httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <jor...@redhat.com>
Subject Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL)
Date Mon, 16 Nov 2009 14:51:26 GMT
On Fri, Nov 06, 2009 at 02:00:47AM +0000, Dirk-Willem van Gulik wrote:
> What we really need is 1) a pub/priv key pair of such a cert* (or use  
> attached CSR) of some random domain (ideally expired and with a totally  
> bogus CN valye so we can post the private key publicly) and 2) obviously  
> a browser which support this (but that we can handle).

Rick got me an SGC-enabled test cert (thanks a lot!) - I've installed it 
on box which can be accessed e.g. here:

  https://dougal.manyfish.co.uk/cgi-bin/printenv

with SSLCipherSuite tweaked to enable EXPORT ciphers; it now reads:

  SSLCipherSuite ALL:!ADH:EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

The box is running the RHEL 2.2.3 with the CVE-2009-3555 patch applied, 
so should reject any client-initiated renegotiations.  Note that the 
cert has expired already (intentionally), but is otherwise valid.

I've been trying to find a real browser to do SGC against this but have 
failed - help welcome here!  I've tried old releases of Netscape 4.0x 
but they predate the Verisign root from which the cert was issued, so, 
prerequisite "enable SGC" trust bit in the root CA bundle isn't there.

It seems like the best bet to get a working SGC-enabled browser might be 
Windows 2K or similar vintage with an old "export" (non-US) version of 
MSIE (4/5?).  Can anybody dig out such a best and try loading the above 
page?  

You'd need to verify it was an export version by loading some other SSL 
site and checking the cipher used, and/or verifying that SGC works 
against one of the sites mentioned ealier:

>    https://www.chase.com
>    https://www.wellsfargo.com

Regards, Joe

Mime
View raw message