From: Jason Vas Dias <jason.vas.dias@gmail.com>
To: emacs-devel@gnu.org
Subject: Re: eww + w3m / GnuTLS TLSv1 support ?
Date: Tue, 15 Feb 2022 12:55:31 +0000 [thread overview]
Message-ID: <CALyZvKzAWA1Vsw1uSRhrDoq5SNwRT+PT3PDAvM3y2fEv+D8d2g@mail.gmail.com> (raw)
In-Reply-To: <CALyZvKwqSXkbiUFiwwMPKfMZY0m7yDWFhd-OeY9hhVYp=c6-eQ@mail.gmail.com>
Oops, here is the required crypto policy patch. I don't
understand why this is required; it is just merging the FEDORA32
policy module settings with the DEFAULT policy, which I thought
was the intent of 'update-crypto-policies --set DEFAULT:FEDORA32',
but this does not seem to work without the patch also being applied
afterwards.
On 15/02/2022, Jason Vas Dias <jason.vas.dias@gmail.com> wrote:
> OK, I finally fixed it for firefox & the whole OpenSSL- or GnuTLS-
> using stack on Fedora 34+, as root:
> # update-crypto-policies --set DEFAULT:DEFAULT
> but that on its own did not work without making the
> changes to /usr/share/crypto-policies/policies/DEFAULT.pol
> in the attached patch file, then restarting firefox with
> the about:config options:
> security.tls.version.enable-deprecated true
> security.tls.version.min 1
> Now I can access TLSv1 websites, and my modem,
> with firefox - and also with GnuTLS / Emacs - wahoo!
> The best website to test this with is :
> https://tls-v1-0.badssl.com:1010/
>
> Thanks to all who responded !
>
> On 14/02/2022, chad <yandros@gmail.com> wrote:
>> On Sun, Feb 13, 2022 at 9:58 AM Jason Vas Dias <jason.vas.dias@gmail.com>
>> wrote:
>>
>>> I need to access the website of a modem which ONLY supports
>>> TLS Version 1.0 [...] https://192.168.1.1 [...]
>>>
>>
>> Orthogonal to eww/gnutls support: in your position, I would (curse a bit
>> and) look into a local https proxy, starting with mitmproxy or tinyproxy.
>> I've been able to use solutions like this in the past, but that past is
>> now distant, and I don't know what's current. I see downstream you ask
>> about some nodeJS options; there's probably a relevant node project that
>> you could set up inside your local network.
>>
>> Hope that helps,
>> ~Chad
>>
>
[-- Attachment #2: crypto-policy-TLSv1.0.patch --]
[-- Type: text/x-patch, Size: 1583 bytes --]
--- default-DEFAULT.pol 2022-02-15 12:24:04.591907040 +0000
+++ policies/DEFAULT.pol 2022-02-15 12:24:17.217815512 +0000
@@ -15,9 +15,11 @@
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \
- FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
+ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 \
+ FFDHE-1536+ FFDHE-1024+
-hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224
+hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 \
+ SHA1
sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA2-256-FIDO \
ECDSA-SHA3-384 ECDSA-SHA2-384 \
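Review bot: `FFDHE-1536+ FFDHE-1024+` in `group` and `SHA1` in `hash` loosen the system-wide DEFAULT policy for every library that reads it, not just the one connection to the modem, and the two additions use different notation: the group entries carry the trailing `+` that subpolicy (.pmod) files use to append to an inherited list, while `SHA1` is added as a plain token in the same file. Pick one form, and since DEFAULT.pol is a base policy rather than a module, confirm that the policy loader accepts `NAME+` here at all instead of treating it as an unknown algorithm name. Sub-2048-bit finite-field DH groups and SHA-1 are exactly what the `min_dh_size = 2048` line further down is meant to exclude, so they belong in a narrowly scoped custom policy that is selected only while the legacy device is needed, not in DEFAULT.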
@@ -32,7 +34,8 @@ sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECD
RSA-SHA3-256 RSA-SHA2-256 \
RSA-SHA3-384 RSA-SHA2-384 \
RSA-SHA3-512 RSA-SHA2-512 \
- ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224
+ ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224 \
+ ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+
tls_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC \
AES-128-GCM AES-128-CCM AES-128-CBC
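Review bot: `ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+` again uses the `+` append suffix inside the base `sign` list, where every preceding entry is a plain name; if the loader does not strip that suffix in a .pol file these three entries would not match the algorithms they are meant to enable, so either drop the `+` here or keep the additions in a .pmod where the notation is defined. Beyond syntax, accepting SHA-1 signatures in `sign` re-enables SHA-1 for certificate chains and handshake signatures in every application under the policy, and SHA-1 collisions are practical, which is the reason DEFAULT omits them.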
@@ -52,16 +55,20 @@ key_exchange = ECDHE RSA DHE DHE-RSA PSK
protocol = TLS1.3 TLS1.2 DTLS1.2
ike_protocol = IKEv2
-min_tls_version = TLS1.2
-min_dtls_version = DTLS1.2
+min_tls_version = TLS1.0
+#2
+min_dtls_version = DTLS1.0
+#2
# Parameter sizes
-min_dh_size = 2048
+min_dh_size = 1023
+#2048
min_dsa_size = 2048
min_rsa_size = 2048
# GnuTLS only for now
-sha1_in_certs = 0
+sha1_in_certs = 1
+#0
# SHA1 is still prevalent in DNSSec
sha1_in_dnssec = 1
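Review bot: `min_tls_version = TLS1.0` and `min_dtls_version = DTLS1.0` are lowered while the unchanged `protocol = TLS1.3 TLS1.2 DTLS1.2` line above them still lists no TLS1.1, TLS1.0 or DTLS1.0, so the new minimum lies below anything the protocol list enables; if TLS 1.0 is really to be negotiated, `protocol` has to carry `TLS1.1 TLS1.0 DTLS1.0` as well. The bare `#2` lines left under the two version changes do not say what they record, unlike `#2048` and `#0`, so write `# was TLS1.2` / `# was DTLS1.2` or drop them, and `min_dh_size = 1023` rather than 1024 deserves a comment explaining the odd value. Finally, this patch edits the package-owned /usr/share/crypto-policies/policies/DEFAULT.pol, which the next crypto-policies update will overwrite; a custom policy or module placed under /etc/crypto-policies/policies/ and selected with `update-crypto-policies --set` survives updates and keeps the relaxation out of DEFAULT.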
Thread overview (10+ messages):
2022-02-13 14:58 eww + w3m / GnuTLS TLSv1 support ? Jason Vas Dias
2022-02-13 15:44 ` Herbert J. Skuhra
2022-02-13 16:48 ` Jason Vas Dias
2022-02-13 17:07 ` Eli Zaretskii
2022-02-14 12:34 ` Jason Vas Dias
2022-02-14 13:25 ` Herbert J. Skuhra
2022-02-14 13:36 ` Jason Vas Dias
2022-02-14 18:51 ` chad
2022-02-15 12:52 ` Jason Vas Dias
2022-02-15 12:55 ` Jason Vas Dias [this message]
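The policy edit in the patch above, and the DEFAULT:FEDORA32 merge the author expected to do the same job, can be checked mechanically before a change goes live for every TLS client on the host. The following is an added example written for this thread, not code from the message or from the crypto-policies project: it parses policy text in the `key = value \` continuation format shown in the hunks, overlays a modifier using the `NAME+` append and `-NAME` remove notation (an assumed, simplified model of the subpolicy syntax, not the project's parser), and audits the effective settings against a TLS 1.2 / SHA-2 / 2048-bit baseline. The BEFORE and AFTER strings are constructed, abridged excerpts mirroring the context and `+` lines of the diff, and MODIFIER is a constructed stand-in, not the real FEDORA32.pmod.

```python
"""Parse crypto-policies style text, overlay a modifier, and audit the result."""
# Added example for this thread, not crypto-policies' own code. The merge rules
# ('NAME+' appends, '-NAME' removes, a plain list replaces) are an assumption.
LIST_KEYS = {"mac", "group", "hash", "sign", "tls_cipher", "cipher", "key_exchange",
             "protocol", "ike_protocol"}
TLS_ORDER = {"TLS1.0": 0, "TLS1.1": 1, "TLS1.2": 2, "TLS1.3": 3}

# Constructed, abridged excerpts mirroring the context and '+' lines of the diff.
BEFORE = """\
group = X25519 SECP256R1 \\
    FFDHE-2048 FFDHE-3072
hash = SHA2-256 SHA2-384 SHA2-224
sign = ECDSA-SHA2-256 RSA-SHA2-256 ECDSA-SHA2-224 RSA-SHA2-224
protocol = TLS1.3 TLS1.2 DTLS1.2
min_tls_version = TLS1.2
min_dh_size = 2048
sha1_in_certs = 0
"""
AFTER = """\
group = X25519 SECP256R1 \\
    FFDHE-2048 FFDHE-3072 \\
    FFDHE-1536+ FFDHE-1024+
hash = SHA2-256 SHA2-384 SHA2-224 SHA1
sign = ECDSA-SHA2-256 RSA-SHA2-256 ECDSA-SHA2-224 RSA-SHA2-224 \\
    ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+
protocol = TLS1.3 TLS1.2 DTLS1.2
min_tls_version = TLS1.0
#2
min_dh_size = 1023
sha1_in_certs = 1
"""
# Constructed modifier in subpolicy notation; a stand-in, not FEDORA32.pmod.
MODIFIER = """\
hash = SHA1+ -SHA2-224
sign = RSA-SHA1+ ECDSA-SHA1+
min_tls_version = TLS1.0
"""

def parse_policy(text):
    """Map key -> token list (list keys) or string; handles '#' and '\\' lines."""
    policy, pending = {}, ""
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if stripped.endswith("\\"):
            pending += stripped[:-1] + " "      # continuation: keep accumulating
            continue
        logical, pending = (pending + stripped).strip(), ""
        if not logical:
            continue
        key, _, value = logical.partition("=")
        key, value = key.strip(), value.strip()
        policy[key] = value.split() if key in LIST_KEYS else value
    return policy

def apply_subpolicy(base, sub):
    """Overlay sub on base. Plain tokens replace a list, 'NAME+' appends, '-NAME'
    removes; scalars are overwritten. Using an empty base flattens a file that
    mixes plain and 'NAME+' tokens, as the patched DEFAULT.pol does."""
    merged = {k: list(v) if isinstance(v, list) else v for k, v in base.items()}
    for key, value in sub.items():
        if key not in LIST_KEYS:
            merged[key] = value
            continue
        current = list(merged.get(key, []))
        plain = [t for t in value if not t.endswith("+") and not t.startswith("-")]
        if plain:
            current = plain
        for tok in value:
            if tok.endswith("+") and tok[:-1] not in current:
                current.append(tok[:-1])
            elif tok.startswith("-"):
                current = [t for t in current if t != tok[1:]]
        merged[key] = current
    return merged

def effective_policy(text):
    return apply_subpolicy({}, parse_policy(text))

def audit(policy):
    """List settings weaker than a TLS1.2 / SHA-2 / 2048-bit DH baseline."""
    findings = []
    min_tls, protocols = policy.get("min_tls_version"), policy.get("protocol", [])
    if min_tls in TLS_ORDER and TLS_ORDER[min_tls] < TLS_ORDER["TLS1.2"]:
        findings.append(f"min_tls_version={min_tls} permits pre-TLS1.2 handshakes")
    if min_tls in TLS_ORDER and min_tls not in protocols:
        findings.append(f"min_tls_version={min_tls} is not in protocol list {protocols}")
    if "SHA1" in policy.get("hash", []):
        findings.append("SHA1 enabled in hash")
    if weak := [s for s in policy.get("sign", []) if s.endswith("SHA1")]:
        findings.append("SHA-1 signature algorithms enabled: " + " ".join(weak))
    for group in policy.get("group", []):
        if group.startswith("FFDHE-") and int(group[6:]) < 2048:
            findings.append(f"finite-field DH group below 2048 bits: {group}")
    if int(policy.get("min_dh_size", 2048)) < 2048:
        findings.append(f"min_dh_size={policy['min_dh_size']} is below 2048")
    if policy.get("sha1_in_certs") == "1":
        findings.append("sha1_in_certs=1 accepts SHA-1 certificate signatures")
    return findings

if __name__ == "__main__":
    for label, text in (("before patch", BEFORE), ("after patch", AFTER)):
        print(label + ":", *audit(effective_policy(text)), sep="\n  ")
    print("DEFAULT + modifier:", apply_subpolicy(parse_policy(BEFORE), parse_policy(MODIFIER)))
```

Run as a script, it reports no findings for the pre-patch excerpt and eight for the patched one, among them that TLS1.0 is named by `min_tls_version` but absent from the `protocol` list; the modifier run shows the append/remove notation producing a flat list without editing the base file, which is the shape a scoped custom policy would take instead of patching DEFAULT.pol.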