Gaia Portal cannot load showing ERR_SSL_VERSION_OR_CIPHER_MISMATCH error in the browser
Version: R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R77, R77.10, R77.20
A vulnerability scan shows that a machine running Gaia OS is vulnerable to CVE-2013-2566: SSL RC4 cipher suites are supported by Gaia Portal.
Web browsers with the RC4 cipher disabled are not able to connect to Gaia Portal.
Example from Google Chrome browser when connecting to Gaia Portal:
This site can't provide a secure connection
X.X.X.X uses an unsupported protocol.
And when clicking on DETAILS:
The client and server don't support a common SSL protocol version or cipher suite.
This is likely to be caused when the server needs RC4, which is no longer considered secure.
The CRIME attack requires an attacker's agent component to execute inside the victim's web browser.
The attack may be mitigated by disabling SSL/TLS compression in the web browser or on the web server.
All web browser vendors have released versions that disable SSL/TLS compression. Therefore, this vulnerability is not relevant today.
Some vulnerability scanners may report Gaia Portal to be vulnerable to CVE-2012-4929 / CVE-2012-4930 / CVE-2013-2566.
However, since this attack requires a non-patched browser, and all browsers are patched today, such reports are false positives.
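An added example (not from the original article or from Check Point): a small Python parser that reads a captured TLS ServerHello record and reports whether the server selected an RC4 cipher suite or a non-null compression method, the two conditions behind the scanner findings above. The function names, the RC4 subset table and the sample bytes are constructed for illustration.

```python
import struct

# Subset of the IANA-registered RC4 cipher suites (all are prohibited by RFC 7465).
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
COMPRESSION = {0x00: "null", 0x01: "DEFLATE"}  # DEFLATE is defined in RFC 3749


def parse_server_hello(record: bytes) -> dict:
    """Return the cipher suite and compression method the server selected."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    # 0x16 = handshake record, 0x02 = ServerHello handshake message
    if ctype != 0x16 or len(body) != rec_len or rec_len < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # Layout: version(2) random(32) sid_len(1) sid(n) suite(2) compression(1)
    if len(hello) < 35 or len(hello) < 38 + hello[34]:
        raise ValueError("truncated ServerHello body")
    off = 35 + hello[34]  # skip the variable-length session id
    suite, comp = struct.unpack("!HB", hello[off:off + 3])
    return {"suite": suite, "compression": comp}


def triage(record: bytes) -> list:
    """List the findings that apply to one ServerHello."""
    info = parse_server_hello(record)
    findings = []
    if info["suite"] in RC4_SUITES:
        findings.append("RC4 selected: " + RC4_SUITES[info["suite"]])
    if info["compression"] != 0x00:
        name = COMPRESSION.get(info["compression"], "unknown")
        findings.append("TLS compression selected: " + name)
    return findings


def build_sample(suite: int, comp: int) -> bytes:
    """Constructed sample: TLS 1.0 ServerHello, zero random, empty session id."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!HB", suite, comp)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

An empty result from `triage` means the server chose neither RC4 nor compression for that particular handshake; the outcome depends on what the client offered.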
Web browser vendors deprecate the use of RC4 Cipher Suites based on RFC 7465 - Prohibiting RC4 Cipher Suites: