VNPT has weird modems because they don't let me access them with a normal browser. Once, support told me to install a browser app on my phone to be able to access the modem settings. But I uninstalled it afterwards and forgot about it. So, as usual, I have to figure out why and how to fix it consistently.

When I try to access my gateway IP using Chrome, this error shows.

This site can’t provide a secure connection
192.168.1.1 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don’t support a common SSL protocol version or cipher suite.

The full URL I got redirected to was https://192.168.1.1/cgi-bin/index.asp. So this modem provides an HTTPS web interface but somehow that certificate is not a valid one. Normally, when a certificate is self-signed, we still have an advanced button to proceed. This time there wasn’t one.

So I decided to use openssl to debug the provided TLS certificate. Of course I’m an absolute openssl noob, so I had to Google the subcommand for checking a certificate.

$ openssl s_client  -cipher -connect 192.168.1.1:443
Call to SSL_CONF_cmd(-cipher, -connect) failed
40676F97C47C0000:error:0A0000B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2745:

It failed, with an even weirder error, but I guessed it might use some TLS standard that is not allowed in browsers like Chrome. Maybe it’s just less secure. Googling a bit more, I found an option to allow a less secure TLS standard.

$ openssl s_client -cipher DEFAULT@SECLEVEL=1  -connect 192.168.1.1:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = VN, ST = Hanoi, L = Hanoi, CN = VNPTT
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = VN, ST = Hanoi, L = Hanoi, CN = VNPTT
verify return:1
---
Certificate chain
 0 s:C = VN, ST = Hanoi, L = Hanoi, CN = VNPTT
   i:C = VN, ST = Hanoi, L = Hanoi, CN = VNPTT
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Oct 20 04:11:52 2018 GMT; NotAfter: Oct 17 04:11:52 2028 GMT
---
Server certificate
subject=C = VN, ST = Hanoi, L = Hanoi, CN = VNPTT
issuer=C = VN, ST = Hanoi, L = Hanoi, CN = VNPTT
---
No client certificate CA names sent
---
SSL handshake has read 1165 bytes and written 623 bytes
Verification error: self-signed certificate
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 819B5BD98708AACDDB26ED1A8A539410A88628C954F19C1564B4D8713286A30D
    Session-ID-ctx: 
    Master-Key: 07126DE33EB0AF3441EE3943C4D5F5EF7C0D34E8F1838D23C5681FA3FC9EC11035B3653553107500DCB65BA5F507ECD7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    Start Time: 1711637744
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
---

I only care about this part: it is TLSv1, and Chrome doesn’t support it.

SSL-Session:
    Protocol  : TLSv1
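
An added example (not part of the original post): a small Python parser that pulls the negotiated parameters out of openssl s_client output and lists the ones a current browser rejects or distrusts. The sample text is a constructed excerpt of the output above; the function names and finding labels are assumptions made for illustration.

```python
import re

# Constructed sample: a shortened excerpt of the s_client output shown above.
SAMPLE = """\
verify error:num=18:self-signed certificate
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
New, SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 18 (self-signed certificate)
"""

# Anchored at line start so "New, SSLv3, Cipher is ..." is not mistaken
# for the "Cipher    : ..." field of the SSL-Session block.
FIELDS = {
    "protocol": r"^\s*Protocol\s*:\s*(\S+)",
    "cipher": r"^\s*Cipher\s*:\s*(\S+)",
    "sigalg": r"sigalg:\s*(\S+)",
    "verify_code": r"Verify return code:\s*(\d+)",
}
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_s_client(text):
    """Extract the negotiated parameters; a missing field becomes None."""
    info = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        info[name] = m.group(1) if m else None
    return info


def audit(info):
    """Return (id, message) pairs for settings current browsers reject or distrust."""
    out = []
    if info["protocol"] in DEPRECATED:
        out.append(("old-protocol", f"{info['protocol']} is below TLS 1.2"))
    cipher = info["cipher"]
    # Heuristic: OpenSSL names ephemeral suites ECDHE-*/DHE-*, TLS 1.3 suites TLS_*.
    if cipher and "DHE" not in cipher and not cipher.startswith("TLS_"):
        out.append(("no-forward-secrecy", f"{cipher} has no ephemeral key exchange"))
    if info["sigalg"] and re.search(r"SHA1|MD5", info["sigalg"], re.I):
        out.append(("weak-signature", f"certificate signed with {info['sigalg']}"))
    if info["verify_code"] not in (None, "0"):
        out.append(("untrusted-cert", f"verify return code {info['verify_code']}"))
    return out


if __name__ == "__main__":
    for ident, message in audit(parse_s_client(SAMPLE)):
        print(f"{ident}: {message}")
```

On the modem's output all four findings fire, and the first one alone is enough for Chrome to refuse the connection before any certificate warning page is offered.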

I tried finding an option in chrome://flags to turn it off (or on) but there isn’t an option related to TLSv1, only 1_3.
At this point I thought I had no way to connect to my modem. But suddenly, I remembered Firefox, the one I opened to download Chrome (or maybe Zalo) and never touched again.

And yes, there’s a configuration option, security.tls.version.enable-deprecated, in about:config. After turning it on, I can access the modem settings successfully.

The lesson is: don’t uninstall Firefox. You will need it one day. It is the best browser we have, but we don’t deserve it.