77

I need to access the web interface of a router standing here in the office. The problem is that it only supports SSLv3 and I cannot find a browser that allows me to connect to it. In order to update the router, I also need to be able to log in to it.

I tried to SSH into it, but it does not work. Maybe it is using some non-standard port.

Running a (limited?) port scan using 'fing' I see it has the following standard ports open:

  • 515 (LPD printer)
  • 1723 (PPTP)

What browser can I use, or what other options do I have?

Unable to Connect Securely

Firefox cannot guarantee the safety of your data on 192.168.1.1:10443 
because it uses SSLv3, a broken security protocol.
Advanced info: ssl_error_unsupported_version
tomsv
  • 893
  • 1
  • 7
  • 8
  • 6
    I am well aware that you have already accepted an answer but I just wanted to point out how you can get an older version of FireFox. http://filehippo.com/download_firefox/history – MonkeyZeus Dec 21 '15 at 19:07
  • 3
    After you're done updating the router, don't forget to put your browser's security settings back! – user2357112 Dec 22 '15 at 07:39
  • 20
    @MonkeyZeus You're better off going to the [official release archive](https://ftp.mozilla.org/pub/firefox/releases/) than using third-party sites. – Bob Dec 22 '15 at 15:09

8 Answers

86

Internet Explorer 11 supports it, but you have to go to Advanced options Tab to enable it.

(screenshot: the Internet Explorer Advanced options tab)

JOW
  • 2,317
  • 2
  • 17
  • 24
63

The equivalent solution for Firefox is to open the about:config tab and set

security.tls.version.min

to 0.

Source.

Helpful link to test your browser's SSL/TLS settings.

Dmitry Grigoryev
  • 10,122
  • 1
  • 26
  • 56
  • Have you successfully tried that? I couldn't get that to work on my current Firefox v43.0.1. I don't think that flag works anymore. (IExplore was able to connect to this: `openssl s_server -cert cert.pem -key key.pem -www -accept 8443 -ssl3` Firefox was not. Cert/key generated like [this](https://www.cryptologie.net/article/314/analyze-a-tls-handshake/).) – StackzOfZtuff Dec 21 '15 at 14:13
  • 2
    @StackzOfZtuff It works for me on the ESR version of Firefox. I added a link to my answer which I used to test it. – Dmitry Grigoryev Dec 21 '15 at 14:24
  • Excellent! I didn't know SSL-Labs could test for that. (Unfortunately doesn't work from behind strict firewalls. They seem to use non-443 ports such as 10200, 10300, 10301, 10302, 10303, 10443, 10443, 10444, 10444, 10445, 10445) – StackzOfZtuff Dec 21 '15 at 15:09
  • 5
    If Firefox reports `ssl_error_weak_server_ephemeral_dh_key`, setting both `security.ssl3.dhe_rsa_aes_128_sha` and `security.ssl3.dhe_rsa_aes_256_sha` to `false` helps. This is not the exact error message the OP mentioned, but maybe this info is useful in some way. – tmh Dec 21 '15 at 15:17
  • 3
    @tmh: that's for LogJam not SSLv3/TLS – StackzOfZtuff Dec 21 '15 at 19:51
  • 2
    (Firefox 43) I also have to add the hostname to `security.tls.insecure_fallback_hosts`. It's a comma separated list like "myoldbank.example.com,sslv3.example.com" – jingyu9575 Dec 22 '15 at 05:42
  • 3
    And `insecure_fallback_hosts` doesn't, as far as my research shows, accept IP addresses. Only hostnames. – Ben Voigt Dec 22 '15 at 23:23
  • 1
    Don't forget to set it back when you're done.. – Jonas Czech Dec 25 '15 at 18:32
  • It seems that in Firefox 34, SSLv3 support was completely removed ([changelog](https://www.mozilla.org/en-US/firefox/39.0/releasenotes/)). This seems contradictory with earlier comments about needing `insecure_fallback_hosts` on Firefox 43, but I just tried on Firefox 45 (setting both `insecure_fallback_hosts` and `security.tls.version.min`, but that didn't seem to work, keeps saying `SSL_ERROR_UNSUPPORTED_VERSION`) – Matthijs Kooijman Jan 09 '17 at 09:54
  • Digging a bit further, it seems that under Debian Linux, the openssl library (which Firefox uses) has completely disabled SSLv3 support (at compile time) since the 1.0.2d-2 version ([changelog](http://metadata.ftp-master.debian.org/changelogs/main/o/openssl/unstable_changelog)). This also means that, on recent Debian versions, SSLv3 will not work regardless of the browser used. – Matthijs Kooijman Jan 09 '17 at 10:04
26

Chrome allows this functionality. Referenced here.

In Google Chrome, you can use the --ssl-version-max and --ssl-version-min command line flags to select a specific protocol version. The accepted values are: "ssl3", "tls1", "tls1.1", or "tls1.2". How to set command line flags on Chrome.

How to set command line flags on Chrome:

Windows

  • Exit any running instance of chrome.
  • Find the shortcut you normally use to launch chrome.
  • Create a copy of it.
  • Right click on the new shortcut, and select Properties.
  • At the very end of the Target: text box, add a space and then the desired command line flags. It should end in something like ...\chrome.exe" --foo --bar=2
  • Double click the new shortcut to launch chrome with the new command line flags.

Mac OS X

  • Quit any running instance of chrome.
  • Launch /Applications/Utilities/Terminal.app
  • At the command prompt enter: /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --foo --bar=2

Linux

  • Exit any running instance of chrome.
  • Execute in a console: google-chrome --foo --bar=2

(If you are using a different named chrome/chromium build, change the command accordingly)

Chrome OS

  • Put the device into dev mode so you can get a root shell.
  • Modify /etc/chrome_dev.conf (read the comments in the file for more details).
  • Restart the UI via: sudo restart ui

Do remember this may lower the security state of your browser. It is not recommended to use these downgrades for normal browsing.

  • 3
    As I first skimmed over this I thought `--foo` and `--bar=2` were the actual options required to lower the minimum SSL version. – David Z Dec 24 '15 at 21:26
  • Sorry but it is not working. `google-chrome --ssl-version-min=ssl3 --ssl-version-max=ssl3 ` returns *ERR_SSL_VERSION_OR_CIPHER_MISMATCH* – Emmanuel Oct 11 '16 at 10:17
11

Three of the answers presently contributed require lowering the security level of your browser, possibly leaving you open to various attacks if you do this in your primary browser, subsequently use that browser for other web sites, or simply forget to revert this change (or multiple changes).

Legacy and insecure SSL/TLS features (SSLv2 and SSLv3, SHA1RSA signatures, RC4 and 3DES ciphers, MD5 MAC, export ciphers, non PFS ciphers, <1024 DH parameters) are progressively being disabled by default and/or removed from browsers, and for good reason.

A separate problem that @AndreKR helpfully flags is that of browser compatibility, in which case a legacy browser in a dedicated VM is probably the most robust solution.

If you cannot replace the device, use a dedicated VM or a dedicated browser. The next best option is a TLS proxy to allow the use of a contemporary secure browser. Enabling one (or two, or three ...) insecure features in a browser is not a secure and sustainable solution, and what happens when the inevitable happens and a required feature is removed entirely? (SSLv3 support for Chrome, Opera, Firefox).

A secure alternative is to proxy the connections through something that supports both old/legacy and new protocols & ciphers; there are many options (including the rather heavyweight solution of an Apache reverse proxy).

The following more lightweight solution should work on both *nix and Windows systems. This will require that you generate a key/cert — not necessarily a problem since the next thing that's going to happen is that contemporary browsers will reject SHA1-signed certificates. This way you can use a SHA-2 signed RSA-2048 certificate and contemporary TLS for access to the device.

For this example:

socat proxy

Using socat:

CERT="cert=mydevice.crt,key=mydevice.key"
SSLSRV="cipher=AES256-SHA,method=TLS1.2,verify=0"   # browser-facing side: contemporary TLS
SSLCLI="cipher=AES128-SHA,method=SSL3,verify=0"     # device-facing side: legacy SSLv3

socat \
 OPENSSL-LISTEN:11443,bind=127.0.0.1,reuseaddr,fork,$CERT,$SSLSRV \
 OPENSSL:192.168.1.123:443,$SSLCLI

and connect to https://127.0.0.1:11443/

Notes

Amend your local hosts file to prevent certificate name mismatch warnings from your browser if needed. Since you need an internal certificate for this anyway, you can generate a certificate with the expected internal name (unlike many devices which I have encountered, which tend to use odd or unfriendly names for certificates).

For TLSv1.2 support you will need OpenSSL-1.0.1 or later, and socat-1.7.3.0 or later. The cipher and method options can be adjusted according to requirements, as can the server or client certificate verification.

This solution extends even to similar problems, such as SSLv2-only devices, or devices with 512-bit certificates or a hobbled set of ciphersuites, though you will need to make sure that OpenSSL was not built with no-ssl2 or no-ssl3 and has the relevant ciphersuite enabled.

If I were an auditor I'd rather see a documented access method (along with an upgrade plan!) than an ad hoc solution which is an accident waiting to happen.

mr.spuratic
  • 7,977
  • 26
  • 37
  • 3
    You would advocate this process even if you lowered the security of the browser just to update the router, then put the settings back? I'm not seeing the risk. – schroeder Dec 24 '15 at 04:43
  • 2
    Risk and effort depend on the nature and number of devices, organisation security policy, and whether you need to restart your browser. A one-line shell script that reduces the "human element" of a risk is a justifiable alternative. (Ignoring the elephant in the room that is best summed up in zxq9's large hammer comment.) – mr.spuratic Dec 24 '15 at 10:46
  • 1
    MD5 is must-not for signatures but only should-not for HMAC (including pre-1.2 PRF). I haven't seen or heard any signs of dropping 3DES, although AES is preferred; did you mean original DES aka 1DES, which did fall soon after the 'export' 40-bit ciphers? – dave_thompson_085 Dec 26 '15 at 23:36
  • 3DES (three-key TDEA) as 112-bit equivalent: Qualys have been [recommending it be used only for backward compatibility since last year](https://www.ssllabs.com/projects/best-practices/). The three-key form is now the lowest acceptable strength approved by NIST ([SP800-131A R1 (PDF)](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf)). Whether it might be next on the chopping block is conjecture on my part... – mr.spuratic Dec 27 '15 at 13:03
  • 1
    > *if you do this in your primary browser, subsequently use that browser for other web sites, or simply forget to revert this change (or multiple changes).* Note that this wouldn't be a problem if the browser continued to prompt for these older protocols, and downgraded only for the prompted page/domain, rather than forcing you to go to global settings!!! – Kaz Dec 14 '21 at 06:49
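One way to carry out the proxy setup from this answer end to end, as an added example that is not part of the answer: a shell script that generates the SHA-256-signed RSA-2048 certificate for the device's expected internal name and composes the socat bridge from it. The hostname router.internal, the device address 192.168.1.123:443 and the local port 11443 are placeholders, and -addext assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the answer above): build a SHA-256 / RSA-2048
# self-signed certificate carrying the device's internal hostname as a SAN,
# then bridge contemporary TLS on 127.0.0.1 to the SSLv3-only device.
# All names and addresses below are placeholders.
set -eu

DEVICE_NAME="router.internal"     # map this name to 127.0.0.1 in /etc/hosts
DEVICE_ADDR="192.168.1.123:443"   # the SSLv3-only management interface
LISTEN_PORT=11443

# Browser-facing socat address: TLS 1.2 with the generated cert/key.
# Kept as a function so the string can be inspected before anything listens.
listen_addr() {
  printf 'OPENSSL-LISTEN:%s,bind=127.0.0.1,reuseaddr,fork,cert=%s.crt,key=%s.key,cipher=AES256-SHA,method=TLS1.2,verify=0' \
    "$LISTEN_PORT" "$DEVICE_NAME" "$DEVICE_NAME"
}

# Device-facing socat address: legacy SSLv3, no certificate verification
# (the device's own certificate is the reason we are here).
device_addr() {
  printf 'OPENSSL:%s,cipher=AES128-SHA,method=SSL3,verify=0' "$DEVICE_ADDR"
}

# Self-signed certificate with the expected name in CN and SAN, SHA-256
# signature, 2048-bit RSA, valid one year. Returns non-zero unless the
# resulting certificate really is SHA-256 signed.
gen_cert() {
  name="$1"
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -keyout "$name.key" -out "$name.crt" \
    -subj "/CN=$name" -addext "subjectAltName=DNS:$name" 2>/dev/null
  openssl x509 -in "$name.crt" -noout -text | grep -q 'sha256WithRSAEncryption'
}

# Only start the bridge when invoked as: sh bridge.sh run
if [ "${1:-}" = "run" ]; then
  [ -f "$DEVICE_NAME.crt" ] || gen_cert "$DEVICE_NAME"
  echo "Bridging https://$DEVICE_NAME:$LISTEN_PORT/ -> $DEVICE_ADDR (SSLv3)"
  exec socat "$(listen_addr)" "$(device_addr)"
fi
```

Then browse to https://router.internal:11443/ (with the hosts entry in place) and stop the script with Ctrl-C once the device is updated.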
6

Older versions of Firefox or Chrome are available in PortableApps format too, so you can have one or more independent installations of an older browser version and/or one with unsafe but necessary settings enabled for such purposes.

rackandboneman
  • 975
  • 4
  • 9
  • This is by far the best solution. I have no idea why the overly complicated answers that drastically reduce the browser's security are the accepted and most-upvoted. – SilverbackNet Aug 27 '18 at 23:06
4

I experienced the same issue with an old legacy router running on an old but stable version of DD-WRT. I am still using this router on my internal network and also the router is not connected to the internet. After I accidentally changed a setting to only get access to the web GUI via HTTPS, I was blocked from accessing it with all the updated browsers that I had installed on my systems! I searched on Google and found this page; sadly none of the solutions explained here helped to access the router. I was still locked out, bummer of course. I could do a factory reset of the router but losing the config was also a bit of a problem for me.

After some trial and error and further reading, I downloaded a very old version of FireFox Portable. I found it on: https://sourceforge.net/projects/portableapps/files/Mozilla%20Firefox%2C%20Portable%20Ed./

After unpacking the download and starting the old version of FireFox, I could enter the router again via the web GUI and could manage it again. I disabled HTTPS on it, and now I can enter it again with other updated browsers.

Maybe you can leave the old version of FireFox Portable on your system and only use it to manage the old system.

Cenobyte
  • 41
  • 1
2

It's possible to tweak browser security settings to allow obsolete versions of SSL to work, but that sounds like a really bad idea to me. I think a better idea would be to download an older browser and run it as needed for that particular site.

It appears SSLv3 support was removed in Firefox 34:

SSLv3 will be disabled by default in Firefox 34

So you could run a separate instance of Firefox 33 just for accessing that particular router:

Linux

This will download Firefox 33 and run it with a separate profile so it won't affect any existing Firefox configuration you may have:

wget https://ftp.mozilla.org/pub/firefox/releases/33.0/linux-x86_64/en-US/firefox-33.0.tar.bz2
tar -xvf firefox-33.0.tar.bz2
cd firefox
mkdir profile
# Disable automatic updates and default browser check
echo "user_pref(\"app.update.enabled\", false);
user_pref(\"browser.shell.checkDefaultBrowser\", false);" > profile/user.js
./firefox --profile profile

I've got a gist with some more versions here: https://gist.github.com/bmaupin/731fc12a178114883ff6e7195a133563

Windows

You can download a portable version of Firefox 33 here: https://sourceforge.net/projects/portableapps/files/Mozilla%20Firefox%2C%20Portable%20Ed./Mozilla%20Firefox%2C%20Portable%20Edition%2033.0/

bmaupin
  • 121
  • 4
0

I had the same issue where I could not get to the configuration page of my router. I had SSL enabled in the options of IE and still could not get to the page, because there was no link on the page in IE to accept and move forward.

After playing with Firefox and Chrome, the solution was to use IE, but I had to run the command below at the command line first to get the link to display after the warning in IE. Hope this helps someone else, after I ran around in circles for an hour.

Open cmd and run the following then open IE to the router page.

certutil -setreg chain\minRSAPubKeyBitLength 512
techraf
  • 9,149
  • 11
  • 44
  • 62