Tiny Core Linux

General TC => General TC Talk => Topic started by: gordon64 on August 13, 2015, 11:51:36 PM

Title: [SOLVED] 64 bit web browser tests for poodle attack
Post by: gordon64 on August 13, 2015, 11:51:36 PM

Hi I am not a security expert, but I went to this URL to check
https://zmap.io/sslv3

64 bit web browsers I found safe, claiming that

Quote

Good News! Your browser does not support SSLv3

epiphany
firefox-latest's local TCZ called firefox-official
opera-12


64 bit found not so safe claiming that

Quote

Warning! Your browser supports SSLv3

fifth

Browsers not tested or unable to see the result etc
firefox-nightly ....too old. IMHO no-one should be on it.
links and elinks.....both display the web site but give no indication, probably because they are text browsers.

I have yet to find a way to start fifth with a command that disables sslv3 but if anyone knows pls advise.

thanks for reading

EDIT
I made a .local/bin file with contents

Quote

#!/bin/sh
tce-load -i fifth
fifth --ssl-version-min=tls1

but attempting to use it gives error as

Quote

fifth: unrecognized option '--ssl-version-min=tls1'

Title: Re: 64 bit web browser tests for poodle attack
Post by: curaga on August 14, 2015, 06:33:10 AM

Fifth has no config options for SSL, it uses the defaults of openssl. Ideally we'd compile openssl without ssl3, so no app would use it.

Title: Re: 64 bit web browser tests for poodle attack
Post by: gordon64 on August 14, 2015, 07:08:40 PM

curaga

I hope I don't embarrass you, but it turns out that you are the upstream maintainer of fifth.

Congratulations on your software and skills and thankyou for the tips.

Naturally I will look at re-compiling on 64 bit, Juanito's build script calls for curl-dev which has a dependency of openssl* and the running dependency has curl with a dependency of openssl*.
I shall see if modding those dep files and see if I can re-compile without openssl* support. Plus will try without curl support as well.

thanks again for your time.

Quote

Ideally we'd compile openssl without ssl3

I have failed to compile new certificates, slightly off topic, new certificates works with existing openssl but when I attempted to use them for new openssl....not knowing about sslv3, at time of build, the new certificates failed.

Title: Re: 64 bit web browser tests for poodle attack
Post by: curaga on August 15, 2015, 04:54:06 AM

No, you can't compile Fifth without openssl. I mean we should compile openssl.tcz with sslv3 disabled. Some other distros are doing so.

Title: Re: 64 bit web browser tests for poodle attack
Post by: gordon64 on August 15, 2015, 07:45:14 AM

Thanks

on 64 bit just re-compiled openssl with extra compile option "no-ssl3"
recompiled fifth, with slight dep modification and fifth now passes the sslv3 test, tested locally.

OFFTOPIC
but my attempt to add new certificates and test a re-compiled elinks, built with new openssl, I called it elinks2 is not showing a display page for a https URL, so I have failed to get it all corrrect.

Juanito is aware of some of my failures. I fail more than I succeed.  :-[

cheers

Title: Re: 64 bit web browser tests for poodle attack
Post by: gordon64 on August 16, 2015, 12:09:05 AM

completely offtopic I have certificates now working by going to this URL

https://cert-test.sandbox.google.com/

if certs work, you get

Quote

SHA-256 certificate test successful.

Please mark post as solved thanks