# 66593 20-Aug-2010 13:59

Hey guys,

I have posted this in general because there is more traffic here and I am looking for people from overseas...

Recently some clients of ours have been having SSL issues; it used to be only on OSX/Chrome, but some PCs are giving the issues on the latest Firefox.

Could you visit our secure site? And if you are overseas please comment if you have any issues.
https://www.privatebox.co.nz/member/


Thanks. 

Mr Snotty
  # 370371 20-Aug-2010 16:02

Not having any problems here, using Chrome on Debian Linux;



But Chrome on OSX is a tad different;



EDIT: Just thought I would add, this is from work for me, and Firefox on Debian likes your site, can't test any other browser on my OSX Machine since it's just a fresh install.

  # 370446 20-Aug-2010 19:14

freitasm: Still having problems with this certificate? You asked about this before...



The cert was changed back and forward testing this, we made some DNS changes and hope the next update will sort this out.

michaelmurfy: Not having any problems here, using Chrome on Debian Linux;

But Chrome on OSX is a tad different;

EDIT: Just thought I would add, this is from work for me, and Firefox on Debian likes your site, can't test any other browser on my OSX Machine since it's just a fresh install.

That's the error we had with the same setup from Australia. I am unsure if this is because of the DNS issue or because Chrome has issues; I do know that Chrome on Windows had issues till they fixed it a few months back. But then we just had someone in Poland with the issue on the latest beta version of Firefox...

I hope you don't mind if you could check this tomorrow (24hrs away) as the DNS should have updated by then. 


Thanks!

  # 370528 20-Aug-2010 23:18

Firefox 4 gives me this:
SCM
  # 370529 20-Aug-2010 23:26
Working fine from an XP Pro box with Fx 3.6.8, IE 8 and Chrome 5.0.375.127.

Mr Snotty
  # 370542 21-Aug-2010 00:16

Doesn't seem like a DNS Issue:

michael-murphys-macbook:~ mmurphy$ dig privatebox.co.nz

; <<>> DiG 9.6.0-APPLE-P2 <<>> privatebox.co.nz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42885
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;privatebox.co.nz. IN A

;; ANSWER SECTION:
privatebox.co.nz. 600 IN A 119.47.116.250

;; AUTHORITY SECTION:
privatebox.co.nz. 64051 IN NS ns1.nameserver.net.nz.
privatebox.co.nz. 64051 IN NS ns2.nameserver.net.nz.

;; ADDITIONAL SECTION:
ns1.nameserver.net.nz. 188 IN A 119.47.119.1
ns2.nameserver.net.nz. 188 IN A 66.29.25.63

;; Query time: 29 msec
;; SERVER: 202.37.101.1#53(202.37.101.1)
;; WHEN: Sat Aug 21 00:15:47 2010
;; MSG SIZE  rcvd: 133


Is this a Dedicated Server or Shared Hosting? The string I get from it:
Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0

tells me it's either a VPS or Dedicated but thought I'd better make sure, if so how have you applied the security certificate?

From what I see, there don't appear to be any firewalls in front of it. Are you using iptables to limit the traffic in any way?

  # 370560 21-Aug-2010 07:25

I get the same error as above on Firefox 4b3.

Works fine for IE8.

Do you have some sort of browser checker that provides different browsers different html?

  # 370738 21-Aug-2010 17:56

I think I have found the issue... To be PCI compliant we are required to disable SSL2 and rely on SSL3, which happens to be disabled in these browsers.

A bit of a conflict from what I read: "All SSL/TLS renegotiation is disabled by default in NSS 3.12.5. This will cause programs that attempt to perform renegotiation to experience failures where they formerly experienced successes, and is necessary for them to not be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF."

There was an issue in early versions of Chrome which did not accept SSL3, and this may be why the OSX issue is still around.

I am not really sure what we can do about this...

Mr Snotty
  # 370756 21-Aug-2010 18:42

Ah right, yeah that would be the issue there. Chrome is still giving me issues on OSX with your site.

  # 370843 21-Aug-2010 23:11

Steve, just switch to TLS 1.0 instead. It's a hell of a lot more secure, and enabled by default in everything.

  # 370862 22-Aug-2010 00:16

Hmm. Further research says I am wrong there. You have to somehow disable session renegotiation.

The only thing I could find is this, which suggests that you need to upgrade to Apache 2.2.15 (you're on 2.2.9) with OpenSSL 0.9.8m (you're on 0.9.8g).

  # 370930 22-Aug-2010 10:39

Kyanar: Hmm. Further research says I am wrong there. You have to somehow disable session renegotiation.

The only thing I could find is this, which suggests that you need to upgrade to Apache 2.2.15 (you're on 2.2.9) with OpenSSL 0.9.8m (you're on 0.9.8g).


Thanks, I'll let the WebDrive guys know and hopefully they can sort it.
I thought this issue was only on some odd browsers, but it seems like it is coming about on all the new releases.


Cheers,
Steven. 

  # 371025 22-Aug-2010 14:34

Yeah, all the latest versions of the browser cores (except Trident) are disabling session renegotiation in its entirety because a recent vulnerability was discovered that allows MITM attacks on servers that try to renegotiate ciphers in the middle of the communications. A new protocol version was rushed through the draft phases and is now mandated by the NSS and WebKit maintainers (despite the fact that only bleeding-edge servers support it).

Kind of funny when you think about it - the fact that you disabled SSL 2 actually made your server less secure.

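As an added example (not from the thread or from any poster), here is a Python parser that reads a TLS ServerHello record and reports whether the server advertised the RFC 5746 renegotiation_info extension; that extension is what the patched OpenSSL/Apache versions mentioned above send, and its absence is what the NSS- and WebKit-based browsers in this thread were reacting to. The ServerHello bytes are constructed inside the example for offline testing and are not captured from the site under discussion.

```python
import struct

RENEGOTIATION_INFO = 0xFF01   # extension type assigned by RFC 5746
HANDSHAKE, SERVER_HELLO = 22, 2

def parse_server_hello(record: bytes) -> dict:
    """Return version, cipher suite and whether renegotiation_info was sent."""
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    off = 2 + 32                          # protocol version + 32-byte server random
    off += 1 + msg[off]                   # session_id length byte + session_id
    (cipher,) = struct.unpack("!H", msg[off:off + 2])
    off += 3                              # cipher suite (2) + compression method (1)
    exts = {}
    if off < len(msg):                    # extensions block is optional; old servers omit it
        (ext_total,) = struct.unpack("!H", msg[off:off + 2])
        off += 2
        end = off + ext_total
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", msg[off:off + 4])
            off += 4
            exts[etype] = msg[off:off + elen]
            off += elen
    return {"version": (msg[0], msg[1]), "cipher_suite": cipher,
            "secure_renegotiation": RENEGOTIATION_INFO in exts}

def build_server_hello(secure_renegotiation: bool) -> bytes:
    """Constructed TLS 1.0 ServerHello for offline testing, not a real capture."""
    exts = b""
    if secure_renegotiation:
        # renegotiation_info carrying an empty renegotiated_connection (initial handshake)
        exts = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
    hello = (b"\x03\x01" + bytes(32)      # version 3.1 (TLS 1.0) + zeroed random
             + b"\x00"                    # empty session_id
             + b"\x00\x2f"                # TLS_RSA_WITH_AES_128_CBC_SHA
             + b"\x00")                   # null compression
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", HANDSHAKE, 3, 1, len(handshake)) + handshake

if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched", parse_server_hello(build_server_hello(patched)))
```

Fed the first record returned by a real server, the same parser tells you whether that server would pass the check the updated browsers apply.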
  # 373014 26-Aug-2010 10:03

Thanks guys for your help!

We upgraded to the latest version of OpenSSL and this fixed it. I can't believe how much of an issue this had become, considering the last release we had was only 6 months old. But I suppose that is part of running an up-to-date PCI compliant website.
  # 373017 26-Aug-2010 10:06

Kyanar: Yeah, all the latest versions of the browser cores (except Trident) are disabling session renegotiation in its entirety because a recent vulnerability was discovered that allows MITM attacks on servers that try to renegotiate ciphers in the middle of the communications. A new protocol version was rushed through the draft phases and is now mandated by the NSS and WebKit maintainers (despite the fact that only bleeding-edge servers support it).

Kind of funny when you think about it - the fact that you disabled SSL 2 actually made your server less secure.


PCI compliance is a funny thing. It has so many issues and conflicts it's not funny.

You can make up so much BS when becoming compliant, however if something goes wrong it is your a$$ on the line and a $250,000 fine too.