ssl errors for some people on kong

[erosson]

"The client and server don't support a common SSL protocol version or cipher suite. This is usually caused when the server needs SSLv3 support, which has been removed." - Huh, guess that "Poodle" exploit broke the game.. ? (google poodle or padded oracle on downgraded legacy encryption)

SSLv3 Removed...

i cant play this game on chrome, it said that there's problem because the client and server dont support the same SSL.

[erosson]

every report of this says they're using chrome (or doesn't say). the latest chrome removed sslv3; cloudflare's also removed sslv3. google has a few references to this being a virus. but with how many people are reporting this... that's a whole bloody lot of viruses. doesn't mean it's impossible, but we need to keep looking.

Pasted them all this response:

Still investigating this problem. Could you tell me what browser version you're using, and if this page - https://zmap.io/sslv3/sslv3test.html - thinks your browser supports SSLv3? It'll help me figure this out; thanks!

[jrynd]

Could also be a transparent proxy a la Lenovo's SuperFish...which is basically indistinguishable from a virus.

[erosson]

This is a really good point, thanks! I'm now sending people with this problem to https://www.howsmyssl.com/ and https://filippo.io/Badfish/ - waiting and seeing how they respond.

User responses to https://zmap.io/sslv3/sslv3test.html I've read have all said "good news, no sslv3".

[erosson]

everyone who's responded (5-10 folks, I think?) have said https://www.howsmyssl.com/ and https://filippo.io/Badfish/ say they're good. Not sure what to try next, except for #401. everyone who's gone to https://swarmsim.github.io has no problems either.

My best guess now is that this is somehow SNI-related, since cloudflare/www.swarmsim.com sees this error but swarmsim.github.io does not (https://support.cloudflare.com/hc/en-us/articles/203274000-Does-CloudFlare-s-free-Universal-SSL-have-limitations-) - but everyone reporting this error is using the latest Chrome, and SNI's been in Chrome for ages.

[erosson]

My best guess now is that this is somehow SNI-related

Yes: https://www.cloudflare.com/ssl

Google Chrome: Supported on Vista and later by default

So no winxp support. It's winxp users seeing this! I knew old browsers would fail, but didn't think that an old os would affect anything. Should've read more carefully.

I could just recommend everyone seeing this error use firefox, which works fine... but really, it's worth $20/month to just make this go away: https://www.cloudflare.com/plans

After upgrading, a winxp vm from http://modern.ie verifies this is a) caused by winxp and b) now fixed.

[jrynd]

The reason is that Chrome on Windows doesn't use its own SSL libraries; it uses the Windows SSL libraries so it can have access to the same certificate store as IE (in hopes that it will "just work" with intranet site).

On Fri, Feb 27, 2015 at 9:36 PM, Evan Rosson notifications-at-github.com |github/send to gmail| 8rru51pjst@sneakemail.com wrote:

My best guess now is that this is somehow SNI-related

Yes: https://www.cloudflare.com/ssl

Google Chrome: Supported on Vista and later by default

So no winxp support. It's winxp users seeing this! I knew old browsers would fail, but didn't think that an old os would affect anything. Should've read more carefully.

I could just recommend everyone seeing this error use firefox, which works fine... but really, it's worth $20/month to just make this go away: https://www.cloudflare.com/plans

After upgrading, a winxp vm from http://modern.ie verifies this is a) caused by winxp and b) now fixed.

— Reply to this email directly or view it on GitHub https://github.com/erosson/swarm/issues/337#issuecomment-76505895.