eww + w3m / GnuTLS TLSv1 support ?

eww + w3m / GnuTLS TLSv1 support ?

[Jason Vas Dias]

Good day -

  I need to access the website of a modem which ONLY supports
  TLS Version 1.0 - the only CURL options that work for it
  are :
    $ curl -ik --tlsv1.0 --basic -u$USER':'$PASS 'https://192.168.1.1'
  ( options '--tlsv1.'{1,2,3} NO NOT WORK AT ALL ! )
  OpenSSL s_client also works with ONLY the '-tls1' option
  (but does not do the HTTP Basic Auth as curl does).
  
  I only have access to my up-to-date Fedora 34 Linux x86_64 host,
  or my Android Phone on the WiFi network it serves with hostapd.

  It has been the case for a while that Firefox / Chrome for Linux
  do not permit me to use TLS-v1 - only Windows 10's Internet Explorer
  used to work, when run from a Qemu/KVM Windows VM under Linux - but now,
  with latest Windows 10 update, even this support has been removed.

  So my only home internet connection router's operations / management
  web-page is now completely inaccessable to me from any of 6 modern browsers
  I have installed on Linux or Windows :
    ( latest Firefox, latest Chrome, w3m , eww, lynx, MS-Edge, MS-IE ) -
  none of them support TLSv1.0 .

  It would be great if W3M or EWW (which I think both use GnuTLS ?)
  could somehow allow users to set the TLS version to use - then
  at least I'd be able to view the router configuration, if not
  make changes (that woud require JavaScript, but that's another
  issue) .

  Can W3M or EWW be made to use 'curl' or 'openssl s_client' under
  the hood for the HTTPS connection ? I think that might be easiest
  option to develop something quickly that works ...

  An attempt to make Emac's GnuTLS connect the the TLSv1 only website
  fails :
  (defvar my-tls-stream nil)
  (set-variable my-tls-stream (open-gnutls-stream "tls" "tls-buffer" "192.168.1.1" "https"))^X+^E

  my-tls-stream:
  gnutls.el: (err=[-8] A packet with illegal or unsupported version \
  was received.)  boot: (:priority NORMAL:%DUMBFW :hostname \
  192.168.1.1 :loglevel 0 :min-prime-bits nil :trustfiles \
  (/etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem) \
  :crlfiles nil :keylist nil :verify-flags nil :verify-error nil \
  :callbacks nil)
   Entering debugger...

  Unfortunately the modem is not rooted and while I can SSH to the
  modem, which can be done ONLY using SSH settings:
    -o
  KexAlgorithms=diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
 
  I cannot make any configuration changes with the SSH login non-root
  session - only the web page can interact with daemons that run as root..

  The only way of making configuration changes is via the JavaScript
  TLSv1.0 website , for which I need a text-mode HTML Forms supporting
  browser with basic JavaScript support (I have nodejs, it should not be too
  difficult to get EWW or W3M to run JavaScript scripts? ).

  It seems more fun & useful to extend EWW / W3M to support
  TLS version & protocol configuration & to be able to run
  JavaScript 'XmlHttpTransaction's via nodejs than to try to
  build an old version of Firefox / Mozilla / SeaMonkey / Chrome that
  supports TLSv1.0 - I might be into doing a little work on that.

  Is there any work going on in that direction ?
  If so , please let me know - any tips how to get W3M or EWW to
  browse a website only over TLSv1 or using 'curl' or 'libcurl' C API
  with specified options as underlying  transport would be much appreciated.

Thank You & Best Regards,
Jason Vas Dias

 
  
  
 

Re: eww + w3m / GnuTLS TLSv1 support ?

[Herbert J. Skuhra]

On Sun, Feb 13, 2022 at 02:58:15PM +0000, Jason Vas Dias wrote:
> Good day -
> 
>   I need to access the website of a modem which ONLY supports
>   TLS Version 1.0 - the only CURL options that work for it
>   are :
>     $ curl -ik --tlsv1.0 --basic -u$USER':'$PASS 'https://192.168.1.1'
>   ( options '--tlsv1.'{1,2,3} NO NOT WORK AT ALL ! )
>   OpenSSL s_client also works with ONLY the '-tls1' option
>   (but does not do the HTTP Basic Auth as curl does).
>   
>   I only have access to my up-to-date Fedora 34 Linux x86_64 host,
>   or my Android Phone on the WiFi network it serves with hostapd.
> 
>   It has been the case for a while that Firefox / Chrome for Linux
>   do not permit me to use TLS-v1 - only Windows 10's Internet Explorer
>   used to work, when run from a Qemu/KVM Windows VM under Linux - but now,
>   with latest Windows 10 update, even this support has been removed.
> 
>   So my only home internet connection router's operations / management
>   web-page is now completely inaccessable to me from any of 6 modern browsers
>   I have installed on Linux or Windows :
>     ( latest Firefox, latest Chrome, w3m , eww, lynx, MS-Edge, MS-IE ) -
>   none of them support TLSv1.0 .

Have you tried to set 

security.tls.version.enable-deprecated to true

in Firefox (about:config)?

This still works with Firefox 97.0 and an old(er) SNOM 300 SIP phone.

I have created a separate Firefox profile for this use case.

Maybe other solutions like stunnel, etc. might work too.

-- 
Herbert

Re: eww + w3m / GnuTLS TLSv1 support ?

[Jason Vas Dias]

Yes, I did try that , and :
   security.tls.version_min                      :     1                (was 3)
 security.tls.version.enable-deprecated     :      false           (was true)

After I did this, I did get an 'Enable TLSv1.1 / TLSv1.2' button on FIRST
re-load of the page, but pressing this and re-loading had no effect. Still,
I have no option to accept the page's self-signed certificate or proceed,
but still  I get only
'Error code: SSL_ERROR_UNSUPPORTED_VERSION'
responses.

I then did try setting :

 security.tls.hello_downgrade_check       :     false           (was true)
 network.http.spdy.enforce-tls-profile       :     false          (was true)

Still no joy with Firefox 96, Chrome Unstable, EWW, W3M -
ideally, it would be nice if EWW or W3M would let me set
the TLS protocol version to use, with some variable setting -
that is really why I was posting to the emacs-devel list.

And I am curious as to if there is an Emacs package that
enables an 'inferior-nodejs-process' mode, like Slime's
'inferior-lisp-process' ,  that W3M and|or EWW could use
, to serve the HTML DOM XML for loaded pages,
and to run JavaScript with the DOM model in place
like a browser does - is work done / going on in this
direction ? Otherwise it might be nice project to take on ...

I did raise a Firefox bug about this also :

https://bugzilla.mozilla.org/show_bug.cgi?id=1755196

I am looking into setting up an Apache Module proxy that uses
libcurl to request the router webpage and serve it on my local
host, that seems to be the only way to fix this problem quickly ...

Thanks, Best Regards,
Jason Vas Dias
On 13/02/2022, Herbert J. Skuhra <herbert@gojira.at> wrote:
> On Sun, Feb 13, 2022 at 02:58:15PM +0000, Jason Vas Dias wrote:
>> Good day -
>>
>>   I need to access the website of a modem which ONLY supports
>>   TLS Version 1.0 - the only CURL options that work for it
>>   are :
>>     $ curl -ik --tlsv1.0 --basic -u$USER':'$PASS 'https://192.168.1.1'
>>   ( options '--tlsv1.'{1,2,3} NO NOT WORK AT ALL ! )
>>   OpenSSL s_client also works with ONLY the '-tls1' option
>>   (but does not do the HTTP Basic Auth as curl does).
>>
>>   I only have access to my up-to-date Fedora 34 Linux x86_64 host,
>>   or my Android Phone on the WiFi network it serves with hostapd.
>>
>>   It has been the case for a while that Firefox / Chrome for Linux
>>   do not permit me to use TLS-v1 - only Windows 10's Internet Explorer
>>   used to work, when run from a Qemu/KVM Windows VM under Linux - but
>> now,
>>   with latest Windows 10 update, even this support has been removed.
>>
>>   So my only home internet connection router's operations / management
>>   web-page is now completely inaccessable to me from any of 6 modern
>> browsers
>>   I have installed on Linux or Windows :
>>     ( latest Firefox, latest Chrome, w3m , eww, lynx, MS-Edge, MS-IE ) -
>>   none of them support TLSv1.0 .
>
> Have you tried to set
>
> security.tls.version.enable-deprecated to true
>
> in Firefox (about:config)?
>
> This still works with Firefox 97.0 and an old(er) SNOM 300 SIP phone.
>
> I have created a separate Firefox profile for this use case.
>
> Maybe other solutions like stunnel, etc. might work too.
>
> --
> Herbert
>
>

Re: eww + w3m / GnuTLS TLSv1 support ?

[Eli Zaretskii]

> From: Jason Vas Dias <jason.vas.dias@gmail.com>
> Date: Sun, 13 Feb 2022 16:48:00 +0000
> Cc: emacs-devel@gnu.org
> 
> Still no joy with Firefox 96, Chrome Unstable, EWW, W3M -
> ideally, it would be nice if EWW or W3M would let me set
> the TLS protocol version to use, with some variable setting -
> that is really why I was posting to the emacs-devel list.

AFAIU, in Emacs you should be able to request SSLv1 via the :priority
setting of gnutls-boot.  E.g., try to customize
gnutls-algorithm-priority to include "VERS-TLS1.1".

Re: eww + w3m / GnuTLS TLSv1 support ?

[Jason Vas Dias]

Thanks, Eli -

  I did try setting :

  (set-variable gnutls-algorithm-priority
   "LEGACY:VERS-TLS1.3:VERS-TLS1.2:VERS-TLS1.1:VERS-TLS1.0"
  )
  (set-variable my-tls-stream (open-gnutls-stream "tls" "tls-buffer"
"192.168.1.1" "https")
  )

 but still no joy :

gnutls.el: (err=[-50] The request is invalid.) boot: (:priority
LEGACY:VERS-TLS1.3:VERS-TLS1.2:VERS-TLS1.1:VERS-TLS1.0 :hostname
192.168.1.1 :loglevel 0 :min-prime-bits nil :trustfiles
(/etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem) :crlfiles nil
:keylist nil :verify-flags nil :verify-error nil :callbacks nil)
gnutls-negotiate: GnuTLS error: #<process tls>, -50

  On browsers, once I have got one to accept trying to use
  TLSv1.0 , which ATM stiil seems not to be possible,
  the next thing is I have to add the router's self-signed
  certificate to the browser's trust store, usually through some
  Advanced -> Add Security Exception "Site Security Exception List" -
  is there such a list for GnuTLS ? Or a way of specifying the
  equivalent of curls' '-k': 'do not validate certificate trust chain' option ?

Thanks, All the best,
Jason

On 13/02/2022, Eli Zaretskii <eliz@gnu.org> wrote:
>> From: Jason Vas Dias <jason.vas.dias@gmail.com>
>> Date: Sun, 13 Feb 2022 16:48:00 +0000
>> Cc: emacs-devel@gnu.org
>>
>> Still no joy with Firefox 96, Chrome Unstable, EWW, W3M -
>> ideally, it would be nice if EWW or W3M would let me set
>> the TLS protocol version to use, with some variable setting -
>> that is really why I was posting to the emacs-devel list.
>
> AFAIU, in Emacs you should be able to request SSLv1 via the :priority
> setting of gnutls-boot.  E.g., try to customize
> gnutls-algorithm-priority to include "VERS-TLS1.1".
>

Re: eww + w3m / GnuTLS TLSv1 support ?

[Herbert J. Skuhra]

On Mon, 14 Feb 2022 13:34:04 +0100, Jason Vas Dias wrote:
> 
> Thanks, Eli -
> 
>   I did try setting :
> 
>   (set-variable gnutls-algorithm-priority
>    "LEGACY:VERS-TLS1.3:VERS-TLS1.2:VERS-TLS1.1:VERS-TLS1.0"
>   )
>   (set-variable my-tls-stream (open-gnutls-stream "tls" "tls-buffer"
> "192.168.1.1" "https")
>   )
> 
>  but still no joy :
> 
> gnutls.el: (err=[-50] The request is invalid.) boot: (:priority
> LEGACY:VERS-TLS1.3:VERS-TLS1.2:VERS-TLS1.1:VERS-TLS1.0 :hostname
> 192.168.1.1 :loglevel 0 :min-prime-bits nil :trustfiles
> (/etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem) :crlfiles nil
> :keylist nil :verify-flags nil :verify-error nil :callbacks nil)
> gnutls-negotiate: GnuTLS error: #<process tls>, -50
> 
>   On browsers, once I have got one to accept trying to use
>   TLSv1.0 , which ATM stiil seems not to be possible,
>   the next thing is I have to add the router's self-signed
>   certificate to the browser's trust store, usually through some
>   Advanced -> Add Security Exception "Site Security Exception List" -
>   is there such a list for GnuTLS ? Or a way of specifying the
>   equivalent of curls' '-k': 'do not validate certificate trust chain' option ?

What operating system and version do you use? What Emacs and GnuTLS
version?

I cannot reproduce any of your issues. Here gnutls-algorithm-priority
is nil (default) and when I try to connect to my Snom phone with eww
the Network Security Manager shows a warning and prompts me to confirm
the low security connection. 

And in Firefox I only had to set
security.tls.version.enable-deprecated to true. Maybe try to get an
offical binary from: https://ftp.mozilla.org/pub/firefox/releases/

--
Herbert

Re: eww + w3m / GnuTLS TLSv1 support ?

[Jason Vas Dias]

[-- Attachment #1: Type: text/plain, Size: 2648 bytes --]

Enclosed is a patch to gnutls.el to allow users
to specify the default 'verify_flags' used by
gnutls_negotiate / gnutls_boot_parameters.

But still, I am getting error:

(set-variable my-tls-stream (open-gnutls-stream "tls" "tls-buffer"
"192.168.1.1" "https"))
gnutls.el: (err=[-50] The request is invalid.) boot: (:priority
LEGACY:VERS-TLS1.3:VERS-TLS1.2:VERS-TLS1.1:VERS-TLS1.0 :hostname
192.168.1.1 :loglevel 0 :min-prime-bits nil :trustfiles
(/etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem) :crlfiles nil
:keylist nil :verify-flags 251 :verify-error nil :callbacks nil)

I was now able to specify "verify-flags 251" by customizing
the new 'gnutls-verify-flags' variable (was 256) .

I'll have to dig in to precisely what flags 'curl -k --tlsv1.0'
uses to duplicate for Emac's gnutls ...



On 14/02/2022, Jason Vas Dias <jason.vas.dias@gmail.com> wrote:
> Thanks, Eli -
>
>   I did try setting :
>
>   (set-variable gnutls-algorithm-priority
>    "LEGACY:VERS-TLS1.3:VERS-TLS1.2:VERS-TLS1.1:VERS-TLS1.0"
>   )
>   (set-variable my-tls-stream (open-gnutls-stream "tls" "tls-buffer"
> "192.168.1.1" "https")
>   )
>
>  but still no joy :
>
> gnutls.el: (err=[-50] The request is invalid.) boot: (:priority
> LEGACY:VERS-TLS1.3:VERS-TLS1.2:VERS-TLS1.1:VERS-TLS1.0 :hostname
> 192.168.1.1 :loglevel 0 :min-prime-bits nil :trustfiles
> (/etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem) :crlfiles nil
> :keylist nil :verify-flags nil :verify-error nil :callbacks nil)
> gnutls-negotiate: GnuTLS error: #<process tls>, -50
>
>   On browsers, once I have got one to accept trying to use
>   TLSv1.0 , which ATM stiil seems not to be possible,
>   the next thing is I have to add the router's self-signed
>   certificate to the browser's trust store, usually through some
>   Advanced -> Add Security Exception "Site Security Exception List" -
>   is there such a list for GnuTLS ? Or a way of specifying the
>   equivalent of curls' '-k': 'do not validate certificate trust chain'
> option ?
>
> Thanks, All the best,
> Jason
>
> On 13/02/2022, Eli Zaretskii <eliz@gnu.org> wrote:
>>> From: Jason Vas Dias <jason.vas.dias@gmail.com>
>>> Date: Sun, 13 Feb 2022 16:48:00 +0000
>>> Cc: emacs-devel@gnu.org
>>>
>>> Still no joy with Firefox 96, Chrome Unstable, EWW, W3M -
>>> ideally, it would be nice if EWW or W3M would let me set
>>> the TLS protocol version to use, with some variable setting -
>>> that is really why I was posting to the emacs-devel list.
>>
>> AFAIU, in Emacs you should be able to request SSLv1 via the :priority
>> setting of gnutls-boot.  E.g., try to customize
>> gnutls-algorithm-priority to include "VERS-TLS1.1".
>>
>

[-- Attachment #2: gnutls.el.patch --]
[-- Type: text/x-patch, Size: 2073 bytes --]

diff -up ./gnutls.el.old ./gnutls.el
--- ./gnutls.el.old	2022-02-14 12:59:06.442427021 +0000
+++ ./gnutls.el	2022-02-14 13:34:59.580342409 +0000
@@ -222,6 +222,27 @@ trust and key files, and priority string
 (declare-function gnutls-boot "gnutls.c" (proc type proplist))
 (declare-function gnutls-errorp "gnutls.c" (error))
 (defvar gnutls-log-level)               ; gnutls.c
+(defcustom gnutls-verify-flags 256
+  "Set the default verify flags used - default is 256.
+VERIFY-FLAGS is a numeric OR of verification flags only for
+`gnutls-x509pki' connections.  See GnuTLS' x509.h for details;
+here's a recent version of the list.
+
+    GNUTLS_VERIFY_DISABLE_CA_SIGN = 1,
+    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT = 2,
+    GNUTLS_VERIFY_DO_NOT_ALLOW_SAME = 4,
+    GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT = 8,
+    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 = 16,
+    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
+    GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64,
+    GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS = 128,
+    GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT = 256
+
+It must be omitted, a number, or nil; if omitted or nil it
+defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT (256)."
+  :group 'gnutls
+  :type '(choice (const nil) number)
+)
 
 (cl-defun gnutls-negotiate
     (&rest spec
@@ -247,7 +268,7 @@ For the meaning of the rest of the param
                   :crlfiles crlfiles
                   :keylist keylist
                   :min-prime-bits min-prime-bits
-                  :verify-flags verify-flags
+                  :verify-flags (or verify-flags gnutls-verify-flags)
                   :verify-error verify-error
                   :verify-hostname-error verify-hostname-error))
          ret)
@@ -356,7 +377,7 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_
                 :trustfiles ,trustfiles
                 :crlfiles ,crlfiles
                 :keylist ,keylist
-                :verify-flags ,verify-flags
+                :verify-flags ,(or verify-flags gnutls-verify-flags)
                 :verify-error ,verify-error
                 :callbacks nil)))
 

Re: eww + w3m / GnuTLS TLSv1 support ?

[chad]

[-- Attachment #1: Type: text/plain, Size: 632 bytes --]

On Sun, Feb 13, 2022 at 9:58 AM Jason Vas Dias <jason.vas.dias@gmail.com>
wrote:

>   I need to access the website of a modem which ONLY supports
>   TLS Version 1.0 [...] https://192.168.1.1 [...]
>

Orthogonal to eww/gnutls support: in your position, I would (curse a bit
and) look into a local https proxy, starting with mitmproxy or tinyproxy.
I've been able to use solutions like this in the past, but that past is now
distant, and I don't know what's current. I see downstream you ask about
some nodeJS options; there's probably a relevant node project that you
could set up inside your local network.

Hope that helps,
~Chad

[-- Attachment #2: Type: text/html, Size: 1102 bytes --]

Re: eww + w3m / GnuTLS TLSv1 support ?

[Jason Vas Dias]

OK, I finally fixed it for firefox & whole OpenSSL or GnuTLS
using stack on Fedora 34+ :  as root:
  #  update-crypto-policies --set DEFAULT:DEFAULT
but that on its own did not work without making the
changes to /usr/share/crypto-policies/policies/DEFAULT.pol
in the attached patch file, then restarting firefox with
the about:config options:
 security.tls.version.enable-deprecated	true	
 security.tls.version.min	                1
Now I can access TLSv1 websites, and my modem,
with firefox - and also with GnuTLS / Emacs - wahoo!
The best website to test this with is :
 https://tls-v1-0.badssl.com:1010/

Thanks to all who responded !

On 14/02/2022, chad <yandros@gmail.com> wrote:
> On Sun, Feb 13, 2022 at 9:58 AM Jason Vas Dias <jason.vas.dias@gmail.com>
> wrote:
>
>>   I need to access the website of a modem which ONLY supports
>>   TLS Version 1.0 [...] https://192.168.1.1 [...]
>>
>
> Orthogonal to eww/gnutls support: in your position, I would (curse a bit
> and) look into a local https proxy, starting with mitmproxy or tinyproxy.
> I've been able to use solutions like this in the past, but that past is now
> distant, and I don't know what's current. I see downstream you ask about
> some nodeJS options; there's probably a relevant node project that you
> could set up inside your local network.
>
> Hope that helps,
> ~Chad
>

Re: eww + w3m / GnuTLS TLSv1 support ?

[Jason Vas Dias]

[-- Attachment #1: Type: text/plain, Size: 1800 bytes --]

Oops, here is the required crypto policy patch - I don't
understand why this is required, it is just merging the FEDORA32
policy module settings with the DEFAULT policy, which I thought
was the intent of the 'update-crypto-policies --set DEFAULT:FEDORA32',
but this does not seem to work without the patch also being done
afterwards.

On 15/02/2022, Jason Vas Dias <jason.vas.dias@gmail.com> wrote:
> OK, I finally fixed it for firefox & whole OpenSSL or GnuTLS
> using stack on Fedora 34+ :  as root:
>   #  update-crypto-policies --set DEFAULT:DEFAULT
> but that on its own did not work without making the
> changes to /usr/share/crypto-policies/policies/DEFAULT.pol
> in the attached patch file, then restarting firefox with
> the about:config options:
>  security.tls.version.enable-deprecated	true	
>  security.tls.version.min	                1
> Now I can access TLSv1 websites, and my modem,
> with firefox - and also with GnuTLS / Emacs - wahoo!
> The best website to test this with is :
>  https://tls-v1-0.badssl.com:1010/
>
> Thanks to all who responded !
>
> On 14/02/2022, chad <yandros@gmail.com> wrote:
>> On Sun, Feb 13, 2022 at 9:58 AM Jason Vas Dias <jason.vas.dias@gmail.com>
>> wrote:
>>
>>>   I need to access the website of a modem which ONLY supports
>>>   TLS Version 1.0 [...] https://192.168.1.1 [...]
>>>
>>
>> Orthogonal to eww/gnutls support: in your position, I would (curse a bit
>> and) look into a local https proxy, starting with mitmproxy or tinyproxy.
>> I've been able to use solutions like this in the past, but that past is
>> now
>> distant, and I don't know what's current. I see downstream you ask about
>> some nodeJS options; there's probably a relevant node project that you
>> could set up inside your local network.
>>
>> Hope that helps,
>> ~Chad
>>
>

[-- Attachment #2: crypto-policy-TLSv1.0.patch --]
[-- Type: text/x-patch, Size: 1583 bytes --]

--- default-DEFAULT.pol	2022-02-15 12:24:04.591907040 +0000
+++ policies/DEFAULT.pol	2022-02-15 12:24:17.217815512 +0000
@@ -15,9 +15,11 @@
 mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
 
 group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \
-    FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
+    FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 \
+    FFDHE-1536+ FFDHE-1024+
 
-hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224
+hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 \
+       SHA1
 
 sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA2-256-FIDO \
        ECDSA-SHA3-384 ECDSA-SHA2-384 \
@@ -32,7 +34,8 @@ sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECD
        RSA-SHA3-256 RSA-SHA2-256 \
        RSA-SHA3-384 RSA-SHA2-384 \
        RSA-SHA3-512 RSA-SHA2-512 \
-       ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224
+       ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224 \
+       ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+
 
 tls_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC \
     AES-128-GCM AES-128-CCM AES-128-CBC
@@ -52,16 +55,20 @@ key_exchange = ECDHE RSA DHE DHE-RSA PSK
 protocol = TLS1.3 TLS1.2 DTLS1.2
 ike_protocol = IKEv2
 
-min_tls_version = TLS1.2
-min_dtls_version = DTLS1.2
+min_tls_version = TLS1.0
+#2
+min_dtls_version = DTLS1.0
+#2
 
 # Parameter sizes
-min_dh_size = 2048
+min_dh_size = 1023
+#2048
 min_dsa_size = 2048
 min_rsa_size = 2048
 
 # GnuTLS only for now
-sha1_in_certs = 0
+sha1_in_certs = 1
+#0
 
 # SHA1 is still prevalent in DNSSec
 sha1_in_dnssec = 1