Wich Web Browser On CentOS6 ?

Home » CentOS » Wich Web Browser On CentOS6 ?
CentOS 14 Comments

Hello

I have more and more troubles using firefox in professional environment with CentOS6. The latest version is 45.7.0 But I can’t use it anymore to access some old server hardware (IDRAC7 of DELL C6100) because of
“/SSL_ERROR_WEAK_SERVER_CERT_KEY/”. I had to install an old Firefox32 version to administrate these servers.

Today I upgrade the firmware of 2 DELL switch and now Firefox cannot connect to them anymore saying:
/An error occurred during a connection to xxx.xxx.xxx.xxx. The server rejected the handshake because the client downgraded to a lower TLS version than the server supports//
//SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT

/Is there a CentOS6 recommended web browser allowing continuous connections to olds and new base level (and local) system administration services ?

Thanks

Patrick

14 thoughts on - Wich Web Browser On CentOS6 ?

  • Hm,

    an Idee is to use a docker instance. I do that at my office, because need JAVA 1.6 in the browser.

    Sincerely

    Andy

    Am Freitag, den 10.02.2017, 12:26 +0100 schrieb Patrick Begou:

  • Can you try: (in Firefox’s about:config):
    possible workaround for SSL_ERROR_WEAK_SERVER_CERT_KEY
    security.ssl3.dhe_rsa_aes_128_sha
    security.ssl3.dhe_rsa_aes_256_sha

    possible workaround for SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT
    security.tls.version.max 3 -> 1

    You might want to revert for safer browsing, after.

    maybe different profiles with differents security setup?

    Cheers

    Tru

  • Tru Huynh wrote:
    These are yet set to true. With this setting I get SSL_ERROR_NO_CYPHER_OVERLAP and I cannot connect to the switch. Of course I can re-activate the old firmware version of the switch, but it has a bug I would like to solve too…..

    I know that to remains compatible with old config could have security problems but all of these devices use dedicated ports (IDRAC, Out of band port management) on a private network which could be easily isolated. The idea is to have a browser dedicated to this administration (instead of several versions/profiles)

    Thanks all for your suggestion to find a solution or detailing your local work around….

    Patrick

  • This situation arises because older, dare I say old, equipment released with embedded software and using http/https as the administrative front end were shipped with minimally compliant x-509
    certificates. Often self-signed with 1kb keys and md5 signature hashes. Not to mention many are past their expiry dates.

    However, given the revelations of state sanctioned snooping on network traffic browsers are being pushed to implement increased compliance checking for the overall security of users. Firefox is simply implementing what various ‘authorities’ are recommending as secure practices with respect to authentication using pki and x-509
    certificates.

    The present situation is a PIA. It could be a lot more user-friendly if FF so chose. They could have easily allowed one to turn off these advanced compliance checks for specific IP and DNS addresses so that the intended benefit remained but the interference with existing infrastructure was minimised.

    But, FF is on its own chosen path to oblivion and the idea of compromise is totally absent from their project plan.

  • IMHO FireFox is doing the right thing. Compromises in policy is how system compromises often happen.

    If you can change the setting to be more forgiving of certain bad vendors, then so can malware.

    What we really need to do is demand better from the manufacturers of products we use in a “professional environment” – and it is extremely important we demand better from them now, during the dawn of IoT.

  • you get ‘better’ from vendors by maintaining paid support contracts, doing frequent firmware updates, and regular hardware updates. the hardware in question here is likely over 5 years old (I know this too well, I have a rack full of 3-6 year old hardware in my lab at work, all of which is off support due to it being test/dev, and corporate budgetary constraints).

    Chrome is even worse as far as making it impossible to connect to older embedded services like the various IPMI remote consoles, etc.

  • FYI you can download any previous release of Firefox from the URL below, and it will run right out of its own directory without being ‘installed’
    per se. So you could find one that is compatible and keep it separate from the one you use for regular browsing. You’d probably want to run it as a different user on your box, and/or a separate profile.

    http://ftp.mozilla.org/pub/firefox/releases/

    Or if you don’t want to worry about which user and profile you’re in, you could try an equivalent release of SeaMonkey.

    http://ftp.mozilla.org/pub/seamonkey/releases/

    Either way it would enable you to have a more secure, up-to-date browser for regular use while also having one that is compatible with the other systems you need to use.

  • Yes David, I’m using a release 32 of Firefox to reach my olds C6100
    IDRAC7 interface. The problem is for latest Firefox versions as they require libgtk-3 not available in CentOS6/RHEL6 distribution.

    Today I use a very very bad solution to reach my switch with latest firmware version from the latest Firefox available in CentOS: I disable https and use http…. Even if it is on a private network, in a dedicated vlan behind a firewall… I don’t like this.

    Patrick

    David Nelson a

  • I did once build pm on CentOS6 as poc, but after switched to the distributed binaries. 26.x is the end of line for CentOS6, and I haven’t tried building 27.x. Maybe I’ll try that, addressing the library situation with custom or static versions.

  • It is a bit difficult for an end user to insist that a vendor improve a ten year old piece of equipment. Sure, that might be as simple as a firmware update. But why not insist that people buy new product instead and thereby add to the bottom line? Which way do see most commercial firms going?

    FF is a consumer item that is being shipped with a supposedly Enterprise Linux distribution. This leads to problems that are created by the divergence between the target audience and Enterprise users. Enterprises tend to have a much more robustly secured gateware to the wider Internet than consumers. Which for that audience makes a lot of the more esoteric security enhancements rather useless. If an intruder can carry out a MTM attack on your internal LAN then nothing FF can do is going to have much of an effect.

    A professional organisation would not simply cut administrators off from the devices that they are required to manage. Nor would it dictate how a company spends its money on hardware. A bunch of self-righteous zealots might. Which may account for the fact that FF
    (all versions) market share is now less than 10%.[1]

    [1]
    https://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0&qptimeframe=M&qpsp!6&qpfilter=ColumnName%09LK%09Fire*

LEAVE A COMMENT