SSL Check

Forums › Off topic › SSL Check

SteveON

1917 posts

Uber Geek
+1 received by user: 110

Topic # 66593 20-Aug-2010 13:59

Hey guys,

I have posted this in general because there is more traffic here and I am looking for people from overseas...

Recently some clients of ours are having SSL issues, it used to be only on OSX/Chrome but some PCs are giving the issues on the latest Firefox.

Could you visit our secure site? And if you are overseas please comment if you have any issues.
https://www.privatebox.co.nz/member/

Thanks.

1 | 2

Meow
7913 posts

Uber Geek
+1 received by user: 3935

Moderator

Trusted

Lifetime subscriber

Reply # 370371 20-Aug-2010 16:02

Not having any problems here, using Chrome on Debian Linux;

But Chrome on OSX is a tad different;

EDIT: Just thought I would add, this is from work for me, and Firefox on Debian likes your site, can't test any other browser on my OSX Machine since it's just a fresh install.

Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router Guide | Community UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial

freitasm

BDFL - Memuneh
61335 posts

Uber Geek
+1 received by user: 12083

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 370418 20-Aug-2010 18:19

Still having problems with this certificate? You asked about this before...

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management

SteveON

1917 posts

Uber Geek
+1 received by user: 110

Reply # 370446 20-Aug-2010 19:14

freitasm: Still having problems with this certificate? You asked about this before...

The cert was changed back and forward testing this, we made some DNS changes and hope the next update will sort this out.

michaelmurfy: Not having any problems here, using Chrome on Debian Linux;

But Chrome on OSX is a tad different;

EDIT: Just thought I would add, this is from work for me, and Firefox on Debian likes your site, can't test any other browser on my OSX Machine since it's just a fresh install.

That's the error we had with the same setup from Australia, I am unsure if this is because the DNS issue or because Chrome has issues, I do know that Chrome on Windows had issues till they fixed it a few months back. But then we just had someone in Poland with the issue on the latest beta version of firefox...

I hope you don't mind if you could check this tomorrow (24hrs away) as the DNS should have updated by then.

Thanks!

Kyanar

3034 posts

Uber Geek
+1 received by user: 466

Trusted

Subscriber

Reply # 370528 20-Aug-2010 23:18

Firefox 4 gives me this:

I finally have fibre! Had to leave the country to get it though.

SCM

457 posts

Ultimate Geek
+1 received by user: 47

Reply # 370529 20-Aug-2010 23:26

Working fine from XP pro box with Fx 3.6.8, IE 8 and Chrome 5.0.375.127

michaelmurfy

Meow
7913 posts

Uber Geek
+1 received by user: 3935

Moderator

Trusted

Lifetime subscriber

Reply # 370542 21-Aug-2010 00:16

Doesn't seem like a DNS Issue:

michael-murphys-macbook:~ mmurphy$ dig privatebox.co.nz

; <<>> DiG 9.6.0-APPLE-P2 <<>> privatebox.co.nz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42885
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;privatebox.co.nz. IN A

;; ANSWER SECTION:
privatebox.co.nz. 600 IN A 119.47.116.250

;; AUTHORITY SECTION:
privatebox.co.nz. 64051 IN NS ns1.nameserver.net.nz.
privatebox.co.nz. 64051 IN NS ns2.nameserver.net.nz.

;; ADDITIONAL SECTION:
ns1.nameserver.net.nz. 188 IN A 119.47.119.1
ns2.nameserver.net.nz. 188 IN A 66.29.25.63

;; Query time: 29 msec
;; SERVER: 202.37.101.1#53(202.37.101.1)
;; WHEN: Sat Aug 21 00:15:47 2010
;; MSG SIZE rcvd: 133

Is this a Dedicated Server or Shared Hosting? The string I get from it:

Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0

tells me it's either a VPS or Dedicated but thought I'd better make sure, if so how have you applied the security certificate?

From what I see, there doesn't appear to be any firewalls in front of it, are you using iptables to limit the traffic in any way?

Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router Guide | Community UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial

mentalinc

1579 posts

Uber Geek
+1 received by user: 154

Trusted

Reply # 370560 21-Aug-2010 07:25

I get the same error as above on firefox 4b3

works fine for IE8.

Do you have some sort of browser checker that provides different browsers different html?

CPU: Intel 3770k| RAM: F3-2400C10D-16GTX G.Skill Trident X |MB: Gigabyte Z77X-UD5H-WB | GFX: GV-N660OC-2GD gv-n660oc-2gd GeForce GTX 660 | Monitor: Qnix 27" 2560x1440

SteveON

1917 posts

Uber Geek
+1 received by user: 110

Reply # 370738 21-Aug-2010 17:56

I think I have found the issue... To be PCI compliant we are required to disable SSL2 and rely on SSL3 which happens to be disabled in these browsers.

I bit of a conflict from what I read: "All SSL/TLS renegotiation is disabled by default in NSS 3.12.5. This will cause programs that attempt to perform renegotiation to experience failures where they formerly experienced successes, and is necessary for them to not be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF."

There was an issue in early versions of chrome which did not accept SSL3 and this may be why the osx issue is still around.

I am not really sure what we can do about this...

michaelmurfy

Meow
7913 posts

Uber Geek
+1 received by user: 3935

Moderator

Trusted

Lifetime subscriber

Reply # 370756 21-Aug-2010 18:42

Ah right, yeah that would be the issue there. Chrome is still giving me issues on OSX with your site.

Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router Guide | Community UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial

Kyanar

3034 posts

Uber Geek
+1 received by user: 466

Trusted

Subscriber

Reply # 370843 21-Aug-2010 23:11

Steve, just switch to TLS 1.0 instead. It's a hell of a lot more secure, and enabled by default in everything

I finally have fibre! Had to leave the country to get it though.

Kyanar

3034 posts

Uber Geek
+1 received by user: 466

Trusted

Subscriber

Reply # 370862 22-Aug-2010 00:16

Hmm. Further research says I am wrong there. You have to somehow disable session renegotiation.

The only thing I could find this this which suggests that you need to upgrade to Apache 2.2.15 (you're on 2.2.9) with OpenSSL 0.9.8m (you're on 0.9.8g).

I finally have fibre! Had to leave the country to get it though.

SteveON

1917 posts

Uber Geek
+1 received by user: 110

Reply # 370930 22-Aug-2010 10:39

Kyanar: Hmm. Further research says I am wrong there. You have to somehow disable session renegotiation.

The only thing I could find this this which suggests that you need to upgrade to Apache 2.2.15 (you're on 2.2.9) with OpenSSL 0.9.8m (you're on 0.9.8g).

Thanks, Ill let the webdrive guys know and hopefully they can sort it.
I thought this issue was only on some odd browsers but it seems like it is coming about on all the new releases.

Cheers,
Steven.

Kyanar

3034 posts

Uber Geek
+1 received by user: 466

Trusted

Subscriber

Reply # 371025 22-Aug-2010 14:34

Yeah, all the latest versions of the browser cores (except Trident) are disabling session renegotiation in its entirety because a recent vulnerability was discovered that allows MITM attacks on servers that try to renegotiate ciphers in the middle of the communications. A new protocol version was rushed through draft phases and is now mandated by the NSS and WebKit maintainers (despite that only bleeding edge servers support it).

Kind of funny when you think about it - the fact that you disabled SSL 2 actually made your server less secure.

I finally have fibre! Had to leave the country to get it though.

SteveON

1917 posts

Uber Geek
+1 received by user: 110

Reply # 373014 26-Aug-2010 10:03

Thanks guys for your help!

We upgraded the latest version of openSSL and this fixed it, I can't believe how much of an issue this had become considering the last release we had was only 6 months old. But I suppose that is part of running a up-to-date PCI compliant website.

SteveON

1917 posts

Uber Geek
+1 received by user: 110

Reply # 373017 26-Aug-2010 10:06

Kyanar: Yeah, all the latest versions of the browser cores (except Trident) are disabling session renegotiation in its entirety because a recent vulnerability was discovered that allows MITM attacks on servers that try to renegotiate ciphers in the middle of the communications. A new protocol version was rushed through draft phases and is now mandated by the NSS and WebKit maintainers (despite that only bleeding edge servers support it).

Kind of funny when you think about it - the fact that you disabled SSL 2 actually made your server less secure.

PCI compliance is a funny thing. It has so many issues and conflicts its not funny.

You can make up so much BS when becoming compliant, however if something goes wrong it is your a$$ on the line and a $250,000 fine too.

1 | 2