
Mailing List Archive: Apache: Dev

Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL)

 

 



dirkx at webweaving

Nov 5, 2009, 5:38 PM

Post #1 of 9 (260 views)
Permalink
Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL)

So with Joe his patch doing the right thing it seems (would be nice if
we could get Ben or the OpenSSL guys to confirm that) - that we probably
only have the step up 'Server Gated Certs'* left to check.

Does anyone have such a beast for testing ?

or Rick - could you help us here ?

Thanks,

Dw.

*: these are basically server certs with a special flag; causing
export-grade browsers to reconnect with the export restrictions
lifted and then re-negotiating a longer session key.


shenson at oss-institute

Nov 5, 2009, 5:52 PM

Post #2 of 9 (257 views)
Permalink
Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL) [In reply to]

Dirk-Willem van Gulik wrote:
> we probably
> only have the step up 'Server Gated Certs'* left to check.
>
> Does anyone have such a beast for testing ?
>

There are two separate types used by Mozilla (Step up?) and Microsoft SSL/TLS
(SGC?) implementations IIRC. One completes the handshake then starts a new
session the second cuts it half way through.

Been many years since I looked at those though. I recall having to alter the
state machine to accommodate the Microsoft flavour. (Checks code, yes look for
SGC comments in there)

Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org


dirkx at webweaving

Nov 5, 2009, 6:00 PM

Post #3 of 9 (256 views)
Permalink
Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL) [In reply to]

Andrews, Rick wrote:

> https://www.chase.com
> https://www.wellsfargo.com
>
> But I suppose you'll need to locate an old international browser that
> does step up, right? Most modern browsers will start with strong crypto
> and don't need to step up.

What we really need is 1) a pub/priv key pair of such a cert* (or use
attached CSR) of some random domain (ideally expired and with a totally
bogus CN value so we can post the private key publicly) and 2) obviously
a browser which supports this (but that we can handle).

As we need to plug it into Joe his patched apache to see if it will
still allow that initial re-negotiation; but block later re-negotiation.

Dw

*: Unless someone can tell me how to make the right thing
with openssl; I cannot figure out how to do the extension
file right - and think it is not an option.


dirkx at webweaving

Nov 5, 2009, 6:07 PM

Post #4 of 9 (256 views)
Permalink
Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL) [In reply to]

Dr Stephen Henson wrote:

> There are two separate types used by Mozilla (Step up?) and Microsoft SSL/TLS
> (SGC?) implementations IIRC. One completes the handshake then starts a new
> session the second cuts it half way through.
>
> Been many years since I looked at those though. I recall having to alter the
> state machine to accommodate the Microsoft flavour. (Checks code, yes look for
> SGC comments in there)

You aware of any command line tool which implements either or both ?

Dw


dirkx at webweaving

Nov 5, 2009, 6:19 PM

Post #5 of 9 (247 views)
Permalink
Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL) [In reply to]

Dr Stephen Henson wrote:

> There are two separate types used by Mozilla (Step up?) and Microsoft SSL/TLS
> (SGC?) implementations IIRC. One completes the handshake then starts a new
> session the second cuts it half way through.
>
> Been many years since I looked at those though. I recall having to alter the
> state machine to accommodate the Microsoft flavour. (Checks code, yes look for
> SGC comments in there)

Actually Steve - you may know - what besides the obvious

extendedKeyUsage=nsSGC,msSGC

in the extension file needs to go into a sub-ca below a
self-signed-root-chain to make the browsers dance ? Or have they
hardcoded in some specific CA or similar ? Or is there a test case in
openssl which is useful here ? As that would let us do decent tests script.

Thanks,

Dw


dirkx at webweaving

Nov 5, 2009, 6:21 PM

Post #6 of 9 (247 views)
Permalink
Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL) [In reply to]

Dirk-Willem van Gulik wrote:

> Actually Steve - you may know - what besides the obvious
>
> extendedKeyUsage=nsSGC,msSGC
>
> in the extension file needs to go into a sub-ca below a
> self-signed-root-chain to make the browsers dance ? Or have they
> hardcoded in some specific CA or similar ? Or is there a test case in
> openssl which is useful here ? As that would let us do decent tests script.

Hmm - just found

http://www.modssl.org/docs/apachecon2001/slide-010-n.html

which seems to be one of the few places on the web; which suggests that
special tagging in the browser is happening on a per-CA level.

Is that indeed the case? That would suggest that we do need the help of
a CA to do proper testing.

Dw.


shenson at oss-institute

Nov 5, 2009, 7:09 PM

Post #7 of 9 (247 views)
Permalink
Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL) [In reply to]

Dirk-Willem van Gulik wrote:
> Dirk-Willem van Gulik wrote:
>
>> Actually Steve - you may know - what besides the obvious
>>
>> extendedKeyUsage=nsSGC,msSGC
>>
>> in the extension file needs to go into a sub-ca below a
>> self-signed-root-chain to make the browsers dance ? Or have they
>> hardcoded in some specific CA or similar ? Or is there a test case in
>> openssl which is useful here ? As that would let us do decent tests
>> script.
>
> Hmm - just found
>
> http://www.modssl.org/docs/apachecon2001/slide-010-n.html
>
> which seems to be one of the few places on the web; which suggests that
> special tagging in the browser is happening on a per-CA level.
>
> Is that indeed the case? That would suggest that we do need the help of
> a CA to do proper testing.
>

Some of it is coming back to me now ;-)

If any old CA (including user installed ones) could do SGC and/or Step Up then
there wouldn't be much point as the whole idea was to restrict who could use
strong cryptography, prompted by the export laws of the time.

You needed EKU extensions in each intermediate CA and the EE certificate in the
chain (it was optional in the root) *and* the root CA had to be authorised to do
SGC/Step Up.

As I recall you could flip a bit/byte in the NSS certificate database to do
this, I think that is documented somewhere. Caused quite a fuss at the time when
this was discovered. In these more enlightened times you may be able to do the
same with NSS tools.

I recall doing experiments with MS CryptoAPI to enable SGC: that was many
versions of Windows and MSIE ago though. You couldn't just flip a bit with that:
it was hard coded to one root.

I also remember that Netscape (as it was then) would only do Step up while MSIE
would do Step Up or SGC depending on whether the nsSGC or msSGC EKUs were
present in the chain.

SGC doesn't actually renegotiate in the normal sense at all. It just sends
another client hello before completing the first handshake. That was why OpenSSL
needed to be modified to support it: it was a technical violation of the protocol.

Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
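
Added example, not part of the original post and not OpenSSL or mod_ssl code: a simplified C model of the distinction described above, where a second ClientHello sent before the first handshake finishes (SGC) is classified separately from one sent after a completed handshake (Step Up style renegotiation). The message names, the policy flags and the one-restart limit are assumptions of this sketch.

```c
#include <stdio.h>
/* Client handshake messages as the server sees them (simplified model). */
enum msg { CLIENT_HELLO, CLIENT_KEY_EXCHANGE, CLIENT_FINISHED };
enum verdict { V_PLAIN, V_SGC_RESTART, V_RENEGOTIATION, V_MALFORMED };
/* Hypothetical policy knobs for this sketch, not mod_ssl directives. */
struct policy { int allow_sgc_restart; int allow_client_reneg; };
/* Classify one connection's trace; *accepted = did the policy let it complete. */
enum verdict classify(const enum msg *m, size_t n, struct policy p, int *accepted)
{
    int in_hs = 0, done = 0, restarts = 0, got_cke = 0;
    enum verdict v = V_PLAIN;
    *accepted = 0;
    for (size_t i = 0; i < n; i++) {
        switch (m[i]) {
        case CLIENT_HELLO:
            if (in_hs) {            /* hello before Finished: SGC-style restart */
                if (++restarts > 1) return V_MALFORMED; /* sketch allows one */
                v = V_SGC_RESTART;
                if (!p.allow_sgc_restart) return v;
            } else if (done) {      /* hello after Finished: renegotiation */
                v = V_RENEGOTIATION;
                if (!p.allow_client_reneg) return v;
            }
            in_hs = 1; got_cke = 0;
            break;
        case CLIENT_KEY_EXCHANGE:
            if (!in_hs || got_cke) return V_MALFORMED;
            got_cke = 1;
            break;
        case CLIENT_FINISHED:
            if (!in_hs || !got_cke) return V_MALFORMED;
            in_hs = 0; done = 1;
            break;
        }
    }
    *accepted = done && !in_hs;
    return v;
}

int main(void)
{
    /* Constructed trace: a full handshake, then a second one (Step Up style). */
    enum msg t[] = { CLIENT_HELLO, CLIENT_KEY_EXCHANGE, CLIENT_FINISHED,
                     CLIENT_HELLO, CLIENT_KEY_EXCHANGE, CLIENT_FINISHED };
    int ok;
    /* { 1, 0 }: tolerate the SGC restart, refuse client renegotiation. */
    enum verdict v = classify(t, 6, (struct policy){ 1, 0 }, &ok);
    printf("verdict=%d accepted=%d\n", (int)v, ok);
    return 0;
}
```

In this model a server that refuses client-initiated renegotiation stops the Step Up style trace at the second ClientHello, while the SGC restart is a separate decision because no handshake had completed yet.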


shenson at oss-institute

Nov 8, 2009, 4:47 AM

Post #8 of 9 (225 views)
Permalink
Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL) [In reply to]

Dirk-Willem van Gulik wrote:
> Dirk-Willem van Gulik wrote:
>
>> Actually Steve - you may know - what besides the obvious
>>
>> extendedKeyUsage=nsSGC,msSGC
>>
>> in the extension file needs to go into a sub-ca below a
>> self-signed-root-chain to make the browsers dance ? Or have they
>> hardcoded in some specific CA or similar ? Or is there a test case in
>> openssl which is useful here ? As that would let us do decent tests
>> script.
>
> Hmm - just found
>
> http://www.modssl.org/docs/apachecon2001/slide-010-n.html
>
> which seems to be one of the few places on the web; which suggests that
> special tagging in the browser is happening on a per-CA level.
>
> Is that indeed the case? That would suggest that we do need the help of
> a CA to do proper testing.
>

Actually now I think of this there is another issue. In SGC/Step Up an export
grade browser would first connect using weak crypto (because that was the
strongest algorithm it would support generally) and (if the certificate was
authorised) step up to strong crypto.

Now that browsers can connect with strong crypto from the start there isn't a
great deal of point doing that any more. In fact there's a good reason not to:
the double handshake with Step Up ends up performing two expensive server
private key operations compared to one in a normal handshake.

Do any countries still have browsers restricted to weak crypto and that might
use Step Up or SGC?

If so you also need an appropriate browser to test it...

Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org


jorton at redhat

Nov 16, 2009, 6:51 AM

Post #9 of 9 (107 views)
Permalink
Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL) [In reply to]

On Fri, Nov 06, 2009 at 02:00:47AM +0000, Dirk-Willem van Gulik wrote:
> What we really need is 1) a pub/priv key pair of such a cert* (or use
> attached CSR) of some random domain (ideally expired and with a totally
> bogus CN value so we can post the private key publicly) and 2) obviously
> a browser which supports this (but that we can handle).

Rick got me an SGC-enabled test cert (thanks a lot!) - I've installed it
on a box which can be accessed e.g. here:

https://dougal.manyfish.co.uk/cgi-bin/printenv

with SSLCipherSuite tweaked to enable EXPORT ciphers; it now reads:

SSLCipherSuite ALL:!ADH:EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

The box is running the RHEL 2.2.3 with the CVE-2009-3555 patch applied,
so should reject any client-initiated renegotiations. Note that the
cert has expired already (intentionally), but is otherwise valid.

I've been trying to find a real browser to do SGC against this but have
failed - help welcome here! I've tried old releases of Netscape 4.0x
but they predate the Verisign root from which the cert was issued, so,
prerequisite "enable SGC" trust bit in the root CA bundle isn't there.

It seems like the best bet to get a working SGC-enabled browser might be
Windows 2K or similar vintage with an old "export" (non-US) version of
MSIE (4/5?). Can anybody dig out such a beast and try loading the above
page?

You'd need to verify it was an export version by loading some other SSL
site and checking the cipher used, and/or verifying that SGC works
against one of the sites mentioned earlier:

> https://www.chase.com
> https://www.wellsfargo.com

Regards, Joe
