tech-security archive


Re: httpd vs TLS



On Wed, Mar 16, 2016 at 11:19:01PM +0100, Thomas Klausner wrote:
> I wanted to update the httpd running on wip.pkgsrc.org to one that
> supports https redirects.
> 
> So I copied the httpd directory from -current to wip (running NetBSD
> 7), built there and installed it.
> 
> Then I tried connecting to https://wip.pkgsrc.org and firefox went haywire.
> 
> First I got this:
> 
> https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean?redirectlocale=en-US&redirectslug=how-resolve-weak-crypto-error-messages-firefox
> 
> then I allowed it to "connect to wip.pkgsrc.org using outdated
> security" or something, and then it switched to
> 
> "Secure Connection Failed
> 
> An error occurred during a connection to wip.pkgsrc.org. The server rejected the handshake because the client downgraded to a lower TLS version than the server supports. Error code: SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT
> 
>     The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
>     Please contact the website owners to inform them of this problem.
> 
> Learn more…
> 
> Report errors like this to help Mozilla identify and block malicious sites
> "
> 
> I've now replaced it with the NetBSD 7 version of httpd, which doesn't
> throw these warnings.
> 
> Please choose the default SSL settings for httpd in such a way that it
> can be used without throwing errors in firefox.

I believe that the problem is that we deny TLSv1.

libexec/httpd/ssl-bozo.c:

--8<--
#ifndef BOZO_SSL_OPTIONS
#define BOZO_SSL_OPTIONS          \
  (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1)
#endif
-->8--

Any objections to turning it on?

Best Regards,
Mateusz Kocielski
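The Firefox message quoted above (SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT) is the client-side name for the inappropriate_fallback alert of RFC 7507 (TLS_FALLBACK_SCSV), which is a different failure from a plain "version not supported" rejection. The following model, added here for this thread and not code from bozohttpd, OpenSSL or Firefox, walks a ClientHello through an OpenSSL-style SSL_OP_NO_* mask such as BOZO_SSL_OPTIONS and the RFC 7507 rule, and shows which alert each kind of client attempt draws. The numeric option bits are made up for the model (only the names match), the server library is assumed to implement up to TLS 1.2, and the retry sequence at the bottom is an assumed client behaviour, not a trace of what Firefox sent to wip.pkgsrc.org.

```python
"""Model of TLS version negotiation under OpenSSL-style SSL_OP_NO_* masks
plus the RFC 7507 TLS_FALLBACK_SCSV rule.  Constructed example for the
tech-security thread on httpd vs TLS; not bozohttpd, OpenSSL or Firefox code."""

# Wire version numbers, so comparisons order the versions correctly.  SSLv2
# has its own record format; 0x0002 is only a placeholder for ordering.
SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2 = 0x0002, 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSLv2: "SSLv2", SSLv3: "SSLv3", TLSv1: "TLSv1",
         TLSv1_1: "TLSv1.1", TLSv1_2: "TLSv1.2"}

# SSL_OP_NO_* bits.  The values are made up for this model; only the names
# correspond to the OpenSSL options used in BOZO_SSL_OPTIONS.
SSL_OP_NO_SSLv2 = 1 << 0
SSL_OP_NO_SSLv3 = 1 << 1
SSL_OP_NO_TLSv1 = 1 << 2
SSL_OP_NO_TLSv1_1 = 1 << 3
SSL_OP_NO_TLSv1_2 = 1 << 4
NO_FLAG = {SSLv2: SSL_OP_NO_SSLv2, SSLv3: SSL_OP_NO_SSLv3, TLSv1: SSL_OP_NO_TLSv1,
           TLSv1_1: SSL_OP_NO_TLSv1_1, TLSv1_2: SSL_OP_NO_TLSv1_2}

# The mask quoted from libexec/httpd/ssl-bozo.c.
BOZO_SSL_OPTIONS = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1

# Assumption: the library the server links against implements up to TLS 1.2.
BUILT_WITH = [SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2]


def enabled_versions(options, built_with=BUILT_WITH):
    """Versions the server will negotiate: built-in ones not masked out."""
    return [v for v in built_with if not options & NO_FLAG[v]]


def server_response(options, client_version, fallback_scsv, built_with=BUILT_WITH):
    """Decide the server side of one ClientHello.

    client_version -- highest version the client offers (ClientHello.client_version)
    fallback_scsv  -- True if TLS_FALLBACK_SCSV is in the offered cipher suites
    Returns ("ok", negotiated_version) or ("alert", alert_name).
    """
    enabled = enabled_versions(options, built_with)
    if not enabled:
        return ("alert", "handshake_failure")
    # Ordinary negotiation: the highest enabled version not above the offer.
    acceptable = [v for v in enabled if v <= client_version]
    if not acceptable:
        # No common version.  RFC 7507 lets protocol_version take precedence
        # over the fallback check in this case.
        return ("alert", "protocol_version")
    # RFC 7507 section 3: a client that signals fallback while offering less
    # than the server's highest version is refused with inappropriate_fallback,
    # whether or not the lower version it offered is itself enabled.
    if fallback_scsv and client_version < max(enabled):
        return ("alert", "inappropriate_fallback")
    return ("ok", max(acceptable))


def fallback_sequence(options, attempts):
    """Replay a client's retry sequence.

    attempts is a list of (client_version, fallback_scsv) pairs; the result is
    one (version_name, fallback_scsv, outcome) triple per attempt.
    """
    return [(NAMES[v], scsv, server_response(options, v, scsv)) for v, scsv in attempts]


if __name__ == "__main__":
    # Assumed client behaviour: after a failed first attempt, retry at lower
    # versions and mark each retry with TLS_FALLBACK_SCSV.
    retries = [(TLSv1_2, False), (TLSv1_1, True), (TLSv1, True)]
    for name, scsv, outcome in fallback_sequence(BOZO_SSL_OPTIONS, retries):
        print(f"offer {name:8} scsv={scsv!s:5} -> {outcome}")
```

Two things the model makes visible: with the quoted mask, a client whose highest offer is TLSv1 is refused with protocol_version, while a client that retries at TLS 1.1 with the SCSV set is refused with inappropriate_fallback, which is the alert in the Firefox text. The fallback check compares the offered version against the server's highest enabled version, not against the lowest one, so it is the client's downgrade signal, together with the reason the first attempt failed, that a server operator needs to look at when this alert appears in the logs; whether the first attempt failed on version or on something the model does not cover (cipher or certificate strength, which is what Firefox's "outdated security" page is about) is not decided by the mask alone.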
