Slash Boxes

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 12 submissions in the queue.
posted by NCommander on Wednesday July 05 2023, @02:23AM   Printer-friendly
from the ssl-negotations-are-complex dept.

So, I know its been a bit quiet here, but we're working through getting through the last few items relating to cutting over to newer infrastructure. As such, its been working through the bug list, and there's one issue I want to get some feedback on.

Back in November when the infrastructure was upgraded to Ubuntu 22.04, a few users with older devices stopped being able to connect to SoylentNews. This confused me, since we've been using the same NGINX SSL termination setup that has been in use since at least 2016. Well, I finally found the root cause, and as it turns out, Canonical bumped up the minimum OpenSSL security level, which disabled several ciphers, and broke devices not supporting TLS 1.2 or later.

By testing the site with the SSL Labs site checker, it appears anything older than Android 4.0, or iOS 5 is broken. This mostly seems to be devices that are over a decade old at this point, and won't be able to browse the vast majority of sites on the Internet as is. We discussed this internally a bit, and I'm of the opinion that its not worth re-enabling the older ciphers to allow these devices to reconnect, especially since we're working to modernize the stack, and get it as up to date as we can get it. I also believe we had very few users who were actually affected by this, however, as the editors did get a few emails about SN breaking after the site upgrade, I wanted to poll the community, and make sure this is not a more widespread issue than initially believed.

Ultimately, this is going to be part of a broader discussion on what we will and won't support on SoylentNews going forward, and this seems as good of place as any to get the ball rolling.

~ NCommander

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Interesting) by gnuman on Wednesday July 05 2023, @02:37PM (3 children)

    by gnuman (5013) on Wednesday July 05 2023, @02:37PM (#1314550)

    So, I was in The Philippines the other month and was blocked. The only way I was able to access it is via VPN. The moral of the story is, why are we worried about old TLS ciphers but are blocking IPs from whole nations because?

    Starting Score:    1  point
    Moderation   +3  
       Interesting=3, Total=3
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 2) by gnuman on Wednesday July 05 2023, @08:58PM (2 children)

    by gnuman (5013) on Wednesday July 05 2023, @08:58PM (#1314616)

    Also, the blocking was done on the side of things ;)

    • (Score: 2) by kolie on Thursday July 06 2023, @04:44PM (1 child)

      by kolie (2622) on Thursday July 06 2023, @04:44PM (#1314770) Journal

      I'm fairly certain no blocking of the sort is in place. Feel free to respond with more details.

      • (Score: 0) by Anonymous Coward on Saturday July 08 2023, @10:28PM

        by Anonymous Coward on Saturday July 08 2023, @10:28PM (#1315150)

        Multiple people, including myself, have complained about countries being blocked. In my experience, it seems to mostly affect SE Asia. My suspicion is that those "block lists" Janrinok has mentioned of unknown provenance blocks those places. That's not too surprising if you apply your expectations of 1st world RIR/LIR policies to 3rd world RIRs/LIRs.