no TLS 1.2 support in .6137

Discussion in 'Quality Control' started by Dolfi, Dec 12, 2014.

  1. Dolfi (Banned)

    Hi,

    at least you support TLS 1.1 (.5997 only supports TLS 1.0 :() but support for TLS 1.2 (and an option to disable SSL 3, TLS 1.0 and 1.1) is still missing.
    I would prefer to see the production version fixed, but at least add that to the upcoming ones.

    IMHO this is a priority "1" (or "A") task!


    Thank you,
    Dolfi
  2. avatar (Administrator, Staff Member)

    Working on it.

    It's rather complex to do. The problem is that we can't detect whether a server supports TLS 1.2 or not.
    And if we simply switch to TLS 1.2 and the server does not support it, it will reset the connection.

    We'll find a solution but we need time to properly implement it.
  3. Dolfi (Banned)

    Great, thx!
    You might want to think that over. See the list of your supported browsers!
    Most of them negotiate the (best!) security with the server.

    Why would AG be different? AG is a "bloody client" as any other.

    Regards, Dolfi
  4. avatar (Administrator, Staff Member)

    They are handling connection reset in the right way (downgrading protocol 1.2->1.1->1.0 until the connection is established).
    We should do the same I think but let's wait for our driver dev's answer, he understands the situation better than me.
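    The version question raised in posts 2 and 4 is answered on the wire: a compliant server replies to a ClientHello with the highest version it supports that is not above the client's offer, so the negotiated version can be read from its ServerHello, and only a non-compliant server resets the connection or sends a protocol_version alert. The following is an added example, not Adguard's code; the ServerHello and alert records are constructed sample data.

```python
import struct

# TLS protocol_version values as they appear on the wire (major, minor).
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT, HANDSHAKE = 21, 22
SERVER_HELLO = 2

def server_picks(client_version, server_versions):
    """Version a compliant server selects (RFC 5246, Appendix E): the highest it
    supports that is <= the client's offered version; None means handshake failure."""
    candidates = [v for v in server_versions if v <= client_version]
    return max(candidates) if candidates else None

def build_server_hello(version, cipher_suite, session_id=b""):
    """Construct a minimal ServerHello record (constructed test data, no extensions)."""
    body = bytes(version) + b"\x11" * 32 + bytes([len(session_id)]) + session_id
    body += struct.pack("!HB", cipher_suite, 0)  # chosen cipher suite, null compression
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version is commonly 3.1 regardless of the negotiated version.
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs

def parse_server_reply(record):
    """Classify the first record a server returns after a ClientHello:
    a ServerHello gives the negotiated version, an Alert explains a refusal."""
    if len(record) < 5:
        raise ValueError("record too short")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    if ctype == ALERT:
        if length != 2:
            raise ValueError("malformed alert")
        return {"alert": payload[1], "fatal": payload[0] == 2}  # 70 = protocol_version
    if ctype != HANDSHAKE or payload[0] != SERVER_HELLO:
        raise ValueError("expected ServerHello")
    hs_len = int.from_bytes(payload[1:4], "big")
    hs = payload[4:4 + hs_len]
    # version(2) + random(32) + session_id_len(1) + cipher(2) + compression(1)
    if len(hs) != hs_len or len(hs) < 38:
        raise ValueError("truncated ServerHello")
    version = (hs[0], hs[1])
    pos = 35 + hs[34]  # skip the variable-length session id
    if len(hs) < pos + 3:
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    return {"negotiated": TLS_VERSIONS.get(version, "unknown %r" % (version,)), "cipher_suite": cipher}

# Constructed samples: a server that picked TLS 1.2, one stuck at TLS 1.0, and a fatal protocol_version alert.
SERVER_TLS12 = build_server_hello((3, 3), 0xC02F)
SERVER_TLS10 = build_server_hello((3, 1), 0x002F, session_id=b"\xaa" * 8)
ALERT_PROTOCOL_VERSION = bytes([ALERT, 3, 1, 0, 2, 2, 70])
```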
  5. Dolfi (Banned)

    Wasn't that another USP, to pop up your balloon saying "that site is bloody insecure"*?
    Not that it helped me on my S5Proxy, but the regular user gained, didn't he?


    * link leading to a static site explaining TLS versions (single time effort to set up)
  6. avatar (Administrator, Staff Member)

    Not sure about this. 99.9% of websites don't use SSL at all.
    So complaining about sites with some old SSL version and ignoring the 99.9% of sites with plain HTTP is rather strange.
  7. Dolfi (Banned)

    Maybe not yet.
    Besides that, non-secure sites are irrelevant: the user (is stupid/unknowledgeable AND/or) opens an insecure site knowing it is insecure.
    Even your security-aware customer opens an HTTPS site and is not aware that AG weakens his very newest browser's security and encryption.

    At least you should
    a) use/provide best security towards the actual website to customers
    b) tell customers the security level the website provides (again, a USP, if you just did it).
  8. Dolfi (Banned)

    Hi avatar,

    according to SSLLabs the new .6137 (file date 11.12.14) does support TLS 1.2 and TLS 1.0 (but not 1.1?? - would not understand why 1.0 is supported but not 1.1?)
    It also stopped supporting SSLv2/v3 which is good (one still can set an exception for oooooutdated servers).


    Regards, Dolfi
  9. avatar (Administrator, Staff Member)

    We definitely do not support TLS 1.2 now.

    Do you have an upstream proxy?
  10. Dolfi (Banned)

    It has to be you, because:
    [attachment: TLS.1.2b.jpg]
    - VPN disabled
    - AM disabled
    - AG does not use proxy
    - FF does not use proxy

    Also, as soon as AG's HTTPS scanning is disabled, the exact same page says
    TLS 1.2 Yes
    TLS 1.1 Yes
    TLS 1.0 Yes
    SSL 3 Yes
    whereas when AG does HTTPS scanning (only change to before is setting that checkmark) it says
    TLS 1.2 Yes
    TLS 1.1 No
    TLS 1.0 Yes
    SSL 3 No
    Would you be helped by a packet log (libpcap format)? Or which files are responsible? I could send you my version of .6137
    Regards, Dolfi
  11. avatar (Administrator, Staff Member)

    No need, I know what protocol we use for handshake.

    Maybe there's an error in the SSL Labs test.
  12. vasily_bagirov (Administrator, Staff Member)

    An update on the topic: a new beta was just released: v.5.10.1199.6229

    TLS 1.2 support is introduced there, although Adguard switches to 1.2 only if the previous TLS versions are not supported by the server.
  13. mysteriously (Beta Tester & Translator)

    Thanks for the info