Amiga.org

Amiga computer related discussion => Amiga Software Issues and Discussion => Topic started by: Drummerboy on November 13, 2015, 03:35:48 AM

Title: -Amiga SSL Certificate Update
Post by: Drummerboy on November 13, 2015, 03:35:48 AM
Hello,

Does anyone know if there is an updated SSL certificate for AOS 3.X? I frequently browse on my A1200 with OS 3.0, using IBrowse, but some sites (such as Twitter or Wikipedia) show this message: "SSL Connect error. The remote server is using an encryption protocol not supported by IBrowse.", and some time ago they worked without problems.

Any suggestions or comments are welcome.

Regards.
Title: Re: -Amiga SSL Certificate Update
Post by: Oldsmobile_Mike on November 13, 2015, 03:58:00 AM
AFAIK Oliver Roberts has been working on an update to AmiSSL for years, but he's hamstrung by the rest of the "IBrowse team (https://github.com/jens-maus/amissl/blob/master/AUTHORS)" until they get their act together.  That's paraphrasing pretty badly, but more specific info should already exist on the forum somewhere. ;)
Title: Re: -Amiga SSL Certificate Update
Post by: LoadWB on November 13, 2015, 06:40:25 AM
For what it's worth, it's not an SSL certificate that needs to be updated, but the AmiSSL suite altogether (I believe IBrowse uses AmiSSL, it's been so long I can't remember.)  It only supports up to SSLv3, which has been deprecated industry-wide as it has numerous exploitable flaws, including an error in the block-ciphers which cannot be fixed as it is ingrained in the protocol itself.

Within the next year TLSv1 will be deprecated, as well, even though it supports good ciphers like AES128-SHA256.  The idea is that since it is based upon SSLv3 (SSL is the Netscape secure sockets implementation, TLS is the resultant standard) it won't be long before it will be compromised, as well.

SSLv2 and SSLv3 are done.  MD5- and RC4- based ciphers are easily exploitable.  SHA1 hashed ciphers are now proven weak due to the (relative) ease of finding collisions.  As well, SSL certificates with SHA1 signatures will be tossed within the next six months (it's already virtually impossible to get a SHA1-signed certificate from the major vendors.)

tl;dr: AmiSSL needs to be updated to support TLSv1.2.
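What the refusal discussed above looks like on the wire, as an added example that is not part of the original posts: a server that no longer accepts the version a client offers typically answers the ClientHello with a fatal alert record instead of a ServerHello. The function name `diagnose_reply` and the sample byte strings are constructed for illustration; they are not taken from AmiSSL, IBrowse or any real server.

```python
import struct

# Protocol versions as encoded on the wire (major, minor).
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
# Alert descriptions commonly sent when the client's offer is refused.
ALERTS = {40: "handshake_failure", 70: "protocol_version"}

# Constructed sample replies (not captured from any real server).
REFUSED_HANDSHAKE = bytes.fromhex("15030000020228")   # alert, fatal, code 40
REFUSED_VERSION = bytes.fromhex("15030100020246")     # alert, fatal, code 70
ACCEPTED_TLS12 = (bytes.fromhex("160303002a020000260303") + bytes(32)
                  + bytes.fromhex("00c02f00"))         # minimal ServerHello


def diagnose_reply(data: bytes) -> str:
    """Classify the first record a server sends back after a ClientHello."""
    if len(data) < 5:
        return "truncated record header"
    # Record header: content type, version major/minor, 16-bit length.
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        return "truncated record body"
    if ctype == 21:  # alert record: level byte, description byte
        if length != 2:
            return "malformed alert"
        level = "fatal" if body[0] == 2 else "warning"
        return f"alert {level} {ALERTS.get(body[1], f'code {body[1]}')}"
    if ctype == 22 and len(body) >= 6 and body[0] == 2:  # ServerHello
        # body[1:4] is the 24-bit handshake length; server_version follows.
        name = VERSIONS.get((body[4], body[5]), f"unknown {body[4]}.{body[5]}")
        return f"server_hello {name}"
    return f"unexpected record type {ctype}"


if __name__ == "__main__":
    for sample in (REFUSED_HANDSHAKE, REFUSED_VERSION, ACCEPTED_TLS12):
        print(diagnose_reply(sample))
```
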
Title: Re: -Amiga SSL Certificate Update
Post by: Drummerboy on November 14, 2015, 03:50:18 AM
@LoadWB,

Thanks for the data!
Title: Re: -Amiga SSL Certificate Update
Post by: Dandy on November 26, 2015, 12:07:09 PM
Quote from: LoadWB;799159


For what it's worth, it's not an SSL certificate that needs to be updated, but the AmiSSL suite altogether (I believe IBrowse uses AmiSSL, it's been so long I can't remember.)  It only supports up to SSLv3, which has been deprecated industry-wide as it has numerous exploitable flaws, including an error in the block-ciphers which cannot be fixed as it is ingrained in the protocol itself.
...

tl;dr: AmiSSL needs to be updated to support TLSv1.2.



An SSL update is not just urgently required for IBrowse, but also e.g. for YAM.

Currently it is not possible to access securepop and securesmtp servers with YAM 2.9p1 - all attempts result in error messages.

I may also point you to the discussion Drummerboy started at AmigaWorld.net (http://amigaworld.net/modules/newbb/viewtopic.php?topic_id=40718&fforum=27#773824), where I came to this conclusion:

"So what we would urgently need for our classic AmigaOS 3.x systems is something based on at least TLS 1.2 / OpenSSL v1.0.2d."