No TLS 1.2 support in .6137

Dolfi

Banned
Hi,

At least you support TLS 1.1 (.5997 only supports TLS 1.0 :( ), but support for TLS 1.2 (and an option to disable SSL 3, TLS 1.0 and 1.1) is still missing.
I would prefer to see the production version fixed, but at least add that to the upcoming ones.

IMHO this is a priority "1" (or "A") task!


Thank you,
Dolfi
 

avatar

Administrator
Staff member
Administrator
Working on it.

It's rather complex to do. The problem is that we can't detect whether the server supports TLS 1.2 or not.
And if we simply switch to TLS 1.2 and the server does not support it, it will reset the connection.

We'll find a solution but we need time to properly implement it.
 

Dolfi

Banned
Working on it.
Great, thx!
It's rather complex to do. The problem is that we can't detect whether the server supports TLS 1.2 or not.
And if we simply switch to TLS 1.2 and the server does not support it, it will reset the connection.
You might want to think that over. See the list of your supported browsers!
Most of them negotiate (the best!) security with the server.

Why would AG be different? AG is a "bloody client" like any other.

Regards, Dolfi
 

avatar

Administrator
Staff member
Administrator
You might want to think that over. See the list of your supported browsers!
Most of them negotiate (the best!) security with the server.
They handle connection resets in the right way (downgrading the protocol 1.2 -> 1.1 -> 1.0 until the connection is established).
We should do the same, I think, but let's wait for our driver dev's answer; he understands the situation better than me.
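The reset-and-retry fallback described in the post above is what browsers did at the time. It is also exactly the behaviour an on-path attacker can trigger by resetting the client's first connection, which is why RFC 7507 defined the TLS_FALLBACK_SCSV signalling suite: a client that retries at a lower version includes it, and a server that could have done better refuses the retry with an inappropriate_fallback alert. The following is an added example, not Adguard's code and not from this thread; it models both sides with integers standing for protocol versions and plain functions standing for a compliant server, a version-intolerant server that resets, a client falling back 1.2 -> 1.1 -> 1.0, and an attacker that injects resets. The cipher suite value 0xC02F is only a stand-in for a real suite list.

```python
"""Model of TLS version negotiation and reset-driven client fallback.

Added example, not Adguard's code. Integers stand for protocol versions and
plain functions stand for the server and for an on-path attacker; no sockets.
"""
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600   # RFC 7507 signalling cipher suite value
REAL_SUITE = 0xC02F          # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, stands in for the real list
NAMES = {SSL3: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}


class ConnectionReset(Exception):
    """What the client sees: a TCP RST or abrupt close instead of a ServerHello."""


class InappropriateFallback(Exception):
    """The inappropriate_fallback alert of RFC 7507 section 3."""


def make_server(max_version, intolerant=False):
    """Return a handshake function for a server whose highest version is max_version.

    A compliant server (RFC 5246 appendix E) answers min(client_max, max_version).
    With intolerant=True it resets when offered a version above max_version,
    which is the misbehaviour that made browsers implement fallback at all.
    """
    def handshake(client_max, cipher_suites):
        if intolerant and client_max > max_version:
            raise ConnectionReset(f"server does not understand {NAMES[client_max]}")
        if TLS_FALLBACK_SCSV in cipher_suites and client_max < max_version:
            # The client says it is retrying lower than it could, and we would
            # have accepted more: the reset it saw was not ours, so refuse.
            raise InappropriateFallback(f"client fell back to {NAMES[client_max]}")
        return min(client_max, max_version)
    return handshake


def make_reset_attacker(ceiling):
    """On-path attacker that resets every connection offering more than `ceiling`."""
    def attacker(client_max):
        if client_max > ceiling:
            raise ConnectionReset("attacker-injected RST")
    return attacker


def connect_with_fallback(server, attacker=None, signal_fallback=True,
                          versions=(TLS12, TLS11, TLS10)):
    """Browser-style fallback: try versions highest first, drop one on each reset.

    Returns (negotiated_version, attempts) where attempts is a list of
    (offered_version, "ok" | "reset"). With signal_fallback=True every retry
    carries TLS_FALLBACK_SCSV so a capable server can detect the downgrade.
    """
    attempts = []
    for i, offered in enumerate(versions):
        suites = [REAL_SUITE]
        if i > 0 and signal_fallback:
            suites.append(TLS_FALLBACK_SCSV)
        try:
            if attacker is not None:
                attacker(offered)
            negotiated = server(offered, suites)
        except ConnectionReset:
            attempts.append((offered, "reset"))
            continue
        attempts.append((offered, "ok"))
        return negotiated, attempts
    raise ConnectionReset("no version accepted")


def run_scenarios():
    """Four runs worth comparing side by side; returns a dict of outcomes."""
    out = {}
    out["compliant_1.2"] = connect_with_fallback(make_server(TLS12))
    out["intolerant_1.0"] = connect_with_fallback(make_server(TLS10, intolerant=True))
    mitm = make_reset_attacker(TLS10)
    out["mitm_no_scsv"] = connect_with_fallback(make_server(TLS12), mitm, signal_fallback=False)
    try:
        connect_with_fallback(make_server(TLS12), mitm, signal_fallback=True)
        out["mitm_scsv"] = "downgraded"
    except InappropriateFallback:
        out["mitm_scsv"] = "downgrade detected"
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, "->", result)
```

The two middle scenarios are the point: against a genuinely intolerant TLS 1.0 server the fallback ends at TLS 1.0 and the SCSV raises no alarm, because the server could not have done better; against a TLS 1.2 server with an attacker resetting the first two attempts, the client without SCSV silently lands on TLS 1.0, while the client with SCSV gets the connection refused and knows something is wrong.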
 

Dolfi

Banned
They handle connection resets in the right way (downgrading the protocol 1.2 -> 1.1 -> 1.0 until the connection is established).
Wasn't that another USP, to pop up your balloon saying "that site is bloody insecure"*?
Not that it helped me on my S5Proxy, but the regular user gained, didn't he?


* link leading to a static site explaining TLS versions (one-time effort to set up)
 

avatar

Administrator
Staff member
Administrator
Wasn't that another USP, to pop up your balloon saying "that site is bloody insecure"*?
Not that it helped me on my S5Proxy, but the regular user gained, didn't he?


* link leading to a static site explaining TLS versions (one-time effort to set up)
Not sure about this. 99.9% of websites don't use SSL at all.
So complaining about sites with some old SSL version and ignoring the 99.9% of sites with plain HTTP is rather strange.
 

Dolfi

Banned
Not sure about this. 99.9% of websites don't use SSL at all.
So complaining about sites with some old SSL version and ignoring the 99.9% of sites with plain HTTP is rather strange.
Maybe not yet.
Besides that, non-secure sites are irrelevant: the user (is stupid/unknowledgeable AND/or) opens an insecure site knowing it is insecure.
Even your security-aware customer opens an HTTPS site and is not aware that AG weakens his very newest browser's security and encryption.

At least you should
a) use/provide the best security towards the actual website to customers,
b) tell customers the security level the website provides (again, a USP, if you just did it).
 

Dolfi

Banned
Hi avatar,

According to SSL Labs, the new .6137 (file date 11.12.14) does support TLS 1.2 and TLS 1.0 (but not 1.1?? I would not understand why 1.0 is supported but not 1.1.)
It also stopped supporting SSLv2/v3, which is good (one can still set an exception for oooooutdated servers).


Regards, Dolfi
 

avatar

Administrator
Staff member
Administrator
We definitely do not support TLS 1.2 now.

Do you have an upstream proxy?
 

Dolfi

Banned
It has to be you, because:
TLS.1.2b.jpg
- VPN disabled
- AM disabled
- AG does not use proxy
- FF does not use proxy

Also, as soon as AG's HTTPS scanning is disabled, the exact same page says
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 Yes
whereas when AG does HTTPS scanning (the only change from before is setting that checkmark) it says
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 Yes
SSL 3 No



Would you be helped by a packet log (libpcap format)? Or which files are responsible? I could send you my version of .6137.



Regards, Dolfi
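The disagreement above (the SSL Labs client page reporting one set of versions, the developer stating that the product does not send TLS 1.2) is the kind of question a packet log settles, because the ClientHello the filtering proxy sends to the origin server states the highest version it is prepared to speak. The following added example, not Adguard's code and not from this thread, builds two ClientHello records from constructed values and parses them back, pulling out the fields that matter: the record-layer version (almost always 0x0301 for compatibility, and easy to misread as "only TLS 1.0"), the handshake client_version, the supported_versions extension that TLS 1.3-capable clients add, and whether the suite list carries TLS_FALLBACK_SCSV, which marks a retry after a reset. With a real capture you would feed in the first TLS record of the client's TCP payload, the bytes starting with 0x16.

```python
"""Parse a TLS ClientHello to see which protocol version a client really offers.

Added example, not Adguard's code. The sample hellos are constructed in-script;
with a real capture, pass in the first TLS record of the client's TCP payload.
"""
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling suite, present on a fallback retry
EXT_SUPPORTED_VERSIONS = 0x002B     # RFC 8446 extension, only sent by TLS 1.3-capable clients
NAMES = {0x0300: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}


def build_client_hello(client_version, cipher_suites, supported_versions=None):
    """Build a minimal ClientHello record with the given handshake version.

    The record-layer version is fixed at 0x0301 on purpose: that is what most
    clients put there for compatibility, whatever they actually support.
    """
    body = struct.pack(">H", client_version) + bytes(32) + b"\x00"   # version, zero random, empty session id
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += b"\x01\x00"                                              # compression methods: null only
    if supported_versions:
        vs = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(vs) + 1) + bytes([len(vs)]) + vs
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16" + struct.pack(">H", TLS10) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return the version fields, cipher suites and extensions of a ClientHello record."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack(">HH", data[1:5])
    hs = data[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("record does not carry a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 0
    client_version = struct.unpack(">H", body[off:off + 2])[0]
    off += 2 + 32                                 # skip client_random
    off += 1 + body[off]                          # skip session id
    cs_len = struct.unpack(">H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                          # skip compression methods
    extensions = {}
    if off < len(body):
        ext_len = struct.unpack(">H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off < end:
            etype, elen = struct.unpack(">HH", body[off:off + 4])
            off += 4
            extensions[etype] = body[off:off + elen]
            off += elen
    supported = None
    if EXT_SUPPORTED_VERSIONS in extensions:
        raw = extensions[EXT_SUPPORTED_VERSIONS]
        supported = [struct.unpack(">H", raw[i:i + 2])[0] for i in range(1, 1 + raw[0], 2)]
    # Without supported_versions, the handshake client_version is the maximum the
    # client offers; the record-layer version says nothing about that.
    max_offered = max(supported) if supported else client_version
    return {
        "record_version": record_version,
        "client_version": client_version,
        "cipher_suites": suites,
        "fallback_scsv": TLS_FALLBACK_SCSV in suites,
        "supported_versions": supported,
        "max_offered": max_offered,
    }


# Constructed sample 1: a TLS 1.2 client retrying after a reset (carries the SCSV).
SAMPLE_FALLBACK_HELLO = build_client_hello(TLS12, [0xC02F, 0xC030, 0x002F, TLS_FALLBACK_SCSV])
# Constructed sample 2: a TLS 1.3-capable client, legacy version pinned to 1.2.
SAMPLE_TLS13_HELLO = build_client_hello(TLS12, [0x1301, 0xC02F], supported_versions=[TLS13, TLS12])

if __name__ == "__main__":
    for label, hello in (("fallback retry", SAMPLE_FALLBACK_HELLO), ("tls1.3 client", SAMPLE_TLS13_HELLO)):
        info = parse_client_hello(hello)
        print(label, "record", NAMES[info["record_version"]], "max offered", NAMES[info["max_offered"]],
              "fallback_scsv", info["fallback_scsv"])
```

The field to compare against a client-test page is max_offered, not record_version: a record version of 0x0301 wrapping a client_version of 0x0303 is normal and does not mean the client is limited to TLS 1.0. Seeing TLS_FALLBACK_SCSV in the suite list tells you the hello you are looking at is already a retry, so the interesting record is the earlier one that got reset.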
 

avatar

Administrator
Staff member
Administrator
No need, I know what protocol we use for handshake.

Maybe there's an error in the SSL Labs test.
 

vasily_bagirov

Administrator
Staff member
Administrator
An update on the topic: a new beta was just released: v.5.10.1199.6229

TLS 1.2 support is introduced there, although Adguard switches to 1.2 only if previous TLS versions are not supported by the server.
 