Mark H Weaver <address@hidden> writes:
When I try to connect to https://gnupg.org/ with IceCat 38.6.0, I get
the following error:
Secure Connection Failed
An error occurred during a connection to gnupg.org. Cannot communicate
securely with peer: no common encryption algorithm(s). (Error code:
ssl_error_no_cypher_overlap)
Epiphany is able to connect successfully.
At first I thought that perhaps the web server at gnupg.org was poorly
configured, but apparently that's not the case. It seems to have an
excellent TLS configuration.
I eventually found that the problem was caused by these lines in
data/settings.js in the gnuzilla source, which end up in
browser/app/profile/icecat.js in the IceCat source tarballs:
// Avoid logjam attack
pref("security.ssl3.dhe_rsa_aes_128_sha", false);
pref("security.ssl3.dhe_rsa_aes_256_sha", false);
pref("security.ssl3.dhe_dss_aes_128_sha", false);
pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
These lines disable several important cipher suites, despite the fact
that Logjam was fixed in every reputable system over 8 months ago.
For now, users can work around this problem by going into about:config
and changing these settings to "true". I'm also going to remove these
customizations from the IceCat build in GNU Guix.
After doing this, I discovered that the last two of those preferences
above don't even exist anymore. In other words, the lines above
actually *created* the "security.ssl3.dhe_dss_aes_128_sha" and
"security.ssl3.dhe_rsa_des_ede3_sha" preferences, although apparently
there's no code that actually looks at those settings.
I used an online checker to verify that after this change, my IceCat
browser is safe against the Logjam attack.
Finally, note that the relevant code that needed to be patched here is
NSS, which is bundled with IceCat itself and used by default. So, the
only way that a user compiling IceCat could become vulnerable to Logjam
is if they explicitly asked to use an external copy of NSS that was old
and had not been patched.
I think those lines should be removed from upstream IceCat.
What do you think?
Regards,
Mark
--
http://gnuzilla.gnu.org
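As an added example, not code from the email or from the IceCat/gnuzilla project: a small Python audit that parses pref lines like the ones quoted above, lists which security.ssl3.* cipher-suite prefs a file switches off, and flags the names that are dead (the email says the dhe_dss_aes_128_sha and dhe_rsa_des_ede3_sha prefs no longer exist). The KNOWN_CIPHER_PREFS set and the extra ECDHE line in the sample are assumptions made for the example.

```python
import re

# Constructed sample prefs file: the four lines quoted in the email above plus
# one unrelated suite left enabled, so the audit has something to keep.
SAMPLE_PREFS = """\
// Avoid logjam attack
pref("security.ssl3.dhe_rsa_aes_128_sha", false);
pref("security.ssl3.dhe_rsa_aes_256_sha", false);
pref("security.ssl3.dhe_dss_aes_128_sha", false);
pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
"""

# Assumed set of cipher-suite prefs the bundled NSS actually reads. Per the
# email, the two dhe_rsa_aes_*_sha prefs exist and the other two quoted names
# do not; the ECDHE entry is included only for the constructed sample.
KNOWN_CIPHER_PREFS = {
    "security.ssl3.dhe_rsa_aes_128_sha",
    "security.ssl3.dhe_rsa_aes_256_sha",
    "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256",
}

# Matches pref("security.ssl3.<suite>", true|false); and the user_pref() form.
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"(security\.ssl3\.[^"]+)"\s*,\s*(true|false)\s*\)',
    re.MULTILINE,
)


def parse_cipher_prefs(text):
    """Return {pref_name: enabled} for every security.ssl3.* pref in text."""
    return {name: (value == "true") for name, value in PREF_RE.findall(text)}


def audit_cipher_prefs(text, known=KNOWN_CIPHER_PREFS):
    """Report the suites a prefs file turns off, and which of those pref names
    NSS no longer consults (so the line creates a pref but changes nothing)."""
    prefs = parse_cipher_prefs(text)
    disabled = sorted(name for name, on in prefs.items() if not on)
    unknown = sorted(name for name in disabled if name not in known)
    return {"disabled": disabled, "unknown": unknown}


if __name__ == "__main__":
    report = audit_cipher_prefs(SAMPLE_PREFS)
    for name in report["disabled"]:
        tag = " (pref no longer exists)" if name in report["unknown"] else ""
        print(f"disabled: {name}{tag}")
```

Pointing it at a profile's prefs.js or user.js shows the same report for an installed browser; every suite it lists as disabled is one that a server offering only that suite cannot negotiate with the client.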