SSLv3 is broken, and you shouldn’t use it any more. However, there’s still lots of old hardware with embedded web interfaces that use it, like air conditioners, UPSs and other stuff. Essentially this hardware has been abandoned by its manufacturers, and there’s no hope of there being a firmware update for it.
At the same time browsers are dropping support for SSLv3, such as Firefox 39 (released 2015-07-02), and you can’t access your devices. One option, even worse than using SSLv3, is to disable SSL entirely and use clear, unencrypted HTTP, but you don’t want that. Instead, you can use a reverse proxy. On an internal webserver, we simply added these lines (these were for Apache 2.2):
# Needed for https:// backends (mod_ssl); harmless if already set elsewhere
SSLProxyEngine On
ProxyPass /olddevice/ https://olddevice.example.com/
ProxyPassReverse /olddevice/ https://olddevice.example.com/
Now when you go to https://internalwebserver/olddevice/ it will pass through your request, encrypted, to the old device and everything is fine. You can add as many as you need. Of course, you should be using TLS on this web server, or it’s all a bit of a waste of time. 🙂
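A fuller version of the proxy set-up described above, as an added example and not the author's own configuration: it keeps SSLv3 confined to the hop between the proxy and the device, refuses it on the browser-facing side, and limits who may reach the device through the proxy. The certificate paths, the exported device certificate and the 192.0.2.0/24 client range are placeholders, and it assumes the OpenSSL build behind this Apache 2.2 can still speak SSLv3.

```apache
# Added example; hostnames, paths and the client range are placeholders.
<VirtualHost *:443>
    ServerName internalwebserver

    # Browser-facing side: current protocols only, SSLv2/SSLv3 refused.
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/ssl/certs/internalwebserver.pem
    SSLCertificateKeyFile /etc/ssl/private/internalwebserver.key

    # Device-facing side: the only place SSLv3 is still spoken.
    # Applies to every backend proxied from this virtual host.
    SSLProxyEngine On
    SSLProxyProtocol SSLv3

    # mod_ssl does not check the backend certificate by default.
    # Trusting only the device's exported certificate authenticates the
    # weak hop; this assumes the certificate has not expired and is still
    # acceptable to the proxy's OpenSSL.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/olddevice.pem

    # Reverse proxy only, never an open forward proxy.
    ProxyRequests Off

    # The proxy is now the way in to the device, so limit who can use it.
    <Location /olddevice/>
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24
        ProxyPass https://olddevice.example.com/
        ProxyPassReverse https://olddevice.example.com/
    </Location>
</VirtualHost>
```

Inside a `<Location>` block, `ProxyPass` and `ProxyPassReverse` take the path from the block, so only the backend URL is given.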
In work we use LTSP to boot up thin clients. Nothing runs locally on these thin clients; they’re used for either VNC or rdesktop access. One problem we had was that if the LTSP server was rebooted, the NBD client would lose its connection to the server and never re-establish it. This mattered because we want to be able to remotely shut down thin clients overnight.
So, we came up with a quick and dirty way of copying the root filesystem image locally to the thin client. Your thin client needs to have enough free RAM to store it all (these are diskless), and in our case the image is about 290MB while the thin clients have 1GB RAM. We don’t need much RAM for the actual system just to run X and VNC/rdesktop.
ltsp-chroot, then add the following contents to a new file called
#!/bin/sh
# Copy entire image from LTSP server, through NBD
case $1 in
    prereqs)
        # Answer initramfs-tools' prerequisite query; none declared
        exit 0
        ;;
esac
dd if=/dev/nbd0 of=/dev/ltsp.img
nbd-client -d /dev/nbd0
mv /dev/nbd0 /dev/nbd0.orig
ln -s /dev/ltsp.img /dev/nbd0
It’s very simple. We’re adding a small script to the “INITial RAM FileSystem” that Linux uses in the early stages of booting up. It uses dd to pull the entire root filesystem from the LTSP server, which in practice only takes a few seconds. Then it stops the nbd-client, and moves our new local copy into the place where the rest of LTSP expects to find it.
When you’ve created the file, and still within the ltsp-chroot, run:
to rebuild the initramfs.
Finally, exit from the ltsp-chroot and from the main server run
to copy the new initramfs in the TFTP server’s path.