[squid-users] OT: why does openssl-1.0.1f not like https://www.bnz.co.nz/?

Amos Jeffries squid3 at treenet.co.nz
Thu Nov 13 02:04:21 UTC 2014



On 13/11/2014 11:55 a.m., Jason Haar wrote:
> Hi there
> 
> I just found I cannot connect to https://www.bnz.co.nz/ using curl
> on Ubuntu (7.35 compiled against openssl-1.0.1f), whereas 
> https://www.kiwibank.co.nz/ works fine. I first thought it was due
> to my messing around with ssl-bump, but it happens when I don't go
> through squid too
> 
> I have a CentOS-6 server with curl-7.19 (compiled against 1.0.1e)
> and it works fine. The same happens with "openssl s_client": it
> works on CentOS but not on Ubuntu - so I think it's the root cause
> (unless I call it with either "-ssl3" or "-tls1" - explicitly
> asking for protocols seems to get around the issue with 1.0.1f). It
> looks like www.bnz.co.nz doesn't negotiate SSL/TLS correctly?

Sounds to me like they are using SSLv3 in their server.

> 
> Any SSL guru out there willing to explain why newer command line
> tools don't like www.bnz.co.nz (whereas browsers do - but I hear
> it's because they "double try" in certain error conditions and
> basically workaround this kind of issue)

Lookup "SSLv3 POODLE" for what is happening in that area.

FYI: The browsers all announced deadlines of their next regular update
cycle[1][2][3] for dropping or disabling SSLv3 support. It's a dead
duck walking right now, should be buried by the end of this year.

[1] MSIE 6+ - (not sure exactly if this made it into the Patch Tuesday
set on 12 Nov)
  <https://support.microsoft.com/kb/3009008>

[2] Firefox 34 - 25 Nov

<https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/>

[3] Chrome 39,40 - 'next few months'

<https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4>

Amos
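The symptom Jason describes (the default handshake fails, but pinning `-ssl3` or `-tls1` succeeds) can be told apart from a genuinely SSLv3-only server by probing each version separately. The following Python probe is an added example, not code from the thread or from Squid; it assumes a Python 3.7+ `ssl` module with `TLSVersion` pinning, and it disables certificate verification because it diagnoses negotiation only.

```python
import socket
import ssl

# Probes in the order a client would fall back: (name, min_version, max_version).
# None means "leave the library default", i.e. what plain `openssl s_client` does.
PROBES = [
    ("default", None, None),
    ("tls1_2", ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
    ("tls1_0", ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1),
    ("ssl3", ssl.TLSVersion.SSLv3, ssl.TLSVersion.SSLv3),
]

def handshake(host, port, min_ver=None, max_ver=None, timeout=5.0):
    """One handshake attempt; returns the negotiated version name or None.
    Verification is off on purpose: this diagnoses negotiation, not trust."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        if min_ver is not None:
            ctx.minimum_version = min_ver
        if max_ver is not None:
            ctx.maximum_version = max_ver
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ValueError):
        # OSError covers ssl.SSLError and socket failures; ValueError means the
        # local OpenSSL was built without that protocol version (usual for SSLv3).
        return None

def classify(results):
    """Map {probe name: negotiated version or None} to a verdict string."""
    if results.get("default"):
        return "ok: default handshake negotiated " + results["default"]
    pinned = [n for n, v in results.items() if n != "default" and v]
    if pinned == ["ssl3"]:
        return "sslv3-only: nothing newer is accepted (POODLE-exposed)"
    if pinned:
        return "version-intolerant: works only when pinned to " + ", ".join(pinned)
    return "no handshake succeeded with any probe"

def diagnose(host, port=443, probe=handshake):
    """Run every probe against host:port; returns (results, verdict)."""
    results = {name: probe(host, port, lo, hi) for name, lo, hi in PROBES}
    return results, classify(results)
```

Calling `diagnose("your.server.example")` against a server you operate prints which pinned versions succeed; a "version-intolerant" verdict means the server chokes on a modern ClientHello rather than lacking TLS, which is a server-side fix, not a reason to re-enable SSLv3 on clients.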
