spudatoe
Strollin' around
Status: New idea

https://support.hpe.com/hpesc/public/docDisplay?docId=a00100228en_us&docLocale=en_US
https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/

Those two links have ruined my life, seriously. I can no longer access expensive-to-replace, but otherwise perfectly working, hardware on my own local private network using FF since the ridiculous decision to remove TLS 1.* entirely.

I'm not the only one. Many of us are having issues with devices we can no longer access and configure from the browser: the management facilities on switches, iLO, servers, printers, etc. that are working perfectly well.
@2Big4YourBoots - can't access their own router!

For me, I have old, but extremely expensive server hardware that is unable to be replaced for financial reasons (I don't have work due to disability).
Also, a printer management module can no longer be accessed.

I don't run any kind of business with my two servers, purely storage and hobby, and rarely used on the internet except for Windows updates.

But accessing them via iLO3 (which only supports TLS 1.0 and TLS 1.1) is no longer possible via browser.

This makes powering them up, shutting them down and monitoring hardware/health remotely impossible for me, and physically painful.

HP will not update iLO3 to support TLS 1.2. iLO3 cannot be upgraded or updated to iLO4.

I suggest the Moz implement a "DMZ" for local network (and same subnet hardware), where FORCED (for the so-called "benefit of users") rules are able to be turned off.

Maybe Firefox could generate its own safety cert/exclusion key, which is emailed to the user's verified email address for specific trusted hardware on a local network, as in my example.


EVERYONE: Please do advise if there are known working fixes, workarounds, add-ons, software, etc. for accessing my own hardware with TLS 1.0.

 

4 Comments
Status changed to: New idea
Jon
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

jscher2000
Leader

I don't know whether this is likely to be implemented, so let me mention a workaround.

Currently, the lowest allowed TLS protocol version is a global setting. One option would be to create a separate profile for less secure access. Here are the steps:

New Profile

Inside Firefox, type or paste about:profiles in the address bar and press Enter/Return to load it.

Take a quick glance at the page and make a mental note of which Profile has this notation: This is the profile in use and it cannot be deleted. That is your current default profile.

Click the "Create a New Profile" button, then click Next. Assign a name like LegacyTLS, ignore the option to relocate the profile folder, and click the Finish button.

Firefox will switch your default profile to the new one, so click the Set as Default Profile button for your regular one to avoid an unwanted surprise at your next startup.

Scroll down to LegacyTLS and click its Launch profile in new browser button.

Firefox should open a new window that looks like a brand new, uncustomized installation. (Your existing Firefox window(s) should not be affected.) Please ignore any tabs enticing you to connect to a Sync account to avoid crossing over settings.

You can launch this profile any time for your legacy hardware. Consider using a different theme for more easily spotting which window is which.

Re-enabling Older Protocols

Naturally, this is not recommended for use on the web.

(A) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.

More info on about:config: Configuration Editor for Firefox. Please keep in mind that changes made through this back door aren't fully supported and aren't guaranteed to continue working in the future.

(B) In the search box in the page, type or paste security.tls.version and pause while the list is filtered.

Firefox should display four matching preferences.

(C) Double-click the security.tls.version.enable-deprecated preference to switch the value from false to true. When Firefox encounters a server that can't use TLS 1.2, it should offer to drop down.

If that doesn't work:

(C) Double-click the security.tls.version.min preference to display an editing field, and change the value to 1 or 2 as needed, then press Enter or click the blue check mark button to save the change.

  • 1 => Firefox can drop down to TLS 1.0
  • 2 => Firefox can drop down to TLS 1.1
  • 3 => Firefox can drop down to TLS 1.2
  • 4 => Firefox can only use TLS 1.3 [impractical]
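
A check that fits the workaround above, as an added example that is not part of the original post: it parses the `user_pref(...)` lines of each profile's prefs.js and reports any profile other than LegacyTLS that allows TLS below 1.2. The profile contents are constructed samples, and the allow-list and function names are assumptions of this example.

```python
import re

# Preference names and value meanings are the ones listed in the answer above.
MIN_PREF = "security.tls.version.min"
DEPRECATED_PREF = "security.tls.version.enable-deprecated"
TLS_NAMES = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

# prefs.js / user.js store one preference per line: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {pref name: bool | int | str} for every user_pref line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def legacy_tls_findings(prefs):
    """List the settings in one profile that permit TLS 1.0 or TLS 1.1."""
    findings = []
    floor = prefs.get(MIN_PREF)
    if type(floor) is int and floor < 3:
        label = TLS_NAMES.get(floor, "unlisted value")
        findings.append(f"{MIN_PREF}={floor}: floor lowered to {label}")
    if prefs.get(DEPRECATED_PREF) is True:
        findings.append(f"{DEPRECATED_PREF}=true: drop-down below TLS 1.2 offered")
    return findings

def audit_profiles(profiles, allowed=("LegacyTLS",)):
    """Return {profile: findings} for profiles that allow legacy TLS but are not allow-listed."""
    report = {}
    for name, text in profiles.items():
        findings = legacy_tls_findings(parse_prefs(text))
        if findings and name not in allowed:
            report[name] = findings
    return report

# Constructed sample input: profile name -> contents of that profile's prefs.js.
SAMPLE = {
    "default-release": 'user_pref("browser.startup.page", 3);\nuser_pref("security.tls.version.min", 1);\n',
    "LegacyTLS": '// legacy hardware only\nuser_pref("security.tls.version.enable-deprecated", true);\nuser_pref("security.tls.version.min", 1);\n',
    "work": 'user_pref("browser.startup.homepage", "about:blank");\n',
}

if __name__ == "__main__":
    for profile, findings in audit_profiles(SAMPLE).items():
        print(profile, findings)
```

In real use, fill the dictionary by reading prefs.js from each Root Directory shown on about:profiles.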

 

 

spudatoe
Strollin' around

@jscher2000  Thank you! I shall give your suggestions a try!  Thank you so much!

PS...
I'm sorry that I was late in replying. I'm not ignorant, but somehow MS (Hotmail) and Thunderbird colluded and put all connect.mozilla.org in the junk mail :'(

Kaarlo
New member

Have had this problem for many years now. Each and every FF breaks things with hardware management. Now fighting with FF68x/Centos6 problem. I'm supposed to fix a problem using iLO3 webstart (need a console to a system some kilometers away). And somehow again the working system is dead .. should clone a working VM and use the working clone but I do trust people that they do not break things (have been disappointed like a gazillion times so far).

Due to all kinds of problems, started to create my own FF version which would include disabling security in private networks. You know these 10.0.0.0/8 etc.? .. My humble and personal opinion is that FF developers do not know this concept. Why? Because the version I started with did not even compile. Some hidden information was found from IRC channel logs but the whole source tree was broken and took some time to fix it (40+ years exp with this kinda stuff).

FF keeps constantly informing version updates. Have used many methods blocking it and disabling it in many instances. Weirdly, while running FF/Mozilla in containers (all versions, earlier tricky 32-bit only) some of the versions managed to autoupdate itself inside a container. ha!

 

(The Erwise Guy)