SSLv3 on UBNT APs


  • Wed 10 June 2015
  • misc

A couple of weeks ago we went on our annual camping trip. A staple of this trip for the past few years has been some wireless gear made by Ubiquiti which we use to establish a link to the dining hall, and thus improve the wifi coverage in our cabin to usable levels.

Specifically, this equipment is Nanostation 2 Loco and Picostation units. These devices are getting a little old, and the most recent software upgrade for them was published in March 2013. So, they're end of life / end of support (though still purchasable), but continuing to perform their job admirably.

Along came September 2014 and the POODLE attack, and SSLv3 has gone from being retro-but-tolerated to downright unfashionable.

Unfortunately, despite running lighttpd 1.4.28 (or so the headers say) which should be capable of TLS, the Ubiquiti devices seem to support only SSLv3:

merlot:~ rs$ openssl s_client -connect 172.24.0.2:443 -status | grep Protocol
depth=0 /C=US/ST=CA/L=San Jose/O=Ubiquiti Networks Inc./OU=Technical Support/CN=UBNT/emailAddress=support@ubnt.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=CA/L=San Jose/O=Ubiquiti Networks Inc./OU=Technical Support/CN=UBNT/emailAddress=support@ubnt.com
verify return:1
Protocol  : SSLv3
^C
merlot:~ rs$

and if you try to force them to do TLS, they say no thanks:

merlot:~ rs$ openssl s_client -connect 172.24.0.2:443 -status -tls1
CONNECTED(00000003)
72506:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-52.8.3/src/ssl/s3_pkt.c:300:
merlot:~ rs$
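The two manual openssl checks above answer the question for one device, but a herd of APs deserves a repeatable test. The following Python example is added here and is not code from the original post or from Ubiquiti: it pins `openssl s_client` to one protocol version at a time, parses the result for either a `Protocol :` line or the `wrong version number` failure shown above, and labels the host `sslv3-only`, `sslv3-enabled`, `tls-only` or `no-handshake`. It assumes an `openssl` binary on PATH whose `s_client` still accepts the `-ssl3`, `-tls1`, `-tls1_1` and `-tls1_2` switches (older builds lack the last two, newer builds lack `-ssl3`; either case surfaces as an `unknown option` error rather than as a refusal by the server). The AP address `172.24.0.2` is taken from the post only as a default; the embedded sample outputs are constructed from the transcripts above for the offline demo.

```python
"""Probe a host with openssl s_client, one pinned SSL/TLS version at a time.

Added example, not from the original post. Assumes an `openssl` binary on PATH.
"""
import re
import shutil
import subprocess
import sys

# s_client switches that pin the client to exactly one protocol version.
VERSION_FLAGS = {
    "SSLv3": "-ssl3",
    "TLSv1": "-tls1",
    "TLSv1.1": "-tls1_1",
    "TLSv1.2": "-tls1_2",
}

# Strings OpenSSL emits when a pinned version is refused, unusable or unreachable.
FAILURE_PATTERNS = re.compile(
    r"(wrong version number|handshake failure|unsupported protocol|"
    r"protocol version|unknown option|connect:errno|probe timeout)",
    re.IGNORECASE,
)

# Constructed sample outputs, trimmed from the two transcripts in the post.
# The TLSv1.1/TLSv1.2 entries reuse the -tls1 failure; the post only showed -tls1.
_REFUSED = (
    "CONNECTED(00000003)\n"
    "72506:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:"
    "/SourceCache/OpenSSL098/OpenSSL098-52.8.3/src/ssl/s3_pkt.c:300:\n"
)
SAMPLE_OUTPUTS = {
    "SSLv3": (
        "depth=0 /C=US/ST=CA/L=San Jose/O=Ubiquiti Networks Inc./OU=Technical Support"
        "/CN=UBNT/emailAddress=support@ubnt.com\n"
        "verify error:num=18:self signed certificate\n"
        "verify return:1\n"
        "Protocol  : SSLv3\n"
    ),
    "TLSv1": _REFUSED,
    "TLSv1.1": _REFUSED,
    "TLSv1.2": _REFUSED,
}


def parse_s_client(output: str) -> dict:
    """Extract the negotiated protocol and any failure from s_client's combined output."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.MULTILINE)
    failure = FAILURE_PATTERNS.search(output)
    # Newer s_client prints the session block even on failure, with no cipher.
    no_cipher = "Cipher is (NONE)" in output
    return {
        "protocol": proto.group(1) if proto else None,
        "error": failure.group(1).lower() if failure else None,
        "handshake_ok": proto is not None and failure is None and not no_cipher,
    }


def classify(results: dict) -> str:
    """Summarise per-version results from parse_s_client into one verdict."""
    accepted = {version for version, r in results.items() if r["handshake_ok"]}
    if not accepted:
        return "no-handshake"
    if accepted == {"SSLv3"}:
        return "sslv3-only"
    if "SSLv3" in accepted:
        return "sslv3-enabled"
    return "tls-only"


def classify_samples() -> str:
    """Offline demo: classify the constructed sample outputs (no network needed)."""
    return classify({v: parse_s_client(out) for v, out in SAMPLE_OUTPUTS.items()})


def probe_version(host: str, port: int, flag: str, timeout: float = 15.0) -> str:
    """Run one pinned s_client handshake and return its combined stdout+stderr."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", flag]
    try:
        # Empty stdin makes s_client exit as soon as the handshake finishes.
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired as exc:
        return (exc.stdout or b"").decode(errors="replace") + "\nprobe timeout\n"
    return (proc.stdout + proc.stderr).decode(errors="replace")


def probe_host(host: str, port: int = 443) -> dict:
    """Probe every version in VERSION_FLAGS against one host:port."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl not found on PATH")
    return {v: parse_s_client(probe_version(host, port, f)) for v, f in VERSION_FLAGS.items()}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "172.24.0.2"  # the post's AP address
    results = probe_host(host)
    for version, r in results.items():
        print(f"{version:8} {'OK' if r['handshake_ok'] else 'refused'}  {r['error'] or ''}")
    print("verdict:", classify(results))
```

Run it as `python3 probe.py 172.24.0.2` against each AP and keep the `sslv3-only` ones on a list of devices that can only be reached from an isolated management host. One caveat: the verdict rests on whichever versions your local `openssl` can actually offer, so an `unknown option` error for `-tls1_2` says nothing about the server; check the `error` column before trusting a `no-handshake` result.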

Now, this might not have been such a big deal except that Firefox, which I pretty much only use for configuring these gizmos (preferring to use Safari and Chrome for most of my daily work) right about then started bugging me to let it upgrade. Once it saw Internet connectivity, it eventually took matters into its own hands and upgraded itself on restart... which was a big problem since the new Firefox doesn't do SSLv3. I was reduced to digging around for an old version of Opera that was tucked away from a project two years ago in order to configure the remaining APs, and pray that Opera didn't try a similar auto-update and completely lock me out of my herd of APs...

It would be awfully nice if Ubiquiti would do one last update to the software for these devices to fix that little problem.

It'd also be nice if one could tell Firefox to "go ahead and do SSLv3 for this particular host, because it's old embedded stuff" though I can see why they wouldn't want to do that.

Most of all, it would be nice if Firefox understood that "no means no" and there are sometimes valid reasons to keep software with vulnerable crypto in them around. At least it's better than running in the clear.

Update 20150815: You can fix Firefox to do this, which is a bit dangerous if you use Firefox a lot (I only fire it up to talk to things that don't play well with Safari or Chrome). In about:config, set security.tls.version.min to 0. More at https://support.mozilla.org/en-US/questions/1042061