Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
Dropbox TLS 1.0 & 1.1 is deprecated
Dev: we need to upgrade our projects
Manager: we don't have time for that. can you call to their helpdesk, so we can keep using our projects w/o upgrading?
Dev: ....
Manager: call them!
Dev: ...9 -
A client asked us today to disable TLS 1.0 and 1.1 across their servers.
Its not often that I say this. But this makes me proud. It's a good client. Going with the changin times. I wish all clients were like this one.
RIP TLS 1.0/1.1, took you long enough.2 -
Hi lil puppies what's your problem?
*proxy vomits*
Have you eaten something wrong....
*proxy happily eats requests and answers correctly*
Hm... Seems like you are...
*proxy vomits dozen of requests at once*
... Not okay.
Ok.... What did u you get fed you lil hellspawn.
TLS handshake error.
Thousands. Of. TLS. Handshake. Errors.
*checking autonomous system information*
Yeah... Requests come from same IP or AS. Someone is actively bombing TLS requests on the TLS terminator.
Wrong / outdated TLS requests.
Let's block the IP addresses....
*Pats HAProxy on the head*
*Gets more vomit as a thank you no sir*
I've now added a list of roughly 320 IP adresses in 4 h to an actively running HAProxy in INet as some Chinese fuckers seemingly find it funny to DDOS with TLS 1.0... or Invalid HTTP Requests... Or Upgrade Headers...
Seriously. I want a fucking weekend you bastards. Shove your communism up your arse if you wanna have some illegal fun. ;)11 -
Legacy tech be like:
"The connection to this site uses TLS 1.0 (an obsolete protocol), RSA (an obsolete key exchange), and AES_128_CBC with HMAC-SHA1 (an obsolete cipher)."2 -
My vocabulary is way to small to express my feelings when being forced to use .Net 4.0. Just spent like 2 hours searching why my Api requests failed.
Turns out it used TLS 1.0 which got rejected by the server. Then I spent another 2 hours finding out how to make it use TLS 1.2. Surprisingly it does work now (although it came out before TSL 1.2 specification). But yeah still a fucking pile of shit.1 -
IPMI...
2010....
Java Web...
Oracle JDK needed....
Oracle JDK Download requires Oracle Account..... To circumvent as I don't want a motherfugging shitty oracle account tons of googling and loading shit from not so trustful pages.
TLS 1.0 and WebJDK require Internet Explorer.....
And an even older version of Oracle JDK 8....
Broken keyboard input....
As on Laptop for Windows / Internet Explorer additionally struggling with keyboard...
Mounting SMB Share requires password change, as my password contains invalid characters....
Finally getting shit to load GParted...
Taking fucking ages to load.
Broken keyboard input, no pasting.....
Chrooting / input becomes a 15 min exercise.
Actual input necessary on chroot: 1 command.
Actual time needed to get there : 2 1/2 h.
*sigh*
When that one old machine dies noone was aware of. And this one old machine is only accessible via an IPMI... As noone even knows where that machine is.
Weekend dead. Weekend is so fucking dead and overrated.2 -
With a recent HAProxy update on our reverse proxy VM I decided to enable http/2, disable TLS 1.0 and drop support for non forward-secrecy ciphers.
Tested our sites in Chrome and Firefox, all was well, went to bed.
Next morning a medium-critical havock went loose. Our ERP system couldn't create tickets in our ticket system anymore, the ticket systems Outlook AddIn refused to connect, the mobile app we use to access our anti-spam appliance wouldn't connect although our internal blackboard app still connected over the same load balancer without any issues.
So i declared a 10min maintenance window and disabled HTTP/2, thinking that this was the culprit.
Nope. No dice.
Okay, i thought, enable TLS 1.0 again.
Suddenly the ticket system related stuff starts to work again.
So since both the ERP system and the AddIn run on .NET i dug through the .NET documentation and found out that for some fucking reason even in the newest .NET framework version (4.7.2) you have to explicitly enable TLS 1.1 and 1.2 or else you just get a 'socket reset' error. Why the fuck?!
Okay, now that i had the ticket system out of the way i enabled HTTP/2 and verified that everything still works.
It did, nice.
The anti-spam appliance app still did not work however, so i enabled one non-pfs cipher in the OpenSSL config and tested the app.
Behold, it worked.
I'm currently creating a ticket with them asking politely why the fuck their app has pfs-ciphers disabled.
And I thought disabling DEPRECEATED tech wouldn't be an issue... Wrong... -
Did some analysis on some servers that a partner of ours is hosting:
-TLS 1.0: Hmm this isn't great
-TLS_RSA_WITH_RC4_128_SHA preferred Cipher Suite for ALL TLS Versions.
I almost barfed at my desk.4 -
RANT
THE fucking pip is not working again. This time throwing sslerror ssl_certificate. Googled and came to know they removed TLS 1.0 and 1.1 support. Solution upgrade the pip. Done. Still same.
Checked their website no information.
Don't have words now.3 -
Been integrating with a third party system for the last 2 weeks, we can send them requests fine but when they post the response to us they get a generic error.
After responding very politely to an increasingly aggressive contact at their company for the entire day, where he says it is our system that is badly configured, they figured it out.
Their system only has support for sending data using TLS 1.0 and below....
So turns out he was right our system wasn't configured to work with theirs. We only allow 1.2 and above...
Top Tags
Weekly Rant
View