pics in it. I paused and flipped through all of them so I took that stroll as well.
~Insert clever bon mot here~

Rorschach
The Immoral Immortal
Posts: 17606
Joined: Tue Feb 18, 2003 7:35 am
Gender: Male
Location: Glasgow, Scotland

Re: Couple of quick tech updates

Post by Rorschach » Mon Feb 08, 2016 8:56 am

FirebirdNC wrote:As ever fearless leader we are glad that you still keep the cave warm and lit for the Troglodytes.
Me too! Me too!

It's another thread which may as well be in French for all I understand it, but I've become quite used to being the resident bimbo on here. Tee hee.
To Let

BtEO
Crazy Person
Posts: 4758
Joined: Tue Feb 18, 2003 2:28 pm
Location: England

Re: Couple of quick tech updates

Post by BtEO » Wed Feb 17, 2016 2:52 pm

Oh hey, Opera actually released a new version of their Presto-based browser out of nowhere. Mainly to add support for a bunch of cipher suites that didn't exist when they made the switch to Chrome's WebKit engine.

But you know how I always liked to comment on problems with Opera, so for old time's sake here goes:

Firefox connects to the server with "[TLS 1.2] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" which Opera now supports[1]. But Opera still cannot connect. There're probably two separate problems.
  1. Opera was way ahead of the game supporting TLS 1.2, which means it encountered more problems. If I recall correctly as a result it reports TLS 1.0 before TLS 1.2 if both are available. Disabling TLS 1.0 in Opera gets around that but I don't know if that would break anything that doesn't play with TLS 1.2. Either way the server should only be throwing an error if TLS 1.2 is not supported — not if it's not the first option reported. I get an error:

    "Fatal Error (70) - Handshake failed because the server does not want to accept the enabled SSL/TLS protocol versions."

    from the server if TLS 1.0 is enabled regardless of whether TLS 1.2 is enabled or not.
  2. Secondly, even if I disable TLS 1.0 it still fails to connect with a different error:

    "Fatal Error (40) - Failed to connect to server. The reason may be that the encryption methods supported by the server are not enabled in the security preferences."

    Despite the same cipher suites that Firefox uses to connect being supported, the negotiation with Opera doesn't get to agreeing on that or any other suite for some reason.

While I've generally moved to Firefox for most things, Opera is still my RSS reader. This was a problem as some sites had switched their feeds to https and Opera couldn't access them anymore. Most notably Penny Arcade, which I can now connect to again, and which shows in Opera as "TLS v1.2 128 bit AES GCM (256 bit ECDHE_ECDSA/SHA-256)", i.e. the same thing.

Deacon
Shining Adonis
Posts: 44077
Joined: Wed Jul 30, 2003 3:00 pm
Gender: Male
Location: Lakehills, TX

Re: Couple of quick tech updates

Post by Deacon » Wed Feb 17, 2016 8:01 pm

Currently I appear to be running off cached DNS, because other computers and devices aren't working, both on this same wifi and just direct mobile data...
The follies which a man regrets the most in his life are those which he didn't commit when he had the opportunity. - Helen Rowland, A Guide to Men, 1922

Deacon
Shining Adonis
Posts: 44077
Joined: Wed Jul 30, 2003 3:00 pm
Gender: Male
Location: Lakehills, TX

Re: Couple of quick tech updates

Post by Deacon » Wed Feb 17, 2016 8:13 pm

Must be somewhat localized. Setting my DNS server to 8.8.8.8 allows it to resolve without issue.
The follies which a man regrets the most in his life are those which he didn't commit when he had the opportunity. - Helen Rowland, A Guide to Men, 1922

Martin Blank
Knower of Things
Posts: 12575
Joined: Fri Feb 07, 2003 4:11 am
Real Name: Jarrod Frates
Gender: Male
Location: Dallas, TX

Re: Couple of quick tech updates

Post by Martin Blank » Fri Feb 26, 2016 11:31 pm

Deacon wrote:Must be somewhat localized. Setting my DNS server to 8.8.8.8 allows it to resolve without issue.
No idea what that was about. RLF's IP address has been the same since November. Any system caching IP addresses that long has problems way out of my control.
BtEO wrote:Oh hey, Opera actually released a new version of their Presto-based browser out of nowhere. Mainly to add support for a bunch of cipher suites that didn't exist when they made the switch to Chrome's WebKit engine.

But you know how I always liked to comment on problems with Opera, so for old time's sake here goes:

Firefox connects to the server with "[TLS 1.2] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" which Opera now supports[1]. But Opera still cannot connect. There're probably two separate problems.
  1. Opera was way ahead of the game supporting TLS 1.2, which means it encountered more problems. If I recall correctly as a result it reports TLS 1.0 before TLS 1.2 if both are available. Disabling TLS 1.0 in Opera gets around that but I don't know if that would break anything that doesn't play with TLS 1.2. Either way the server should only be throwing an error if TLS 1.2 is not supported — not if it's not the first option reported. I get an error:

    "Fatal Error (70) - Handshake failed because the server does not want to accept the enabled SSL/TLS protocol versions."

    from the server if TLS 1.0 is enabled regardless of whether TLS 1.2 is enabled or not.
  2. Secondly, even if I disable TLS 1.0 it still fails to connect with a different error:

    "Fatal Error (40) - Failed to connect to server. The reason may be that the encryption methods supported by the server are not enabled in the security preferences."

    Despite the same cipher suites that Firefox uses to connect being supported, the negotiation with Opera doesn't get to agreeing on that or any other suite for some reason.

While I've generally moved to Firefox for most things, Opera is still my RSS reader. This was a problem as some sites had switched their feeds to https and Opera couldn't access them anymore. Most notably Penny Arcade, which I can now connect to again, and which shows in Opera as "TLS v1.2 128 bit AES GCM (256 bit ECDHE_ECDSA/SHA-256)", i.e. the same thing.
You're correct that Opera has always been an odd beast. The accepted cipher suites are:
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA
  • AES256-GCM-SHA384
  • AES128-GCM-SHA256
  • AES128:AES256
  • 3DES
(I need to trim and reorganize this list some, and get rid of the ECDSA, since I don't have a DSA cert.)

My guess is that Opera is requesting a traditional DHE negotiation, and for whatever reason doesn't have ECDHE enabled. You may also have non-DH connections blocked. I'll tweak this over the weekend and see if that fixes it.
If I show up at your door, chances are you did something to bring me there.
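BtEO's two Opera errors and the cipher list above describe two separate negotiation failures, and it helps to see both on one model. The block below is an added example written for this thread; it is not the board's server configuration, OpenSSL, or any browser's code. It models the server side of a TLS 1.0 to 1.2 handshake: the ClientHello carries a single client_version field (the highest version the client will speak) plus the client's ordered suite list, and the server either rejects the version outright (what Opera reports as Fatal Error 70) or walks its own preference list for the first suite the client also offered, failing with handshake_failure when there is none (Fatal Error 40). Because there is only one version field before TLS 1.3, a server that requires 1.2 cannot tell that a client announcing 1.0 could also have done 1.2; that is what makes the "TLS 1.0 before TLS 1.2" hypothesis in the thread a sufficient explanation for error 70. The server list, the RSA certificate (which makes every ECDHE-ECDSA suite in the posted list unusable), and the three client hellos are constructed for illustration; the Opera hellos encode the posters' hypotheses, not a capture.

```python
"""Toy model of TLS 1.0-1.2 version and cipher-suite negotiation, written as
an added example for this thread. It is not the board's server configuration
or any browser's code. It reproduces the two failure modes the posts describe:
the server refusing the protocol version (Opera's "Fatal Error (70)") and the
server finding no usable cipher suite (Opera's "Fatal Error (40)").
Suite names follow OpenSSL's naming as in the post; the server list, the
RSA certificate and the client hellos are constructed for illustration.
"""
from dataclasses import dataclass

# Record-layer version numbers: TLS 1.0 = 3.1, 1.1 = 3.2, 1.2 = 3.3
TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)
VERSION_NAMES = {TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}

# Hypothetical server policy after "disabled TLSv1.0 and 1.1": server
# preference order, ECDHE first, and an RSA certificate.
SERVER_MIN_VERSION = TLS12
SERVER_CERT_KEY = "RSA"
SERVER_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
]


@dataclass
class ClientHello:
    client_version: tuple   # one field: the highest version the client will speak
    cipher_suites: list     # the client's preference order


@dataclass
class ServerHello:
    version: tuple
    cipher_suite: str


class Alert(Exception):
    """A fatal TLS alert sent instead of a ServerHello."""
    def __init__(self, description):
        super().__init__(description)
        self.description = description


def usable_suites(suites, cert_key):
    """Drop suites the server cannot use with its certificate: ECDHE-ECDSA-*
    needs an EC key, every other suite in this list signs or encrypts with RSA."""
    return [s for s in suites if ("ECDSA" in s) == (cert_key == "EC")]


def suite_min_version(suite):
    """AEAD (GCM) suites and the SHA-256/SHA-384 MAC suites arrived with
    TLS 1.2 and cannot be negotiated at a lower version."""
    if "GCM" in suite or suite.endswith(("SHA256", "SHA384")):
        return TLS12
    return TLS10


def server_handshake(hello, suites=SERVER_SUITES, cert_key=SERVER_CERT_KEY,
                     min_version=SERVER_MIN_VERSION):
    """Server side of the handshake. Before TLS 1.3 the ClientHello carries
    one version number, so a server requiring 1.2 can only reject a hello
    that says 1.0; it cannot know the client would also accept 1.2."""
    if hello.client_version < min_version:
        raise Alert("protocol_version")
    version = min(hello.client_version, TLS12)
    offered = set(hello.cipher_suites)
    for suite in usable_suites(suites, cert_key):    # server preference wins
        if suite in offered and suite_min_version(suite) <= version:
            return ServerHello(version, suite)
    raise Alert("handshake_failure")


# Constructed client hellos for the scenarios in the thread.
FIREFOX = ClientHello(TLS12, ["ECDHE-ECDSA-AES128-GCM-SHA256",
                              "ECDHE-RSA-AES128-GCM-SHA256",
                              "ECDHE-RSA-AES256-SHA"])
# Hypothesis 1: Opera with TLS 1.0 enabled announces 1.0 as its version.
OPERA_TLS10_FIRST = ClientHello(TLS10, ["ECDHE-RSA-AES128-GCM-SHA256",
                                        "ECDHE-RSA-AES128-SHA"])
# Hypothesis 2: Opera announces 1.2 but offers only DHE / 3DES suites
# that the server does not list at all.
OPERA_NO_COMMON_SUITE = ClientHello(TLS12, ["DHE-RSA-AES128-GCM-SHA256",
                                            "DES-CBC3-SHA"])


def outcome(hello, **server_kw):
    """What the client ends up seeing: the agreed version and suite, or the alert."""
    try:
        sh = server_handshake(hello, **server_kw)
        return f"ok {VERSION_NAMES[sh.version]} {sh.cipher_suite}"
    except Alert as alert:
        return f"alert {alert.description}"


if __name__ == "__main__":
    for name, hello in [("firefox", FIREFOX),
                        ("opera, TLS 1.0 announced", OPERA_TLS10_FIRST),
                        ("opera, no common suite", OPERA_NO_COMMON_SUITE)]:
        print(f"{name:26s} {outcome(hello)}")
    # "If there are many issues with this, I'll change it back": re-enabling
    # TLS 1.0 lets the first Opera hello through, but only on a CBC suite.
    print(f"{'opera, server allows 1.0':26s} "
          f"{outcome(OPERA_TLS10_FIRST, min_version=TLS10)}")
```

Two things the model makes visible that the thread leaves implicit: Firefox lands on ECDHE-RSA-AES128-GCM-SHA256 even though it lists an ECDSA suite first, because the server's RSA certificate takes every ECDHE-ECDSA entry out of play (the trimming mentioned in the post changes nothing on the wire); and re-enabling TLS 1.0 to rescue an old client buys it only the non-GCM, SHA-1 suites, since the GCM and SHA-256 suites cannot be negotiated below 1.2 whatever the lists say.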

BtEO
Crazy Person
Posts: 4758
Joined: Tue Feb 18, 2003 2:28 pm
Location: England

Re: Couple of quick tech updates

Post by BtEO » Sat Feb 27, 2016 11:42 pm

Actually Opera seems to be working now, even though I still have TLS 1.0 enabled. Maybe something got cached that just needed to clear?

Martin Blank
Knower of Things
Posts: 12575
Joined: Fri Feb 07, 2003 4:11 am
Real Name: Jarrod Frates
Gender: Male
Location: Dallas, TX

Re: Couple of quick tech updates

Post by Martin Blank » Sat May 07, 2016 7:10 pm

Sorry about the certificate expiration. I'm working on a way to get all the sites on this server that use certs to update automatically once every six weeks or so.
If I show up at your door, chances are you did something to bring me there.

Deacon
Shining Adonis
Posts: 44077
Joined: Wed Jul 30, 2003 3:00 pm
Gender: Male
Location: Lakehills, TX

Re: Couple of quick tech updates

Post by Deacon » Sat May 07, 2016 7:42 pm

That's a pretty quick turnaround. I was getting the shakes waiting for the message to tell me that no posts match the search criteria (new posts).

I would've contacted you directly but I didn't know if it was the number ending in 87 or 65 that was current, as for some reason I have two numbers in my phone :)
The follies which a man regrets the most in his life are those which he didn't commit when he had the opportunity. - Helen Rowland, A Guide to Men, 1922

gravity
Crazy Person
Posts: 8688
Joined: Fri Feb 14, 2003 1:13 pm
Gender: Female
Location: Japan

Re: Couple of quick tech updates

Post by gravity » Mon May 09, 2016 5:18 am

I was wondering why Google was giving me the 'this site is hijacked and blocked' warning the other day. I feared that everything had disappeared into the nothingness and was lost and gone forever like that chick named after an orange.

Dark Byte
Crazy Person
Posts: 1
Joined: Wed Jun 18, 2003 8:06 am

Re: Couple of quick tech updates

Post by Dark Byte » Sun Aug 07, 2016 8:48 am

Looks like the certificate expired again ;)

Edit: Yeeh, my first post after registering. It only took me 13 years (I feel old)
