Found a problem with the website or forum? Submit a new ticket here. Also, track progress of existing issues currently being fixed.
by IceG 10 Apr 2017, 19:21
I am getting the messages

This site can’t provide a secure connection

http://www.gprejects.com uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

when accessing the site using Google Chrome under Windows XP.

Trying IE on the same machine just refuses any connection.
by DemocalypseNow 10 Apr 2017, 21:29
IceG wrote:I am getting the messages

This site can’t provide a secure connection

http://www.gprejects.com uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

when accessing the site using Google Chrome under Windows XP.

Trying IE on the same machine just refuses any connection.

Are you using Windows XP SP2 or lower? Our SSL certificates use SHA-2 cryptography, but XP SP2 and lower only support SHA-1, which is no longer considered secure and has been deprecated at a hugely accelerated rate in the past few years. If you care about that sort of thing, the reasons for it being so insecure are quite interesting, but I'll assume you don't care and get to the point.

We have an A+ rating for SSL security from Qualys. This is because of the restriction on accepted ciphers with our SSL/TLS connections (hence ERR_SSL_VERSION_OR_CIPHER_MISMATCH). Windows XP SP3 supports our SSL authentication. Earlier versions only accept SHA-1, which Microsoft officially does not support in any way, shape or form.

Modifying those restrictions already in place to accommodate systems which do not support SHA-2 weakens security for everyone else. StatCounter numbers from Dec 2016 show only 2.24% of web visitors still use XP, and while I don't have stats for percentages for SP versions, it is widely accepted the vast majority of these XP systems are on SP3. Therefore I have no plans to modify settings at our end to accommodate these machines, especially as their use will be on a permanent downward trajectory.

In terms of fixing it at your end, I would recommend not touching XP with a 10-foot pole. It hasn't been supported in some time, and is a bit like securing your house with nothing but a Yale lock that has been stuck in the latch position for 3 years. Failing that (upgrading an entire OS is a pain), get the system upgraded to SP3 just to get the site to work. If it's a work computer, tell your IT department they should all be fired for being the most incompetent monkeymen on earth. I know the feeling - my day job still has machines running XP, despite working in a data-critical industry. For them it's just cheapness - they still have CRT monitors in active use. It's an embarrassment.


Of course, everything I've written is redundant if you're running SP3. Then I'm clueless as to what is wrong.

Novitopoli wrote:Everytime someone orders at Pizza Hut, an Italian dies.
Novitopoli wrote:Juve's Triplete: Calciopoli, doping & Mafia connections.

by IceG 11 Apr 2017, 22:40
Thanks for your explanation and for your ongoing support efforts.

I am running on SP3 so hmmmm.

Clicking on More details gave me the response:

"The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure."

It is an old domestic laptop that is just used because it still works - there is nothing vital on it so we don't worry about the lack of support and security updates. As you say, many business systems are still running XP; in my industry for very good reasons as the cost of porting and testing is so high - hence MS still actually do support XP in certain, ahem, "special" business sectors.

I raised the ticket in case it was indicative of something your end and in case others were getting the same message. You seem pretty confident there is no issue so no biggy.
by DemocalypseNow 12 Apr 2017, 09:34
IceG wrote:Thanks for your explanation and for your ongoing support efforts.

I am running on SP3 so hmmmm.

Clicking on More details gave me the response:

"The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure."

It is an old domestic laptop that is just used because it still works - there is nothing vital on it so we don't worry about the lack of support and security updates. As you say, many business systems are still running XP; in my industry for very good reasons as the cost of porting and testing is so high - hence MS still actually do support XP in certain, ahem, "special" business sectors.

I raised the ticket in case it was indicative of something your end and in case others were getting the same message. You seem pretty confident there is no issue so no biggy.

I appreciate it though - shows that my SSL cipher settings could do with a little more refinement.

by dr-baker 14 Apr 2017, 13:45
Well, I'm glad it wasn't me having that problem - this conversation went straight over my head!

watka wrote:I find it amusing that whilst you're one of the more openly Christian guys here, you are still first and foremost associated with an eye for the ladies!
dinizintheoven wrote:GOOD CHRISTIANS do not go to jail. EVERYONE ON FORMULA ONE REJECTS should be in jail.
MCard LOLA
by DemocalypseNow 14 Apr 2017, 17:19
Having looked at the issue further, I have found more precise reasons for the issue in question. Long story short, not a single available cipher suite supported by XP reaches the minimum standard for secure browsing. All have since been rendered obsolete by various attacks. The minimum required level is AES, which even at Service Package 3, XP does not support.

I learned a bit more about encryption trying to resolve this 'bug' though - quite interesting stuff.

by IceG 16 Apr 2017, 23:21
Asking for academic interest as this is a non-critical issue.

What are you trying to achieve using this level of security/protection? This is the only site/forum that I cannot access from the obsolete machine in question; I can access many secure payments systems and my online financial services provider (obviously I avoid doing so given the poor state of the machine's security) which presumably have significantly more critical security needs than an F1 forum?

If I am being dumb, please tell me.
by DemocalypseNow 17 Apr 2017, 12:50
IceG wrote:Asking for academic interest as this is a non-critical issue.

What are you trying to achieve using this level of security/protection? This is the only site/forum that I cannot access from the obsolete machine in question; I can access many secure payments systems and my online financial services provider (obviously I avoid doing so given the poor state of the machine's security) which presumably have significantly more critical security needs than an F1 forum?

If I am being dumb, please tell me.

This is down to me being dumb, not the other way around! From a user perspective you are right, this does not make any sense, and is exceedingly dumb. As I mentioned, my SSL config is clearly not up to scratch - to compensate for lack of knowledge, I went too aggressive rather than too soft with the configuration.

I've made some amendments now that I hope make a difference. Just to satisfy my curiosity, would you also mind giving FormulaRejects a visit for me? It uses a slightly different config from GPR as the two sites have certificates from different Certificate Authorities.

by DemocalypseNow 17 Apr 2017, 22:32
IceG wrote:I can see FormulaRejects as long as I don't specify https:// and drop the www

Still getting refused at GPrejects

That's actually rather odd - I deliberately went for a config that should have allowed legacy systems. I wonder what it is, if it's not the cipher suites....

by DemocalypseNow 20 Apr 2017, 17:41
IceG wrote:I've tried a few more times, still no joy.

Are you making changes or shall we leave it there?

I would leave it there for now. I can't seem to find an acceptable configuration that will allow it to work, despite enabling connection over TLS 1.0, which isn't ideal but should still have worked with XP machines. I'm at a loss to understand how to fix it without simply switching SSL off entirely.

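A simplified model of the negotiation discussed in this thread, added here as an example (it is not code from the forum or its administrators): a handshake needs both a common protocol version and a common cipher suite, so enabling TLS 1.0 on the server changes nothing for an old client unless the server also offers a suite that client supports. The policy and client dictionaries are constructed; the `LEGACY` profile follows the thread's description (TLS 1.0 at most, no AES) and is an assumption, not an authoritative XP suite list.

```python
# Added example: a simplified model of how a TLS server picks a protocol
# version and cipher suite. Policies and client profiles are constructed.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest

def usable(suite, version):
    # Suites using SHA-256/384 (including the GCM suites) exist only in TLS 1.2.
    return version == "TLSv1.2" or not suite.endswith(("SHA256", "SHA384"))

def negotiate(server, client):
    """Return (True, (version, suite)) or (False, reason)."""
    common = [v for v in VERSIONS
              if v in server["versions"] and v in client["versions"]]
    if not common:
        return False, "no common protocol version"
    version = common[-1]  # highest version both sides enable
    for suite in server["suites"]:  # server preference order
        if suite in client["suites"] and usable(suite, version):
            return True, (version, suite)
    return False, "no common cipher suite"

GCM = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
       "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
TDES = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"

# Constructed server policies.
STRICT = {"versions": ["TLSv1.2"], "suites": GCM}
TLS10_ENABLED = {"versions": ["TLSv1.0", "TLSv1.1", "TLSv1.2"], "suites": GCM}
# Legacy suite last, so clients that offer a GCM suite never select it.
WITH_FALLBACK = {"versions": TLS10_ENABLED["versions"], "suites": GCM + [TDES]}

# Constructed client profiles; LEGACY follows the thread's description
# (TLS 1.0 at most, no AES) and is not an authoritative XP suite list.
LEGACY = {"versions": ["SSLv3", "TLSv1.0"],
          "suites": ["TLS_RSA_WITH_RC4_128_SHA", TDES]}
MODERN = {"versions": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
          "suites": GCM + ["TLS_RSA_WITH_AES_128_CBC_SHA", TDES]}

def audit(client):
    """Negotiation outcome for one client against each server policy."""
    policies = {"strict": STRICT, "tls10_enabled": TLS10_ENABLED,
                "with_fallback": WITH_FALLBACK}
    return {name: negotiate(policy, client) for name, policy in policies.items()}

if __name__ == "__main__":
    for name, result in audit(LEGACY).items():
        print(name, result)
```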
