On 1/11/2014 1:39 p.m., Marcus Kool wrote:
> On 10/31/2014 10:12 PM, Amos Jeffries wrote:
>> On 1/11/2014 12:09 p.m., Marcus Kool wrote:
>>> With OpenSSL 1.0.1e-fips :
>>>
>>> openssl s_client -connect www.taxdisc.service.gov.uk:443
>>> fails (tries TLS1.2)
>>> openssl s_client -connect www.taxdisc.service.gov.uk:443 -ssl3
>>> works
>>>
>>> The webmail server of my ISP works like this: it uses only
>>> TLS1.0, so no TLS1.1 or TLS1.2, but with
>>> openssl s_client -connect WEBMAIL:443 -tls1_2 the connection is
>>> automagically downgraded to TLS1.0. taxdisc does not do
>>> this. Taxdisc does not negotiate, so the client must guess
>>> the desired protocol (SSL3 or TLS1.0) and use that.
>>>
>>> I do not know all details about TLS and downgrading rules but
>>> the server seems broken to me.
>>
>> It is clearly not supporting TLS at all. TLS mandates that
>> endpoints offer the highest TLS version they support, and the
>> mutual highest is used. SSLv3 is not on that scale of TLS 1.0+
>> versions.
>>
>> Client implementations usually treat rejection of all TLS versions
>> down to 1.0 as a signal that an SSL handshake is required instead,
>> abort and retry with SSLv3-only...
>
> Indeed, but taxdisc supports both SSL3 _and_ TLS1.0 ...
> Unfortunately, taxdisc (TLS1.0) and the client (TLS1.2) cannot
> negotiate to use TLS1.0.
>
> Although "openssl s_client -connect
> www.taxdisc.service.gov.uk:443 -tls1_2" fails, the taxdisc server
> sends 7 bytes with value 0. So the negotiation goes wrong, but
> the question remains what exactly in the handshake is not
> understood or undefined.

Probably because the TLS/1.0 handshakes which "work" require the RC4-MD5
encryption algorithm. MD5 has been broken for a very long time. Until
POODLE, SSLv3 was possibly more secure.

I can't confirm that because none of the tools I work with will use SSLv3
anymore :-P

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users