Tricking Windows 10 into talking to an old SBC

 

Deliberately circumventing browser security is NOT a good idea.

OK, with that mandatory common-sense warning out of the way, those of you who know why we’re doing this are welcome to continue reading.

Today was the *second* occasion in the last fortnight where I’ve needed to talk to a customer’s SBC that was still running a relatively ancient version of firmware – and none of my browsers would let me circumvent modern-day security practices to access these “unsecure” sites. The Catch-22 is of course that the only way to upgrade their inbuilt web-server to use currently secure protocols is via their present-day obsolete web-server, which your browser is “correctly” shielding you from.

These are the sorts of messages you’ll encounter if you try to browse to a Sonus or AudioCodes SBC that’s been neglected, languishing on old firmware, and unless you’re mighty lucky, you’re not going to get anywhere:

 

IE

Can't connect securely to this page
This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website's owner.


This page can't be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https:// <blah> again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.


 

Chrome

This site can't provide a secure connection
<blah> uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol The client and server don’t support a common SSL protocol version or cipher suite.


 

Firefox

Secure Connection Failed
An error occurred during a connection to <blah>. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
• The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
• Please contact the website owners to inform them of this problem.


 

Quick Fixes

SSL 3.0

If you’re lucky, you might be able to just get away with re-enabling SSL 3.0 in IE.

(This only worked for me in one of my scenarios, where the SBC firmware was only maybe 12 months old)

 

Try http!

OK, this won’t work with a Sonus, but you might get lucky and find an AudioCodes will let you in via http! (The AC SBCs default to accepting connections on http *and* https).


 

Windows 7

This seems to be a popular go-to for lots of people:


 

security.tls.version.fallback-limit = 1

This one’s suggested on a Firefox support forum. It didn’t work for me, but you might have more luck.

To change your Firefox configuration, follow these steps:

  1. In the Location bar, type about:config and press Enter.
  2. The about:config “This might void your warranty!” warning page may appear.
  3. Click I’ll be careful, I promise! to continue to the about:config page.
  4. Set security.tls.version.fallback-limit to 1.

 

Firefox Portable

A few people suggested trying Firefox Portable, a standalone build of Firefox that can be run from a memory stick (Wikipedia). They don’t appear to keep their own repo of old versions, and I didn’t know whether I could trust any of the sites that did, so I moved on.

 

Try an old build of Firefox

If you’re still at a loss after trying all of the above, hopefully the Firefox archive will be your salvation. Having reviewed the detailed release history on Wikipedia, these two major releases caught my eye:

Firefox 40.0 Released August 11, 2015

  • Support for Windows 10

Firefox 44.0 Released January 26, 2016

  • Firefox has removed support for the RC4 decipher.

That led me to settle on the last bugfix update immediately prior to the removal of RC4:

Firefox 43.0.4 Released January 6, 2016 https://ftp.mozilla.org/pub/firefox/releases/43.0.4/win64/en-GB/ and the file “Firefox Setup 43.0.4.exe”.

 

My fix: Installing Firefox 43.0.4

It should come as no surprise to learn that Firefox defaults to “check for updates” enabled on install, and despite me thinking I’d gotten to that in time, it was already updating itself!


See if you’re quicker than me to turn this off:

Hamburger / Options / Advanced / Update: “Never check for updates (not recommended: security risk)”


My suggestion here is to either disconnect from the Internet when you run Setup, or move quickly. If you weren’t quick enough and it’s already wanting to update itself, just decline the UAC prompt.

At this point you’ll still have the remainder of this session left to talk to your SBC and get its firmware to current.

I installed & uninstalled Firefox repeatedly while preparing this post, and it looks like it leaves its settings behind when it’s removed. That means that even if it upgrades on you (after you’ve said not to), a fresh uninstall & reinstall will leave you with a version that won’t update on you.

Tada! Hopefully from this point it will be plain sailing.


 

References

I thank my colleagues for their suggestions, as well as everyone who responded to my Tweet:

 

Revision History

5th December 2017: This is the initial post.

 

– G.
