httpd-dev mailing list archives

From Dr Stephen Henson <>
Subject Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL)
Date Fri, 06 Nov 2009 03:09:07 GMT
Dirk-Willem van Gulik wrote:
> Dirk-Willem van Gulik wrote:
>> Actually Steve - you may know - what besides the obvious
>> extendedKeyUsage=nsSGC,msSGC
>> in the extension file needs to go into a sub-ca below a
>> self-signed-root-chain to make the browsers dance ? Or have they
>> hardcoded in some specific CA or similar ? Or is there a test case in
>> openssl which is useful here ? As that would let us do decent tests
>> script.
> Hmm - just found
> which seems to be one of the few places on the web; which suggest that
> special tagging in the browser is happening on a per-CA level.
> Is that indeed the case? That would suggest that we do need the help of
> a CA to do proper testing.

Some of it is coming back to me now ;-)

If any old CA (including user installed ones) could do SGC and/or Step Up then
there wouldn't be much point as the whole idea was to restrict who could use
strong cryptography, prompted by the export laws of the time.

You needed EKU extensions in each intermediate CA and the EE certificate in the
chain (it was optional in the root) *and* the root CA had to be authorised to do
SGC/Step Up.

As I recall you could flip a bit/byte in the NSS certificate database to do
this, I think that is documented somewhere. Caused quite a fuss at the time when
this was discovered. In these more enlightened times you may be able to do the
same with NSS tools.

I recall doing experiments with MS CryptoAPI to enable SGC: that was many
versions of Windows and MSIE ago though. You couldn't just flip a bit with that:
it was hard coded to one root.

I also remember that Netscape (as it was then) would only do Step Up while MSIE
would do Step Up or SGC depending on whether the nsSGC or msSGC EKUs were
present in the chain.

SGC doesn't actually renegotiate in the normal sense at all. It just sends
another client hello before completing the first handshake. That was why OpenSSL
needed to be modified to support it: it was a technical violation of the protocol.

Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute:
OpenSSL Core team:
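
An added example, not part of the original message or of OpenSSL's test suite: a shell sketch that builds a throwaway root, sub-CA and server chain with the `extendedKeyUsage=nsSGC,msSGC` setting quoted in the thread, then checks that every intermediate and the end-entity certificate carry the EKU. Subject names, file names and function names are constructed for illustration; this covers only the certificate side, since the message says the root also had to be authorised in the browser.

```bash
# Added example: test chain carrying the SGC/Step Up EKUs. All names are constructed.
set -eu

build_sgc_chain() {   # $1 = output directory
  local d="$1"
  mkdir -p "$d"
  cat > "$d/ext.cnf" <<'EOF'
[ subca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = nsSGC,msSGC
[ server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth,nsSGC,msSGC
EOF
  # Self-signed root: the EKU is optional here, so it is left out.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test SGC Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Sub-CA and end-entity certificate, each issued with the SGC EKUs.
  issue "$d" sub    root "/CN=Test SGC Sub CA"  subca
  issue "$d" server sub  "/CN=sgc.test.example" server
}

issue() {   # dir, name, issuer name, subject, extension section
  openssl req -newkey rsa:2048 -nodes -subj "$4" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -days 2 -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -extfile "$1/ext.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

has_sgc_eku() {   # succeeds if the certificate carries nsSGC or msSGC
  openssl x509 -in "$1" -noout -text | grep -q "Server Gated Crypto"
}

chain_has_sgc_eku() {   # every certificate passed in must carry the EKU
  local c
  for c in "$@"; do has_sgc_eku "$c" || return 1; done
}
```

Call `build_sgc_chain DIR`, then `chain_has_sgc_eku DIR/sub.pem DIR/server.pem`; pass only the intermediates and the end-entity certificate, because the root is exempt from the EKU requirement.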
