
FireFox and home server


www.GymRatZ.co.uk

Jun 13, 2023, 1:02:03 PM
Does anyone have a "fix" for creating an I.P. address or site/url
exemption for firefox (and Brave etc) with regards to bypassing the "not
secure, you are NOT going there" browser message

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

I have a Hewlett Packard DL360 G7 server hosting a development site but
now I can't get into the ILO 3 server resource monitor software because
FF and Brave refuse to connect to the old TLS encryption protocol and
they have now removed the option to add an exception.
https://support.mozilla.org/en-US/kb/secure-connection-failed-firefox-did-not-connect?as=u&utm_source=inproduct
On my work PC I can still log into the system (via site-to-site VPN)
even though it's FireFox 113.* presumably because I'd already added an
exception for the IP address on an earlier version.

ILO 3 runs on its own dedicated/isolated network port and O.S.
(dedicated "system" web server) which can't be updated other than BIOS
and the server is way past any new updates and the port can only be
accessed from the L.A.N.

Wondering if anyone has a workaround or whether there's another browser
that isn't so tetchy about connecting to old systems?

This is a side DIY to the current balcony fibreglassing job I'm in the
middle of doing.
:)

Cheers - Pete

Andy Burns

Jun 13, 2023, 1:08:17 PM
www.GymRatZ.co.uk wrote:

> Does anyone have a "fix" for creating an I.P. address or site/url
> exemption for firefox (and Brave etc) with regards to bypassing the "not
> secure, you are NOT going there" browser message
>
> Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Not a URL specific exception, but a global one in about:config
try lowering the value of
security.tls.version.fallback-limit
probably put it back to current value when done
or upgrade your ILO firmware

The Natural Philosopher

Jun 13, 2023, 2:43:20 PM
On 13/06/2023 18:01, www.GymRatZ.co.uk wrote:
> Does anyone have a "fix" for creating an I.P. address or site/url
> exemption for firefox (and Brave etc) with regards to bypassing the "not
> secure, you are NOT going there" browser message
>
> Error code: SSL_ERROR_NO_CYPHER_OVERLAP
>

https://kinsta.com/blog/ssl_error_no_cypher_overlap/

has some data. It looks like you may be able to fiddle in 'about:config'

<...>
> ILO 3 runs on its own dedicated/isolated network port and O.S.
> (dedicated "system" web server) which can't be updated other than BIOS
> and the server is way past any new updates and the port can only be
> accessed from the L.A.N.
Mm. perhaps you need an equally outdated browser to access it.
And XP window on virtual box?


>
> Wondering if anyone has a workaround or whether there's another browser
> that isn't so tetchy about connecting to old systems?
>
Well obviously less up to date browser versions.

https://ftp.mozilla.org/pub/firefox/releases/

> Cheers - Pete

--
Future generations will wonder in bemused amazement that the early
twenty-first century’s developed world went into hysterical panic over a
globally average temperature increase of a few tenths of a degree, and,
on the basis of gross exaggerations of highly uncertain computer
projections combined into implausible chains of inference, proceeded to
contemplate a rollback of the industrial age.

Richard Lindzen

John Rumm

Jun 13, 2023, 7:30:03 PM
On 13/06/2023 18:01, www.GymRatZ.co.uk wrote:
Does it have a http server you could visit instead?

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/

The Natural Philosopher

Jun 14, 2023, 4:25:13 AM
On 14/06/2023 09:15, Jethro_uk wrote:
> I can strongly advise being prepared to have some sort of virtualisation
> solution to run an older browser in. Maybe a docker container ?
>
> Browser security is only going to get more strict from hereon in.

I do suggest scanning the about:config magic box for ways to downgrade
TLS security. I haven't time to research it myself


--
If you tell a lie big enough and keep repeating it, people will
eventually come to believe it. The lie can be maintained only for such
time as the State can shield the people from the political, economic
and/or military consequences of the lie. It thus becomes vitally
important for the State to use all of its powers to repress dissent, for
the truth is the mortal enemy of the lie, and thus by extension, the
truth is the greatest enemy of the State.

Joseph Goebbels




The Natural Philosopher

Jun 14, 2023, 5:02:37 AM
On 14/06/2023 09:33, Jethro_uk wrote:
> From casual experience, Chrome hasn't allowed this for a year.

What has it got to do with Chrome?
This thread is about Firefox.

--
In theory, there is no difference between theory and practice.
In practice, there is.
-- Yogi Berra

The Natural Philosopher

Jun 14, 2023, 5:59:52 AM
On 14/06/2023 10:46, Jethro_uk wrote:
> Firefox tends to match Chrome so I would be totally unsurprised to find
> it has the same restrictions.
>
> I really CBA to remember the exact details, as it's a day off, but last
> year we stopped being able to access an old Dell iDRAC, as it hadn't been
> updated and only used TLS 1.1 and neither FF or Chrome would connect.
> Which would have meant a trip to the data centre to upgrade, since it
> couldn't be done out of band. However we switched to a newer data centre,
> so were spared the day out in Derby.
>

I had similar problems with thunderbird and sending SMTP mail to my server.

I discovered a hidden switch in it that allowed it to accept older TLS
versions.



--
"If you don’t read the news paper, you are un-informed. If you read the
news paper, you are mis-informed."

Mark Twain

Theo

Jun 14, 2023, 8:02:04 AM
Ottavio Caruso <ottavio2006...@yahoo.com> wrote:
> Am 13/06/2023 um 17:01 schrieb www.GymRatZ.co.uk:
> > Does anyone have a "fix" for creating an I.P. address or site/url
> > exemption for firefox (and Brave etc) with regards to bypassing the "not
> > secure, you are NOT going there" browser message
> >
> > Error code: SSL_ERROR_NO_CYPHER_OVERLAP
> >
> > I have a Hewlett Packard DL360 G7 server hosting a development site but
> > now I can't get into the ILO 3 server resource monitor software because
> > FF and Brave refuse to connect to the old TLS encryption protocol and
> > they have now removed the option to add an exception.
> > https://support.mozilla.org/en-US/kb/secure-connection-failed-firefox-did-not-connect?as=u&utm_source=inproduct
> > On my work PC I can still log into the system (via site-to-site VPN)
> > even though it's FireFox 113.* presumably because I'd already added an
> > exception for the IP address on an earlier version.
>
> Just make your own security certificate.
>
> Google it, for God's sake.

The problem is not the certificate, it's that the server is using an old
type of crypto, which the current browser no longer supports.
It may be possible to replace the certificate with one using a different
form of crypto that's not too outdated (if the server supports multiple
types) but it may be everything is just too old.

It may be possible to convince Firefox to enable older ciphers, eg point 3
from here:
https://blog.runcloud.io/ssl-error-no-cypher-overlap/

But if that doesn't work, another option is a TLS bridging proxy
that will decrypt and then re-encrypt your traffic:
https://en.wikipedia.org/wiki/TLS_termination_proxy


Theo
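
Theo's distinction between a certificate problem and a protocol/cipher mismatch can be checked from any machine on the LAN. The script below is an added example, not part of the thread: it offers the management interface one TLS version at a time and reports which handshakes complete. All function names are hypothetical, and using OpenSSL's `DEFAULT` cipher list as a stand-in for what a current browser offers is an assumption.

```python
import socket
import ssl
import sys
import warnings

ORDER = ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
PERMISSIVE = "ALL:@SECLEVEL=0"  # every suite the local OpenSSL still carries
STRICT = "DEFAULT"              # assumption: stand-in for a current browser's offer

def context_for(version, ciphers):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # handshake probe only; no credentials or data are sent
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion[version]
    ctx.set_ciphers(ciphers)
    return ctx

def probe(host, port=443, ciphers=PERMISSIVE, timeout=5.0):
    """Map each TLS version to the negotiated cipher name, or None if refused."""
    results = {}
    for version in ORDER:
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with context_for(version, ciphers).wrap_socket(raw) as tls:
                    results[version] = tls.cipher()[0]
        except (OSError, ValueError):  # also hit if local OpenSSL lacks this version
            results[version] = None
    return results

def usable(results, floor):
    """Versions at or above `floor` on which a handshake completed."""
    return {v for v, c in results.items() if c and ORDER.index(v) >= ORDER.index(floor)}

def diagnose(permissive, strict, browser_min="TLSv1_2"):
    """Return 'unreachable', 'protocol', 'cipher' or 'ok'."""
    if not any(permissive.values()):
        return "unreachable"
    if not usable(permissive, browser_min):
        return "protocol"  # server tops out below the browser's minimum version
    if not usable(strict, browser_min):
        return "cipher"    # version overlaps, but only retired suites are on offer
    return "ok"            # handshake can complete; what remains is the certificate

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: tlsprobe.py HOST [PORT]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    loose, tight = probe(sys.argv[1], port), probe(sys.argv[1], port, STRICT)
    for version in ORDER:
        print(f"{version:8} {loose[version] or 'refused'}")
    print("diagnosis:", diagnose(loose, tight))
```

A `protocol` or `cipher` result means negotiation fails before the certificate is ever examined, which is why a certificate exception on its own does not help in that case.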

Andy Burns

Jun 14, 2023, 9:44:09 AM
Jethro_uk wrote:


> Can it serve a TLS2 cert ?

certs are not related to the SSL/TLS version used.

ILO3 is quite old, but it can generate a CSR

Theo

Jun 14, 2023, 11:55:49 AM
Ottavio Caruso <ottavio2006...@yahoo.com> wrote:
> Am 14/06/2023 um 12:01 schrieb Theo:
> > it's that the server is using an old
> > type of crypto, which the current browser no longer supports.
>
> What OS is on the server?

ILO 3.

Theo

Andy Burns

Jun 14, 2023, 2:41:17 PM
Ottavio Caruso wrote:

> What is the server?

He said, it's the ILO (out of band management) on a HP/compaq server ...


Mike Humphrey

Jun 14, 2023, 3:50:39 PM
On Tue, 13 Jun 2023 18:01:49 +0100, www.GymRatZ.co.uk wrote:

> Does anyone have a "fix" for creating an I.P. address or site/url
> exemption for firefox (and Brave etc) with regards to bypassing the "not
> secure, you are NOT going there" browser message
>
> Error code: SSL_ERROR_NO_CYPHER_OVERLAP
>

Portableapps.com Firefox Legacy has old versions available. These can run
completely standalone without affecting any other versions you've got
installed. I've used this in a similar situation. Just don't access
anything else with this version, use your regular browser - there are
some serious security issues with versions that old.

Mike

Theo

Jun 15, 2023, 5:54:27 AM
Ottavio Caruso <ottavio2006...@yahoo.com> wrote:
> Am 14/06/2023 um 15:55 schrieb Theo:
> > ILO 3.
>
> Can you ssh into it? A command line?
>
> Can you not use an old PC or a second hand Raspberry PI to use as a
> home/print server?

ILO is the baseboard management interface (BMC) for an HP rack server, and
lives on its motherboard. It allows you to power up/down the unit, manage
power/fan speeds, change BIOS settings, remote access to the VGA, connect
virtual DVD drives. Effectively it replaces any need to connect a monitor
and keyboard to the unit, which may be on the other side of the world.

There may be a command line interface, but it doesn't allow you to do things
like remote VGA.

There is no replacement for that if you want to achieve those management
functions, because only the ILO chip is hooked into the server in that way.
The trouble is that the server may be 10+ years old and still useful, but
the ILO firmware is out of support (or maybe only getting security updates).

For machines without BMC remote management (ILO/iDRAC/etc) I use
https://pikvm.org/ as an IP-KVM which gives you remote HDMI / keyboard /
mouse / media / power buttons, but it doesn't give access to some features
like internal hardware status. And you need a Pi plus an HDMI capture board
(which start at about £30, or a purpose built board is £140).

A Raspberry Pi is not the same as a big-iron Xeon server with dozens of
x86 cores and hundreds of GB of RAM, which is what these often are.

(such servers can be had quite cheaply in some cases, if the power bill for
running them 24/7 exceeds the cost of buying a newer server, and if you only
run them sporadically that's not a problem for you. But you have to deal
with stuff like the ILO being out of date)

Theo

Andy Burns

Jun 15, 2023, 6:21:20 AM
Ottavio Caruso wrote:

> Am 14/06/2023 um 15:55 schrieb Theo:
>> ILO 3.
>
> Can you ssh into it? A command line?

You can get into ILO config by pressing F9 (or maybe F8) at boot time,
there you can change the network/user settings for it, and I think
generate CSR or load certs ... but ILO3 is ancient

You may be able to run the ILO Configuration Utility from within a
supported O/S, but the oldest I can see is for ILO4

See pages 48/49 of this
<https://enos.itcollege.ee/~edmund/storage/praktikumid/riistvara-laborid/iLO/iLO3_user-guide.pdf>

www.GymRatZ.co.uk

Jun 15, 2023, 7:53:38 AM
Thanks for the pointer Andy.
I tried changing config fallback and minimum encryption level etc none
of which made any difference yesterday, but even though I still have
yesterday's browser window and tabs open, on re-visiting this thread and
re-trying to log in FF has now given me the extra page for certificate
inspection (are you sure? are you sure you're sure?, we don't advise
going there! etc) and adding an exception to the site so for the moment
at least my home PC and FF can re-access the ILO3 service.

End of life for the Gen7 was 5 years ago and the latest firmware
(installed) is iLO Firmware Version 1.94 Dec 06 2020 so not much hope of
that getting updated again.

It's not the end of the world if I completely lose access to ILO but
it's extremely useful for checking server temp. fan speeds, current and
historical power consumption etc.

Cheers
Pete

www.GymRatZ.co.uk

Jun 15, 2023, 8:21:02 AM
Thanks Mike,
I'll take a look.

Cheers
Pete

The Natural Philosopher

Jun 15, 2023, 9:29:14 AM
On 15/06/2023 12:53, www.GymRatZ.co.uk wrote:
> but even though I still have yesterday's browser window and tabs open, on
> re-visiting this thread and re-trying to log in FF has now given me the
> extra page for certificate inspection (are you sure? are you sure you're
> sure?, we don't advise going there! etc) and adding an exception to the
> site so for the moment at least my home PC and FF can re-access the ILO3
> service.

Well, however you managed to hack that, it is at least a Result, as they
say.


--
"And if the blind lead the blind, both shall fall into the ditch".

Gospel of St. Matthew 15:14


www.GymRatZ.co.uk

Jun 15, 2023, 9:37:19 AM
On 13/06/2023 18:01, www.GymRatZ.co.uk wrote:
> Does anyone have a "fix" for creating an I.P. address or site/url
> exemption for firefox (and Brave etc) with regards to bypassing the "not
> secure, you are NOT going there" browser message
>
> Error code: SSL_ERROR_NO_CYPHER_OVERLAP
>
> I have a Hewlett Packard DL360 G7 server hosting a development site but
> now I can't get into the ILO 3 server resource monitor software because

Thanks all for the help and advice and for those that helped explain the
difference between ILO "on board" server that sits independently to the
actual server (running on Ubuntu) :)

Having fiddled about yesterday with FireFox config as suggested by Andy,
dropping security minimum/fallback etc down from default to a lower
setting didn't appear to make a difference yesterday, but today the same
browser even without closing it down is now granting access to the
server interface by giving the option of adding an exception so
something happened overnight and access has been restored for the time
being.

For those wondering about the server:
2 years ago I wanted to "play around" with Magento2 e-commerce site but
it's super heavy on resources and the monthly cost of renting a suitable
server or "instance", "droplet" or whatever they're called with enough
capacity to do the job was prohibitively expensive so I found that a 10
year old enterprise class server, built to my spec. could be had for a
tiny (spec. to cost) price.

Found a site called "BargainHardware" and created a server with the
following spec.:


2 x Xeon (24 cores), 96GB DDR RAM, 512GB Raid SSD (384GB 3 + 1), dual
PSU. for £300!(VAT claimed back).

Power consumption? Average power over the last 24 hours is 60w (data
provided by ILO3) so around £3.00 per week to keep it running. Full
spec. and component costs (2 years ago) as follows:


Chassis
1 x HP ProLiant DL360 G7 4xSFF Hot-Swap SAS & Hot-Swap PSU 1U Barebones
Server £15.00

Processor(s)
2 x Intel Xeon X5660 2.80Ghz Hexa (6) Core CPU £16.00

Heatsink(s)
2 x HP ProLiant DL360 G6, DL360 G7 Heatsink £8.00

Fan(s)
1 x HP ProLiant DL360 G6, DL360 G7 Fan Module £2.00
(already has 1 fan module as standard for single CPU)

Memory (RAM)
6 x 16GB - DDR3 1600MHz (PC3-12800R, 2Rx4) £150.00

RAID
1 x HP|P410i 1GB FBWC|CBOPT £24.00

Hard Drive(s) & SSD(s)
4 x 128GB SATA SFF 6G SSD £52.00

Hard Drive Caddy(s) & Blank(s)
4 x HP ProLiant G5, G6, G7 SFF Hot-Swap Caddy £20.00

Power Supply(s)
2 x HP Common Slot HS PSU 460W Platinum Plus £4.00

Power Cable(s)
2 x UK Plug to C13 (Kettle Lead) Power Cable £4.00


Grand Total (Excl.Tax) £300.99
Vat £60.20
Grand Total (Incl.Tax) £361.19

"Bargain Hardware" describes the business quite well I feel.
They were also excellent to deal with. Interestingly, scarcity of
components makes them more expensive as does newer spec. so there is a
sweet spot between too old and still in current service that yields
amazing value. Memory was the only exception as I wanted to fully
populate at maximum speed possible which meant having to use 16GB
modules hence making up a whopping 50% of the cost of the server.

Only downside... being a small form factor server the fans can get quite
noisy on hot days, sounds like a swarm of bees living in the garage. Far
too noisy to have in the house/attic etc. Never seen the fans go past
40% when ambient temp was around 30 degrees but nice to know it's still
got plenty of cooling headroom.
:)




www.GymRatZ.co.uk

Jun 15, 2023, 10:51:58 AM
On 14/06/2023 00:29, John Rumm wrote:

>> This is a side DIY to the current balcony fibreglassing job I'm in the
>> middle of doing.
>> :)
>
> Does it have a http server you could visit instead?

No it doesn't John but in going back in to check I found something I'd
changed in FF about:config has now taken effect and I'm once again able
to access the interface from the home P.C. possibly until the next
browser update or locking down I guess.

Cheers
Pete


The Natural Philosopher

Jun 15, 2023, 1:57:08 PM
About: config persists through upgrades unless the configured feature
ceases to exist;

> Cheers
> Pete
>
>

--
“I know that most men, including those at ease with problems of the
greatest complexity, can seldom accept even the simplest and most
obvious truth if it be such as would oblige them to admit the falsity of
conclusions which they have delighted in explaining to colleagues, which
they have proudly taught to others, and which they have woven, thread by
thread, into the fabric of their lives.”

― Leo Tolstoy
