On 05/07/2019 05:01, ferrit...@yahoo.com wrote:
Little more than a week ago I posted about the Security Certs for NS 3.8. I was not aware at that time that NS 3.9 was already available (I was using a link provided for D/L of 3.8). Since there has been other bugs/problems, I thought to provide the actual results. The location of this Qualys Client Test is https://www.ssllabs.com/ssltest/viewMyClient.html Presuming the Certs are within NS 3.8, it would appear that the "weak" certs be removed for added security. I did not receive an answer to the question if the certs are tapped from the Distribution or the Browser. So, here are the results...
This test does nothing with certificates. However, the answer as to which certificates get used depends upon the platform you are using. If Linux, it will, by default, use the standard system-wide CA certificate store (usually found in /etc/ssl/certs).
Protocols TLS 1.3 No TLS 1.2 Yes* TLS 1.1 Yes* TLS 1.0 Yes* SSL 3 Yes* SSL 2 No
These are not an accurate reflection of reality -- the test relies on support for more Javascript (and associated things) than NetSurf has.
NetSurf supports TLS1.0/1.1/1.2. SSL2/3 are disabled. TLS1.2 will always be used by preference.
Cipher Suites (in order of preference) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Forward Secrecy 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Forward Secrecy 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) WEAK 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) WEAK 256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) WEAK 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) WEAK 128 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) Forward Secrecy 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) WEAK 256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) Forward Secrecy 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) WEAK 128 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) WEAK 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) WEAK 256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) WEAK 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) WEAK 128 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) WEAK 256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) WEAK 128 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128 TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff) - (1) When a browser supports SSL 2, its SSL 2-only suites are shown only on the very first connection to this site. To see the suites, close all browser windows, then open this exact page directly. Don't refresh.
Qualys currently marks all CBC ciphersuites as "weak", as a result of a preponderance of padding oracle issues in implementations. If built against a modern OpenSSL, there are no currently known issues here. CBC suites will remain enabled in NetSurf until such time as they are not required for compatibility with web servers that don't support GCM.
J.
