
Modern browsers and legacy network devices



I ran into a situation last night that took me by surprise, and frankly it was not something I had even thought of being possible. It seems partly a "planned obsolescence" scenario regarding network devices and it could definitely cause someone a real headache should they not have access to an older computer.

The example here is that I had noticed that my home computer was no longer online. I can see if my home PC is online because I have an IM account that is always signed in, partly so I can "IM Myself" links or things to look at later, but it also allows me to see the online status at home when I am not there. Yesterday, my home PC disconnected just before 10am and all day I had the worst thoughts pop into my head... "did I forget to pay the electric bill?" "did a sinkhole swallow my house?" things like that.

When I got home, all was seemingly fine, my home pc was still turned on. Then I see my cell phone can't connect to my wireless network. I go to attempt to access the router from my PC's browser, but it times out. So I just reset the router by unplugging the power and plugging it back in. After a few minutes, my phone reconnects to the wireless, and my wired computers can access the internet. I decided to log into the router and see if there was anything in the log files showing any errors or whichever and then ran into the issue this thread is about.

Neither Palemoon nor Chrome would allow me to even connect to the router. It showed me this message:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Only IE9 was able to connect to the internal page of the router, although it did show a "not secure" message and allowed me past.

I can definitely see a situation where a person who had set up their home network at some point, and cycled out their old computer for a new one, could encounter a situation where they wouldn't be able to log into their network hardware, and this can be a big headache.

If anyone knows a way to get a modern browser to allow connection to a secure site that generates this error, post it here.

For those interested: the router is configured for SSL internal page only, and external IP login is disabled. It cannot be administered remotely nor via wireless clients.

PS: the log files didn't show anything from before the power was reset. :(



Well, you don't need a *modern* browser to access an old router (or any site where a *modern* browser shows the stupid "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" error).

99.99% QTWEB would do just fine.

Since it is "inherently portable", it shouldn't be an issue to just use it when needed:

http://www.qtweb.net/

jaclaz


How can this happen, so suddenly? Without any change in the hardware, nor any change in the software??
Completely confused. And am used to sit here struggling all the time with the opposite problem, old system on modern web, but that's at least somehow logical ;-) And wonder if the various SSL+TLS pref settings couldn't help perhaps, or the clock is delayed, whatever.


We have been progressively disabling unsafe ciphers in recent years... I bet if you enable SSL 2.0 and 3.0 and TLS 1.0 on IE and then try to access the router again using IE it'll connect without complaining. Just a guess, but I'm pretty confident I hit jackpot. Try it please, and let me know. :)


1 hour ago, siria said:

How can this happen, so suddenly? Without any change in the hardware, nor any change in the software??
Completely confused. And am used to sit here struggling all the time with the opposite problem, old system on modern web, but that's at least somehow logical ;-) And wonder if the various SSL+TLS pref settings couldn't help perhaps, or the clock is delayed, whatever.

It wasn't "suddenly".

The router (for *whatever* reason) needed a reset.

AFTER doing that (successfully BTW) Trip decided to have a look at the router settings (something that possibly he hadn't done in weeks or months) and the automagic smart updating of his "modern" browsers bit him.

Clearly the (oldish) router web frontend used a "normal" protocol BUT his browsers were considering that as "old" and "unsafe" (even if the connection is "local") and prevented him from accessing the router page.

jaclaz


Thanks, now it starts making sense again! So the router reset had nothing to do with the prob at all, and before and after all works fine, web connection and router config page. The only issue is that in the long meantime since the previous config access, (probably) some more obsolete ciphers or SSL/TLS-versions were disabled in the browser prefs, which must temporarily be enabled again for the router config...


On 10/5/2018 at 1:59 PM, siria said:

How can this happen, so suddenly? Without any change in the hardware, nor any change in the software??
Completely confused. And am used to sit here struggling all the time with the opposite problem, old system on modern web, but that's at least somehow logical ;-) And wonder if the various SSL+TLS pref settings couldn't help perhaps, or the clock is delayed, whatever.

Additionally, it is precisely that the hardware had not changed, but the software had. Over time, there was no reason to log into the router. It worked fine after I had it set up the way I wanted. The browsers do update over time, Chrome there can't be much done about, and Palemoon I do only as needed which is very rarely. Even so, at some point in between the last time I had to log into the router (I believe it is technically Draft N, to show its age) and the other day, the browsers had updated to a point where they would no longer allow the connection.

On 10/5/2018 at 2:39 PM, dencorso said:

We have been progressively disabling unsafe ciphers in recent years... I bet if you enable SSL 2.0 and 3.0 and TLS 1.0 on IE and then try to access the router again using IE it'll connect without complaining. Just a guess, but I'm pretty confident I hit jackpot. Try it please, and let me know. :)

If I didn't make it clear before, IE9 had no problem connecting to the router's internal page. It complained about the security certificate but it had a button to let me view the page anyways. That was how I went in to check the logs. It was only the other two browsers that refused to connect with it. I don't mind about the warning page IE gives. I will see about those settings and see what happens.


Everything was already enabled except SSL 2.0. Enabling that doesn't make the warning go away.

Quote

The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website has expired or is not yet valid.
The security certificate presented by this website was issued for a different website's address.

There doesn't actually seem to be a way to view the certificate, you just have to trust that the browser is right. :rolleyes:
(you can view the cert after continuing to view the page, but not while at the warning screen).

It seems that none of the reasons above that IE9 shows is the reason for why you cannot connect to it with Palemoon or Chrome. That, instead, seems to be because SHA1 support has been removed from those browsers but is still present in IE9. IE9 identifies the encryption as sha1RSA, but does not seem to have a way to indicate which version of TLS or SSL that the router's web server is using.

If this was present in the newer browsers, you would get a message similar to what IE9 gives, it would give you a warning and you could still continue. But without the SHA1 support, the browser can't actually read the data from the router's internal website at all, which is the actual reason why the site doesn't work with Palemoon or Chrome.

https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/

https://forum.palemoon.org/viewtopic.php?t=6262

Now imagine if I had Windows Updates enabled, I likely would then have an IE10 or whatever that didn't support SHA1 either and I'd have to find a computer with an older operating system (or older browser versions) to log into my router.

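Added example, not part of any post in this thread: the posts above note that IE9 gives no way to see which SSL/TLS version the router's web server speaks. This Python sketch attempts one handshake per protocol version against a device and reports the negotiated cipher and the certificate's signature algorithm. The device address is taken from the command line, port 443 is an assumption, and the signature check is a heuristic search for known OIDs in the DER bytes rather than a full certificate parse.

```python
import socket
import ssl
import sys
import warnings

# SSL 2.0/3.0 are omitted: current OpenSSL builds cannot offer them.
VERSIONS = ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]

# DER-encoded OIDs of common certificate signature algorithms.
SIG_OIDS = {
    bytes.fromhex("06092a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("06092a864886f70d01010b"): "sha256WithRSAEncryption",
}

def signature_algorithm(der):
    """Heuristic: name the first known signature OID found in a DER certificate."""
    hits = [(der.find(oid), name) for oid, name in SIG_OIDS.items() if oid in der]
    return min(hits)[1] if hits else "unknown"

def probe(host, port=443, timeout=5.0):
    """Attempt one handshake per protocol version and report each outcome."""
    results = {}
    for name in VERSIONS:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False       # diagnosis only: device certificates
            ctx.verify_mode = ssl.CERT_NONE  # are usually self-signed or expired
            with warnings.catch_warnings():
                warnings.simplefilter("ignore", DeprecationWarning)
                ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion[name]
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # also offer legacy cipher suites
        except (ValueError, ssl.SSLError) as exc:
            results[name] = f"not available in local OpenSSL ({exc})"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    cert = tls.getpeercert(binary_form=True)
                    results[name] = (f"accepted, cipher {tls.cipher()[0]}, "
                                     f"signed with {signature_algorithm(cert)}")
        except ssl.SSLError as exc:
            results[name] = f"handshake refused ({exc.reason})"
        except OSError as exc:
            results[name] = f"connection failed ({exc})"
    return results

if __name__ == "__main__" and len(sys.argv) > 1:
    for version, outcome in probe(sys.argv[1]).items():
        print(f"{version}: {outcome}")
```

A device that shows "accepted" only on the TLSv1 or TLSv1_1 rows cannot be reached by a browser that has those versions disabled, whatever its certificate looks like.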

Similarly, TLS 1.0 and 1.1 will be taking a hike from updated browsers:

https://twitter.com/agl__/status/1051933087699881984

The links to the specific articles if you don't want to use twitter:

https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/
https://security.googleblog.com/2018/10/modernizing-transport-security.html
https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/
https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/

So at some point in the future, expect more instances of browsers not being able to connect to network hardware. Besides the wireless router example that I used, also think about people using old DSL or cable modems as other examples.
