Deliberately circumventing browser security is NOT a good idea.
OK, with that mandatory common-sense warning out of the way, those of you who know why we’re doing this are welcome to continue reading.
Today was the *second* occasion in the last fortnight where I’ve needed to talk to a customer’s SBC that was still running a relatively ancient version of firmware – and none of my browsers would let me circumvent modern-day security practices to access these “unsecure” sites. The Catch-22 is of course that the only way to upgrade their inbuilt web-server to use currently secure protocols is via their present-day obsolete web-server, which your browser is “correctly” shielding you from.
These are the sorts of messages you’ll encounter if you try to browse to a Sonus or AudioCodes SBC that’s been neglected, languishing on old firmware, and unless you’re mighty lucky, you’re not going to get anywhere:
IE
Can't connect securely to this page
This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website's owner.
This page can't be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https:// <blah> again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
Chrome
This site can't provide a secure connection
<blah> uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don’t support a common SSL protocol version or cipher suite.
Firefox
Secure Connection Failed
An error occurred during a connection to <blah>. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
- The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
- Please contact the website owners to inform them of this problem.
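All three browsers are reporting the same handshake outcome. The following is an added example, not part of the original post: it classifies the first TLS record a device sends back, so you can tell from a packet capture whether it picked an old protocol version or an RC4 suite, or rejected the handshake with an alert. The sample bytes are constructed, and the device choosing an RC4 suite is an assumption based on the error text above.

```python
import struct

# Code points from the SSL/TLS specifications; only the ones this page's errors involve.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
RC4_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}


def classify_reply(record: bytes) -> dict:
    """Classify the first TLS record a server returns after a ClientHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    if ctype == 21:  # alert record: level(1) description(1)
        if length < 2:
            raise ValueError("truncated alert")
        return {"kind": "alert", "alert": ALERTS.get(body[1], f"alert {body[1]}")}
    if ctype != 22 or length < 39 or body[0] != 2:
        raise ValueError("not a complete ServerHello handshake record")
    # ServerHello: type(1) len(3) version(2) random(32) sid_len(1) sid cipher(2) ...
    # TLS 1.3 servers put 0x0303 here and the real version in an extension (not handled).
    version, sid_len = struct.unpack("!H", body[4:6])[0], body[38]
    end = 39 + sid_len + 2
    if length < end:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", body[end - 2:end])[0]
    return {"kind": "server_hello", "version": VERSIONS.get(version, hex(version)),
            "suite": RC4_SUITES.get(suite, hex(suite)), "rc4": suite in RC4_SUITES}


def build_server_hello(version: int, suite: int) -> bytes:
    """Build a minimal ServerHello record (constructed sample, not a capture)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake


# Constructed samples: a device answering an old client with TLS 1.0 + RC4, and the
# fatal alert a device can send when the client offers nothing it supports.
OLD_DEVICE_HELLO = build_server_hello(0x0301, 0x0005)
NO_OVERLAP_ALERT = bytes([21, 0x03, 0x01, 0x00, 0x02, 2, 40])

if __name__ == "__main__":
    for sample in (OLD_DEVICE_HELLO, NO_OVERLAP_ALERT):
        print(classify_reply(sample))
```

A `server_hello` result with `rc4` set, or a version below TLS 1.2, tells you what the firmware upgrade needs to change; an `alert` result is what a current browser gets from such a device.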
Quick Fixes
SSL 3.0
If you’re lucky, you might be able to just get away with re-enabling SSL 3.0 in IE:
(This only worked for me in one of my scenarios, where the SBC firmware was only maybe 12 months old)
Try http!
OK, this won’t work with a Sonus, but you might get lucky and find an AudioCodes will let you in via http! (The AC SBCs default to accepting connections on http *and* https).
Windows 7
This seems to be a popular go-to for lots of people:
I’ve resorted to an old laptop with Windows 7 running IE11 to access web interface on those.
— Jeffrey Nitta (@nittajef) November 13, 2017
security.tls.version.fallback-limit = 1
This one’s suggested on a Firefox support forum. It didn’t work for me, but you might have more luck.
In order to change your Firefox Configuration please do the following steps:
- In the Location bar, type about:config and press Enter.
- The about:config “This might void your warranty!” warning page may appear.
- Click I’ll be careful, I promise! to continue to the about:config page.
- Change security.tls.version.fallback-limit = 1
Firefox Portable
A few people suggested trying Firefox Portable, a standalone build of Firefox that can be run from a memory stick (Wikipedia). They don’t appear to keep their own repo of old versions, and I didn’t know whether I could trust any of the sites that did, so I moved on.
Try an old build of Firefox
If you’re still at a loss after trying all of the above, hopefully the Firefox archive will be your salvation. Having reviewed the detailed release history on Wikipedia, these two major releases caught my eye:
Firefox 40.0 Released August 11, 2015
- Support for Windows 10
Firefox 44.0 Released January 26, 2016
- Firefox has removed support for the RC4 cipher.
That led me to settle on the last bugfix update immediately prior to the removal of RC4:
Firefox 43.0.4 Released January 6, 2016
https://ftp.mozilla.org/pub/firefox/releases/43.0.4/win64/en-GB/ and the file “Firefox Setup 43.0.4.exe”.
My fix: Installing Firefox 43.0.4
It should come as no surprise to learn that Firefox defaults to “check for updates” enabled on install, and despite me thinking I’d gotten to that in time, it was already updating itself!
See if you’re quicker than me to turn this off:
Hamburger / Options / Advanced / Update: “Never check for updates (not recommended: security risk)”
My suggestion here is to either disconnect from the Internet when you run Setup, or move quickly. If you weren’t quick enough and it’s already wanting to update itself, just decline the UAC prompt:
At this point you’ll still have the remainder of this session left to talk to your SBC and get its firmware to current.
I installed & uninstalled Firefox repeatedly while preparing this post, and it looks like it leaves its settings behind when it’s removed. That means that even if it upgrades on you (after you’ve said not to), a fresh uninstall & reinstall will leave you with a version that won’t update on you.
Tada! Hopefully from this point it will be plain sailing.
References
I thank my colleagues for their suggestions, as well as everyone who responded to my Tweet:
Anyone have tips for browser or settings for an *old* @sonusnet SBC 1k/2k? I keep getting “Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP”.
Enabling SSL 3.0 & TLS 1.0 didn’t work. Firefox settings tweaked: nogo.
— Greig Sheridan (@greiginsydney) November 13, 2017
Revision History
5th December 2017: This is the initial post.
– G.
Hi Greig,
I’ve never had the pleasure of logging in to a Sonus, but on the AudioCodes side you can change the cipher suite used via the CLI.
I did write a quick blog post about it.
https://www.lee-ford.co.uk/unable-to-browse-to-audiocodes-mediant-via-https/
– Lee