[squid-users] SSL bump fails accessing .gov.uk servers

Marcus Kool marcus.kool at urlfilterdb.com
Sat Nov 1 00:39:59 UTC 2014



On 10/31/2014 10:12 PM, Amos Jeffries wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 1/11/2014 12:09 p.m., Marcus Kool wrote:
>> With OpenSSL 1.0.1e-fips :
>>
>> openssl s_client -connect www.taxdisc.service.gov.uk:443
>> fails (tries TLS1.2);
>> openssl s_client -connect www.taxdisc.service.gov.uk:443 -ssl3
>> works.
>>
>> The webmail server of my ISP works like this: it uses only TLS1.0,
>> so no TLS1.1 or TLS1.2, but with openssl s_client -connect
>> WEBMAIL:443 -tls1_2 the connection is automagically downgraded to
>> TLS1.0.  taxdisc does not do this. Taxdisc does not negotiate, so
>> the client must guess the desired protocol (SSL3 or TLS1.0) and use
>> that.
>>
>> I do not know all details about TLS and downgrading rules but the
>> server seems broken to me.
>
>
> It is clearly not supporting TLS at all. TLS mandates that endpoints
> offer the highest TLS version they support, and the mutual highest is
> used. SSLv3 is not on that scale of TLS 1.0+ versions.
>
> Client implementations usually treat rejection of all TLS versions
> down to 1.0 as a signal that SSL handshake is required instead, abort
> and retry with SSLv3-only...

Indeed, but taxdisc supports both SSL3 _and_ TLS1.0 ...
Unfortunately, taxdisc (TLS1.0) and the client (TLS1.2) cannot negotiate to
use TLS1.0.

Although "openssl s_client -connect www.taxdisc.service.gov.uk:443 -tls1_2"
fails, the taxdisc server sends 7 bytes with value 0.
So the negotiation goes wrong, but the question remains what exactly
in the handshake is not understood or undefined.

Marcus

>> Firefox knows how to deal with it and Squid does not yet.
>
> ... for now anyway. Firefox will be dropping SSLv3 support Nov 25th.
>
> Amos
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (MingW32)
>
> iQEcBAEBAgAGBQJUVCVsAAoJELJo5wb/XPRj1rIIAIacxp8gQYhtIA49/+k9c2D9
> cO+vnAhADOsIqg2qwtZKRXCYcpAba/s8IeiiouvcowTV54+6GCZ3yyP7uIztwEY3
> x+Li2/VKdRYOSLf6QgFo4JU8y5garf9cMrqZw7eFS+Qo9GaYu+BZOcrtlzbAAehN
> DqABCRdHkJ+ZtVIC7obVX1fXTnuPlIC3W/QHzc6uGHp75Qs/QAAaV8ugYBMfPpX9
> 5G6gYSG5qMwQ1XMJ5nc14vFQxTxjrpydl4BKn0WhNLrGaDCWGZiOQYKi7ERlorNs
> 7yHzjROpWIxapmUChccHifrFEQIR0vo3vAq5StPad3a3aMMp5SW/scpbGFgW8jw=
> =mtZp
> -----END PGP SIGNATURE-----
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
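The exchange the thread is arguing about, as an added example that is not part of the original message or of Squid: a minimal model of TLS version negotiation that contrasts a spec-conforming server (which, as Amos says, picks the highest mutually supported version, so a TLS1.2 client lands on TLS1.0 without any retry) with a version-intolerant server modelled on Marcus's observation (the offered version must be exactly one the server speaks, otherwise it emits seven zero bytes instead of a ServerHello or alert). The `intolerant_server` function and the fixed zero randoms are constructed assumptions for the demonstration, not a description of the real taxdisc host; the record and handshake layouts follow RFC 5246. The client-side fallback loop shows why a client with a configured floor of TLS1.0 still reaches such a server while a client that only ever offers TLS1.2 fails, and why the floor, not the fallback itself, decides whether SSLv3 is ever offered.

```python
import struct

# Protocol versions as encoded on the wire (major, minor): RFC 6101 / RFC 2246 / RFC 5246.
SSL3_0, TLS1_0, TLS1_1, TLS1_2 = (3, 0), (3, 1), (3, 2), (3, 3)
NAMES = {SSL3_0: "SSLv3", TLS1_0: "TLS1.0", TLS1_1: "TLS1.1", TLS1_2: "TLS1.2"}

CONTENT_HANDSHAKE, CONTENT_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2
ALERT_PROTOCOL_VERSION = 70  # AlertDescription protocol_version, RFC 5246 section 7.2


def build_client_hello(client_max):
    """Minimal ClientHello record whose client_version field carries the highest
    version the client supports (constructed: zero random, a single cipher suite)."""
    body = (struct.pack("!BB", *client_max)
            + b"\x00" * 32          # client random (all zeros: constructed, never for real use)
            + b"\x00"               # session_id length 0
            + b"\x00\x02\x00\x2f"   # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")          # one compression method: null
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # The record-layer version is advisory; TLS1.0 here keeps old servers from choking on the header.
    return bytes([CONTENT_HANDSHAKE]) + struct.pack("!BBH", *TLS1_0, len(handshake)) + handshake


def client_hello_version(record):
    """client_version sits at offset 9: 5-byte record header plus 4-byte handshake header."""
    if len(record) < 11 or record[0] != CONTENT_HANDSHAKE or record[5] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello record")
    return (record[9], record[10])


def conforming_server(client_max, server_min=TLS1_0, server_max=TLS1_0):
    """What the spec requires: answer with the highest mutually supported version, even when
    the client offered something newer than the server knows; below the floor, send a fatal
    protocol_version alert rather than garbage."""
    chosen = min(client_max, server_max)
    if chosen < server_min:
        return bytes([CONTENT_ALERT]) + struct.pack("!BBH", *server_max, 2) + bytes([2, ALERT_PROTOCOL_VERSION])
    body = struct.pack("!BB", *chosen) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + struct.pack("!BBH", *chosen, len(hs)) + hs


def intolerant_server(client_max, supported=(SSL3_0, TLS1_0)):
    """Constructed model of the behaviour reported in the thread (an assumption, not the real
    host): the server only answers when the offered version is exactly one it supports, and
    replies to anything newer with seven zero bytes instead of a ServerHello or an alert."""
    if client_max in supported:
        return conforming_server(client_max, server_min=min(supported), server_max=client_max)
    return b"\x00" * 7


def classify_response(resp):
    """Tell the client what came back: ('ok', version), ('alert', description) or ('junk', None)."""
    if len(resp) >= 11 and resp[0] == CONTENT_HANDSHAKE and resp[5] == HS_SERVER_HELLO:
        return ("ok", (resp[9], resp[10]))
    if len(resp) == 7 and resp[0] == CONTENT_ALERT:
        return ("alert", resp[6])
    return ("junk", None)


def connect_with_fallback(server, client_max=TLS1_2, client_min=TLS1_0):
    """Client-side fallback loop of the kind Amos describes: re-offer successively lower
    versions until one works or the configured floor is reached.
    Returns (negotiated version name or None, list of (offered, outcome))."""
    attempts = []
    v = client_max
    while v >= client_min:
        offered = client_hello_version(build_client_hello(v))  # what the server reads from the hello
        kind, detail = classify_response(server(offered))
        attempts.append((NAMES[v], kind))
        if kind == "ok":
            return NAMES[detail], attempts
        v = (v[0], v[1] - 1)
    return None, attempts


if __name__ == "__main__":
    # ISP webmail case: TLS1.0-only but conforming, so a TLS1.2 offer lands on TLS1.0 at once.
    print("conforming :", connect_with_fallback(conforming_server))
    # taxdisc-style case: TLS1.2 and TLS1.1 offers get junk; TLS1.0 works, SSLv3 never needed.
    print("intolerant :", connect_with_fallback(intolerant_server))
    # A client that only ever offers TLS1.2 (no fallback) cannot reach the intolerant server.
    print("no fallback:", connect_with_fallback(intolerant_server, client_min=TLS1_2))
```

The floor argument matters for the date Amos mentions: with `client_min=TLS1_0` the loop never offers SSLv3 at all, yet still reaches the intolerant server because, as Marcus notes, it does speak TLS1.0; dropping SSLv3 on the client only removes the last rung, not the fallback that actually fixes this case.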