Re: SSL bump fails accessing .gov.uk servers

On 10/31/2014 10:12 PM, Amos Jeffries wrote:
> On 1/11/2014 12:09 p.m., Marcus Kool wrote:
>> With OpenSSL 1.0.1e-fips :
>>
>> openssl s_client -connect www.taxdisc.service.gov.uk:443
>> fails (tries TLS1.2)
>> openssl s_client -connect www.taxdisc.service.gov.uk:443 -ssl3
>> works
>>
>> The webmail server of my ISP works like this: it uses only TLS1.0,
>> so no TLS1.1 or TLS1.2, but with openssl s_client -connect
>> WEBMAIL:443 -tls1_2 the connection is automagically downgraded to
>> TLS1.0.  taxdisc does not do this. Taxdisc does not negotiate, so
>> the client must guess the desired protocol (SSL3 or TLS1.0) and use
>> that.
>>
>> I do not know all details about TLS and downgrading rules but the
>> server seems broken to me.
>
> It is clearly not supporting TLS at all. TLS mandates that endpoints
> offer the highest TLS version they support, and the mutual highest is
> used. SSLv3 is not on that scale of TLS 1.0+ versions.
>
> Client implementations usually treat rejection of all TLS versions
> down to 1.0 as a signal that SSL handshake is required instead, abort
> and retry with SSLv3-only...

Indeed, but taxdisc supports both SSL3 _and_ TLS1.0 ...
Unfortunately, taxdisc (TLS1.0) and the client (TLS1.2) cannot negotiate to
use TLS1.0.

Although "openssl s_client -connect www.taxdisc.service.gov.uk:443 -tls1_2"
fails, the taxdisc server sends 7 bytes with value 0.
So the negotiation goes wrong, but the question remains what exactly
in the handshake is not understood or undefined.

Marcus

>> Firefox knows how to deal with it and Squid not yet.
>
> ... for now anyway. Firefox will be dropping SSLv3 support Nov 25th.
>
> Amos
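As an added illustration of the negotiation rule Amos describes (this is not code from the thread or from Squid): a minimal ClientHello builder and a server-side version selector in both its RFC-compliant form and the "intolerant" form that matches the taxdisc behaviour Marcus reports. The `probe()` helper mirrors running s_client once per `-ssl3`/`-tls1`/`-tls1_1`/`-tls1_2` flag, and `version_intolerant()` flags the pattern of a lower version working while a higher offer fails; all names and values are constructed for the demo.

```python
import struct

# Protocol versions as they appear on the wire (major, minor).
VERSIONS = {"SSLv3": (3, 0), "TLS1.0": (3, 1), "TLS1.1": (3, 2), "TLS1.2": (3, 3)}
NAMES = {v: k for k, v in VERSIONS.items()}

def build_client_hello(max_version, ciphers=(0x002F, 0x0035)):
    """Minimal ClientHello record (no extensions); client_version carries max_version.
    The 32-byte random is constructed zeros, which is fine for an offline demo."""
    major, minor = VERSIONS[max_version]
    body = bytes([major, minor]) + bytes(32)                  # client_version + random
    body += b"\x00"                                           # session_id length 0
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)   # cipher_suites
    body += b"\x01\x00"                                       # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body # HandshakeType client_hello(1)
    # Record layer: ContentType handshake(22), record version 3.0 for SSLv3 else 3.1, length.
    return b"\x16" + bytes([major, min(minor, 1)]) + struct.pack("!H", len(handshake)) + handshake

def client_version(record):
    """Extract client_version from a ClientHello record; raise on anything else."""
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    return (record[9], record[10])

def negotiate(server_supported, record, intolerant=False):
    """Server-side version selection. The compliant rule (RFC 5246, appendix E.1):
    pick the highest version the server supports that is not above client_version.
    The intolerant model only proceeds when client_version is supported exactly,
    i.e. it never steps down from a TLS1.2 offer to TLS1.0 or SSLv3."""
    offered = client_version(record)
    supported = sorted(VERSIONS[n] for n in server_supported)
    if intolerant:
        return NAMES[offered] if offered in supported else None
    usable = [v for v in supported if v <= offered]
    return NAMES[usable[-1]] if usable else None

def probe(server_supported, intolerant=False):
    """One ClientHello per maximum version; value is the negotiated version or None."""
    return {name: negotiate(server_supported, build_client_hello(name), intolerant)
            for name in VERSIONS}

def version_intolerant(results):
    """True when some higher offer fails although a lower offer succeeds: the
    fingerprint of a server that cannot negotiate down, as described for taxdisc."""
    order = sorted(VERSIONS, key=VERSIONS.get)
    ok = [results[n] is not None for n in order]
    return any(not ok[i] and any(ok[:i]) for i in range(len(ok)))
```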

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users