TLS 1.3 test page doesn't work?


Post by Sampei Nihira » 2018-08-15, 08:27

Hi.
The website below does not work on Basilisk and Pale Moon 28:

https://suche.org/sslClientInfo

Please verify.
TH.

Moonchild
Pale Moon guru
Posts: 35478
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: TLS 1.3 test page doesn't work?

Post by Moonchild » 2018-08-15, 08:39

Code:

10:35:47.799 None of the “sha384” hashes in the integrity attribute match the content of the subresource. 1 sslClientInfo

i.e.: webmaster error. If they provide integrity hashes, they must not edit their script afterwards. Although this may be by design to detect if SRI is supported.

Code:

XML Parsing Error: not well-formed
Location: https://suche.org/SslHandshakeInfo
Line Number 1, Column 1076:
SslHandshakeInfo:1:1076
TypeError: req.responseXML is null[Learn More]
dF8eao4xCC3Q9xGTR1dULu5X2FQ.js:1:8596

Scripting error: spits out malformed XML. The parser refuses it, so there's nothing to display further on.
Last edited by Moonchild on 2018-08-15, 08:55, edited 2 times in total.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

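Added example (not part of the thread and not the site's code): a Python check for the Subresource Integrity mismatch in the first console message above, showing why editing a script after its hash is published makes the browser reject it. The script contents and function names are constructed for illustration.

```python
import base64
import hashlib

# Hash functions SRI defines, weakest to strongest.
SRI_ALGS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}

def sri_value(content: bytes, alg: str = "sha384") -> str:
    """Return the integrity token (alg-base64digest) for the given bytes."""
    digest = SRI_ALGS[alg](content).digest()
    return alg + "-" + base64.b64encode(digest).decode("ascii")

def integrity_matches(content: bytes, integrity: str) -> bool:
    """Check content the way a browser does: strongest listed algorithm only,
    and any one hash of that algorithm may match."""
    parsed = []
    for token in integrity.split():
        alg, sep, rest = token.partition("-")
        if sep and alg in SRI_ALGS:
            parsed.append((alg, rest.split("?", 1)[0]))  # drop ?options
    if not parsed:
        return True  # no usable metadata: the resource loads unchecked
    order = list(SRI_ALGS)
    strongest = max((alg for alg, _ in parsed), key=order.index)
    expected = {value for alg, value in parsed if alg == strongest}
    actual = sri_value(content, strongest).split("-", 1)[1]
    return actual in expected

# Constructed sample: a script as published, and the same file edited later.
PUBLISHED = b"function showInfo(x) { render(x); }\n"
EDITED = PUBLISHED + b"// small fix added after the hash was generated\n"

def demo() -> dict:
    pinned = sri_value(PUBLISHED)
    rollover = pinned + " " + sri_value(EDITED)  # old and new hash listed during a deploy
    return {
        "published_ok": integrity_matches(PUBLISHED, pinned),
        "edited_ok": integrity_matches(EDITED, pinned),
        "edited_ok_with_rollover": integrity_matches(EDITED, rollover),
    }

if __name__ == "__main__":
    print(demo())
```

Running the same comparison in a deploy step, against the file actually served, catches the mismatch before a browser does.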

Re: TLS 1.3 test page doesn't work?

Post by Moonchild » 2018-08-15, 08:54

Further investigation shows the XML being the problem:

Code:

<e id='69 obsoleted='1'' pfs='weak' keySize='128' name='TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA'/>
<e id='136 obsoleted='1'' pfs='weak' keySize='256' name='TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA'/>

Because they are apparently in the "AES is the only good cypher" camp and want to mark Camellia "obsolete", their script generates invalid XML due to nested quotes (obsoleted='1' inside a single-quoted id attribute). In addition, forward secrecy (pfs) for those suites is not "weak"! So even if it worked, their results are clearly extremely biased. I would take any results you get from it with a few drams of salt.

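Added example (not part of the thread and not the site's code): the element quoted in the post above run through a strict XML parser, next to the same attributes emitted by a serializer. How the site actually builds its output is not shown on the page, so `element_by_concat` is an assumed reconstruction of the quoting bug, and all function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Element exactly as quoted in the thread.
BROKEN = ("<e id='69 obsoleted='1'' pfs='weak' keySize='128' "
          "name='TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA'/>")

def is_well_formed(xml_text: str) -> bool:
    """Gate to run on generated XML before it is served."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def element_by_concat(suite_id: str, flag: str, name: str) -> str:
    # Assumed shape of the bug: the flag text is appended to the id value
    # before the closing quote is written.
    return "<e id='" + suite_id + flag + "' name='" + name + "'/>"

def element_by_serializer(attrs: dict) -> str:
    # Each attribute is its own key; the serializer quotes and escapes values.
    return ET.tostring(ET.Element("e", attrs), encoding="unicode")

def read_attrs(xml_text: str) -> dict:
    """Parse one element and return its attributes."""
    return dict(ET.fromstring(xml_text).attrib)

if __name__ == "__main__":
    name = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"
    print(is_well_formed(BROKEN))
    print(is_well_formed(element_by_concat("69", " obsoleted='1'", name)))
    good = element_by_serializer(
        {"id": "69", "obsoleted": "1", "keySize": "128", "name": name})
    print(good, is_well_formed(good))
```

A strict parser rejects the whole document on the first such element, which is why `req.responseXML` is null in the console output earlier in the thread.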
Smokey20

Re: TLS 1.3 test page doesn't work?

Post by Smokey20 » 2018-08-17, 02:06

It works fine on Fx52.9 ESR and on Vivaldi and even Edge.

But you say that site is a test site for TLS 1.3? Qualys says the site uses TLS 1.2 and doesn't give any comment about TLS 1.3. On Fx 52.9 ESR and Vivaldi TLS 1.2 is used at the site and Basilisk is using TLS 1.2 there also (I get errors trying to tell what Edge uses there...probably TLS 1.2). Basilisk and Vivaldi use TLS 1.3 but not there (Fx 52.9 ESR has been blocked by Mozilla from using TLS 1.3 anywhere). So how is it a test site for TLS 1.3 when it is limited to TLS 1.2 for all browsers?


Re: TLS 1.3 test page doesn't work?

Post by Moonchild » 2018-08-17, 05:37

Smokey20 wrote: It works fine on Fx52.9 ESR and on Vivaldi and even Edge.

Please read my previous post again. I explained why this site doesn't work -- it's a problem on their end due to their own "special classification" of Camellia. Since Firefox doesn't support Camellia anymore (due to an arbitrary decision made a while back) the script doesn't run into its own error there. I'm assuming the same goes for WebKit and Edge likely jumping on the AES-exclusive wagon.

Part of me hopes that the known weakening vulnerabilities of AES get exploited sometime, punishing the mainstream browsers for putting all their eggs in a known-weaker basket.
Last edited by Moonchild on 2018-08-17, 05:40, edited 1 time in total.

Smokey20

Re: TLS 1.3 test page doesn't work?

Post by Smokey20 » 2018-08-17, 07:18

Moonchild wrote:
Smokey20 wrote: It works fine on Fx52.9 ESR and on Vivaldi and even Edge.
Please read my previous post again. I explained why this site doesn't work -- it's a problem on their end due to their own "special classification" of Camellia.

Yes, you did explain and it didn't sink in...sorry. This brings up, for me, something I find frustrating about Basilisk. I loved Pale Moon Commander when I was using Pale Moon. I really liked being able to see the cipher suites and choose which to use. (I was used to detailed security settings because I used the original Opera for many years). I can't see the cipher suites used in Basilisk. I wasn't sure whether Camellia was being used or not. I would love a Basilisk Commander.

Oh, I suppose I can find the cipher suites in about:config. I recall Mozilla put them there in Fx...hid them basically. Yep, I see them. But having the cipher suites presented so neatly in Pale Moon Commander (and in the original Opera) spoiled me!
