Re: [squid-users] SSLBump SSL error

From: Henrik Nordstr�m <henrik_at_henriknordstrom.net>
Date: Sun, 05 Feb 2012 23:45:04 +0100

sön 2012-02-05 klockan 17:52 +0000 skrev Alex Crow:

> One example I know can reproduce this every time is:
>
> https://applyonline.abbeynational.co.uk/olaWeb/OLALogonServlet?action=prepare&application=OnlineBankingRegistrationServlet&js=on

that's a broken server the initial client hello handshake to be SSL2
compatible, but then requires immediate protocol upgrade to SSL3 or
TLSv1, but fails if the initial handshake is SSL3 or TLSv1. OpenSSL in
somewhat current versions by default disable all use pf SSLv2 due to
numerous weaknesses in the SSLv2 protocol and is as result normally
sending an SSL3 client hello handshake.

It's likely to hit problems some newer browsers as well, as SSL/TLS
security is being tightened up.

A workaround is to set ciphers to 'ALL:!COMPLEMENTOFDEFAULT' which
somehow magically enables SSLv2 again. But it's not a very good idea as
it may also enable some SSLv2 related attacks.

Regards
Henrik
Received on Sun Feb 05 2012 - 22:45:46 MST

This archive was generated by hypermail 2.2.0 : Sat Feb 11 2012 - 12:00:02 MST