Welcome to the Australian Ford Forums forum.

You are currently viewing our boards as a guest which gives you limited access to view most discussions and inserts advertising. By joining our free community you will have access to post topics, communicate privately with other members, respond to polls, upload content and access many other special features without post based advertising banners. Registration is simple and absolutely free so please, join our community today!

If you have any problems with the registration process or your account login, please contact us.

Please Note: All new registrations go through a manual approval queue to keep spammers out. This is checked twice each day so there will be a delay before your registration is activated.

Go Back   Australian Ford Forums > General Topics > Ford Forums Central > Site Support

Site Support If something isn't working or you have a suggestion ( a nice one !! ) let us know here.

Reply
 
Thread Tools Display Modes
Old 17-10-2017, 10:21 AM   #1
russellw
Chairman & Administrator
Donating Member3
 
russellw's Avatar
 
Join Date: Dec 2004
Location: 1975
Posts: 107,270
Community Builder: In recognition of those who have helped build the AFF community. - Issue reason: Raptor: For Continued, and prolonged service to the wider Ford Community 
Default ** IMPORTANT - EOL for TLSv1**

Good morning all. Apologies for the technical detail below but it is important that Windows XP and Windows 7 users read the information below as it will impact access to the forum.

As some will know, we moved to using SSL on the server some months ago which is why you will see a little padlock symbol in your browser navigator bar. There are several variations on the SSL protocol and at the time of implementation, the only one we disallowed was the (hacked) SSLv2.

It is now time that we started to implement some of the more up to date (and secure) protocols and remove the older ones as some of them are vulnerable to attack. To this end, we are planning to remove support for TLSv1 and SSL3 effective from the 1st November this year.

The table below, identifies which Microsoft Operating System version have inbuilt support for TLSv1.1 which will be the lowest SSL version supported once we make the change.



As you will see Windows XP does not have support for TLSv1.1 and this has two potential impacts:

1. People using Internet Explorer 6 will not be able to access AFF; and
2. People using other browsers may receive errors trying to access the site.

Windows 7 does support TLSv1.1 but it is not enabled by default and in order to use it the following steps need to be taken regardless of which browser you normally use.

Launch Internet Explorer and navigate to Tools -> Internet Options -> Advanced. Under the Security section, you will see a list of SSL protocols supported by the Operating System and you will notice that a number of them are not ticked. Make sure that they are set as per the screen shot below.




Save the settings and then your normal browser should work fine with AFF post the November change.

To check SSL settings in Google Chrome:
  • Click the Chrome menu button.
  • Click Settings.
  • Click Show advanced settings.
  • Click Change proxy settings under the Network section.
  • Click the Advanced tab.
  • Check or uncheck the options for Use SSL as per the IE screen shot above.
  • Close the Settings tab.

To set SSL in Firefox:

In Firefox you can check the minimum and maximum supported versions of TLS as follows:
In a new tab, type or paste about: config in the address bar and press Enter. Click the button promising to be careful.

In the Search box above the list, type or paste tls and pause while the list is filtered

To disable SSL3 and require TLS of a late enough version, double-click security.tls.version.min and enter the desired value:
  • 0 = SSL 3.0 okay
  • 1 = at least TLS 1.0
  • 2 = at least TLS 1.1 **this setting will be required for AFF**
To set the highest version, double-click security.tls.version.max and enter the desired value:
  • 0 = up to SSL 3.0
  • 1 = up to TLS 1.0
  • 2 = up to TLS 1.1 **at least this**
  • 3 = up to TLS 1.2
  • 4 = up to TLS 1.3


To set SSL config in Opera

Opera

Opera versions greater than 12 disable SSL3 by default, or alternatively, you may change the configuration of your browser as follows:
  1. Press Ctrl + F12.
  2. Click on “Advanced” tab.
  3. Click on “Security” on the left menu
  4. Click on “Security protocols”
  5. Uncheck “Enable SSL 3”
  6. Click “OK”


There are some other combinations that are known to have problems as they don't fully support the protocols being used. The table below identifies those that we know about and if you have one of those combinations then a browser is all that is required.





Best regards
Russ
__________________

__________________________________________________

Observatio Facta Rotae



Last edited by russellw; 17-10-2017 at 12:47 PM.
russellw is offline   Reply With Quote Multi-Quote with this Post
8 users like this post:
Old 17-10-2017, 11:29 AM   #2
solarite_guy
Donating Member
Donating Member1
 
solarite_guy's Avatar
 
Join Date: Feb 2008
Posts: 11,429
Technical Contributor: For members who share their technical expertise. - Issue reason: He continually offers Technical Advice that is based on years of experience and knowledge he has gained along the way. The advice has ranged from replies to questions across the various Threads to seeking information from OP and taking that away to undert 
Default Re: ** IMPORTANT - EOL for TLSv1**

Russ,

I have Vista 32 bit and IE9. I don't generally use IE9, instead I use Firefox 52.4.0 and Yandex 17.4.1.1026.

I can not upgrade beyond IE9

Although Vista was supposedly (?) patched to run TLS 1.1 and 1.2 IE9 was not and will not be. Also, supposedly (?) Firefox has it's own plug in runtime libraries which supposedly (?) can run 1.1 and 1.2. I guess I will find out.

I am not sure about Yandex, though it uses the Google Chrome engine.

Here is a screen shot of IE9 > Internet Settings > Advanced


Last edited by solarite_guy; 30-11-2017 at 12:47 AM.
solarite_guy is offline   Reply With Quote Multi-Quote with this Post
Old 17-10-2017, 12:04 PM   #3
russellw
Chairman & Administrator
Donating Member3
 
russellw's Avatar
 
Join Date: Dec 2004
Location: 1975
Posts: 107,270
Community Builder: In recognition of those who have helped build the AFF community. - Issue reason: Raptor: For Continued, and prolonged service to the wider Ford Community 
Default Re: ** IMPORTANT - EOL for TLSv1**

In Firefox you can check the minimum and maximum supported versions of TLS as follows:

In a new tab, type or paste about: config in the address bar and press Enter. Click the button promising to be careful.

In the Search box above the list, type or paste tls and pause while the list is filtered


To disable SSL3 and require TLS of a late enough version, double-click security.tls.version.min and enter the desired value:
  • 0 = SSL 3.0 okay
  • 1 = at least TLS 1.0
  • 2 = at least TLS 1.1 **this setting will be required for AFF**
To set the highest version, double-click security.tls.version.max and enter the desired value:
  • 0 = up to SSL 3.0
  • 1 = up to TLS 1.0
  • 2 = up to TLS 1.1 **at least this**
  • 3 = up to TLS 1.2
  • 4 = up to TLS 1.3
The Yandex browser should always try to negotiate as high up the SSL chain as it can.

Cheers
Russ
__________________

__________________________________________________

Observatio Facta Rotae



Last edited by russellw; 17-10-2017 at 12:11 PM.
russellw is offline   Reply With Quote Multi-Quote with this Post
Old 17-10-2017, 12:12 PM   #4
solarite_guy
Donating Member
Donating Member1
 
solarite_guy's Avatar
 
Join Date: Feb 2008
Posts: 11,429
Technical Contributor: For members who share their technical expertise. - Issue reason: He continually offers Technical Advice that is based on years of experience and knowledge he has gained along the way. The advice has ranged from replies to questions across the various Threads to seeking information from OP and taking that away to undert 
Default Re: ** IMPORTANT - EOL for TLSv1**

Thank you Russ.

I will give that a try.
solarite_guy is offline   Reply With Quote Multi-Quote with this Post
Old 17-10-2017, 12:23 PM   #5
mac_man_luke
FF.Com.Au Hardcore
 
mac_man_luke's Avatar
 
Join Date: Jul 2006
Location: South Australia
Posts: 2,149
Default Re: ** IMPORTANT - EOL for TLSv1**

seems a little over the top for a forum, seems like it will push quite a few people away just because they wont have the technical know how to fix the issue.
__________________
2015 Toyota Landcruiser 79 V8 SC
mac_man_luke is offline   Reply With Quote Multi-Quote with this Post
Old 17-10-2017, 12:51 PM   #6
russellw
Chairman & Administrator
Donating Member3
 
russellw's Avatar
 
Join Date: Dec 2004
Location: 1975
Posts: 107,270
Community Builder: In recognition of those who have helped build the AFF community. - Issue reason: Raptor: For Continued, and prolonged service to the wider Ford Community 
Default Re: ** IMPORTANT - EOL for TLSv1**

Quote:
Originally Posted by mac_man_luke View Post
seems a little over the top for a forum, seems like it will push quite a few people away just because they wont have the technical know how to fix the issue.
So you'd rather we leave the forum open to attacks through known vulnerabilities?

Apart from the edge cases listed above, the main issue with using TLSv1.1 is with Windows XP and IE6 both of which are more than a decade old and haven't been in support for several years.

Cheers
Russ
__________________

__________________________________________________

Observatio Facta Rotae


russellw is offline   Reply With Quote Multi-Quote with this Post
This user likes this post:
Old 17-10-2017, 01:43 PM   #7
DJR-351
I am Groot
Donating Member3
 
DJR-351's Avatar
 
Join Date: Dec 2007
Location: Burnett Heads, Qld
Posts: 6,840
Default Re: ** IMPORTANT - EOL for TLSv1**

So i guess i'm ok?

Running Windows 10/Chrome and settings below, which i haven't changed...

Last edited by DJR-351; 29-11-2017 at 08:34 PM.
DJR-351 is offline   Reply With Quote Multi-Quote with this Post
Old 17-10-2017, 02:56 PM   #8
russellw
Chairman & Administrator
Donating Member3
 
russellw's Avatar
 
Join Date: Dec 2004
Location: 1975
Posts: 107,270
Community Builder: In recognition of those who have helped build the AFF community. - Issue reason: Raptor: For Continued, and prolonged service to the wider Ford Community 
Default Re: ** IMPORTANT - EOL for TLSv1**

Quote:
Originally Posted by DJR-351 View Post
So i guess i'm ok?

Running Windows 10/Chrome and settings below, which i haven't changed...
According to that you should be but didn't you have an issue this morning when I disabled SSL3?

That might be an important clue as the two different tools I have used report differently about which protocols we have active so TLS1.2 & TLS1.1 may not be configured.

Cheers
Russ
__________________

__________________________________________________

Observatio Facta Rotae


russellw is offline   Reply With Quote Multi-Quote with this Post
Old 17-10-2017, 03:22 PM   #9
russellw
Chairman & Administrator
Donating Member3
 
russellw's Avatar
 
Join Date: Dec 2004
Location: 1975
Posts: 107,270
Community Builder: In recognition of those who have helped build the AFF community. - Issue reason: Raptor: For Continued, and prolonged service to the wider Ford Community 
Default Re: ** IMPORTANT - EOL for TLSv1**

I've made a small change to enable TLSv1 which appears to have worked fine and which should stop a repeat of the issue we had this morning.

Cheers
Russ
__________________

__________________________________________________

Observatio Facta Rotae


russellw is offline   Reply With Quote Multi-Quote with this Post
This user likes this post:
Old 17-10-2017, 04:43 PM   #10
DJR-351
I am Groot
Donating Member3
 
DJR-351's Avatar
 
Join Date: Dec 2007
Location: Burnett Heads, Qld
Posts: 6,840
Default Re: ** IMPORTANT - EOL for TLSv1**

Quote:
Originally Posted by russellw View Post
According to that you should be but didn't you have an issue this morning when I disabled SSL3?

That might be an important clue as the two different tools I have used report differently about which protocols we have active so TLS1.2 & TLS1.1 may not be configured.

Cheers
Russ
Thats right, when trying to logon i got the below message, everything ok now though...

Quote:
This site can’t provide a secure connection

www.fordforums.com.au uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
DJR-351 is offline   Reply With Quote Multi-Quote with this Post
Old 18-10-2017, 11:17 AM   #11
Maka
Au Falcon = Mr Reliable
 
Maka's Avatar
 
Join Date: Sep 2009
Location: North West Slopes & Plains NSW
Posts: 4,076
Valued Contributor: For members whose non technical contributions are worthy of recognition. - Issue reason: Embodiment of the AFF spirit in his efforts with ACP. 
Default Re: ** IMPORTANT - EOL for TLSv1**

Done, unchecked ssl 3.0 & now set to tls 1.2 (only checkbox to tick lol).

Didnt take long to fix with Russell's instructions, havent used the old pc (xp sp3) for a long time but my outlook on android is still somehow linked to it doh lol. All good now!

Thanks heaps for your help Russell, keep up the great work!

cheers, Maka
__________________
Ford AU Series Magazine Scans Here - www.fordforums.com.au/photos/index.php?cat=2792

Proud owner of a optioned keeper S1 Tickford Falcon AU XR6 VCT - "it's actually a better-balanced car than the XR8, goes almost as hard and uses about two-thirds of the fuel" (Drive.com 2007)
Maka is offline   Reply With Quote Multi-Quote with this Post
Reply


Forum Jump


All times are GMT +11. The time now is 11:04 AM.


Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Other than what is legally copyrighted by the respective owners, this site is copyright www.fordforums.com.au
Positive SSL