Geekzone: technology news, blogs, forums


SteveON

1916 posts

Uber Geek


#66593 20-Aug-2010 13:59

Hey guys,

I have posted this in general because there is more traffic here and I am looking for people from overseas...

Recently some clients of ours have been having SSL issues. It used to be only on OSX/Chrome, but some PCs are giving the issues on the latest Firefox.

Could you visit our secure site? And if you are overseas please comment if you have any issues.
https://www.privatebox.co.nz/member/


Thanks. 

michaelmurfy
meow
13241 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #370371 20-Aug-2010 16:02

Not having any problems here, using Chrome on Debian Linux;



But Chrome on OSX is a tad different;



EDIT: Just thought I would add, this is from work for me, and Firefox on Debian likes your site, can't test any other browser on my OSX Machine since it's just a fresh install.




Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.




freitasm
BDFL - Memuneh
79263 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #370418 20-Aug-2010 18:19

Still having problems with this certificate? You asked about this before...







SteveON

1916 posts

Uber Geek


  #370446 20-Aug-2010 19:14

freitasm: Still having problems with this certificate? You asked about this before...



The cert was changed back and forward testing this, we made some DNS changes and hope the next update will sort this out.

michaelmurfy: Not having any problems here, using Chrome on Debian Linux;


But Chrome on OSX is a tad different;




EDIT: Just thought I would add, this is from work for me, and Firefox on Debian likes your site, can't test any other browser on my OSX Machine since it's just a fresh install.
 

That's the error we had with the same setup from Australia. I am unsure if this is because of the DNS issue or because Chrome has issues; I do know that Chrome on Windows had issues till they fixed it a few months back. But then we just had someone in Poland with the issue on the latest beta version of Firefox...

I hope you don't mind if you could check this tomorrow (24hrs away) as the DNS should have updated by then. 


Thanks!



Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #370528 20-Aug-2010 23:18

Firefox 4 gives me this:


SCM
459 posts

Ultimate Geek


  #370529 20-Aug-2010 23:26

Working fine from XP pro box with Fx 3.6.8, IE 8 and Chrome 5.0.375.127





 

 


michaelmurfy
meow
13241 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #370542 21-Aug-2010 00:16

Doesn't seem like a DNS Issue:

michael-murphys-macbook:~ mmurphy$ dig privatebox.co.nz

; <<>> DiG 9.6.0-APPLE-P2 <<>> privatebox.co.nz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42885
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;privatebox.co.nz. IN A

;; ANSWER SECTION:
privatebox.co.nz. 600 IN A 119.47.116.250

;; AUTHORITY SECTION:
privatebox.co.nz. 64051 IN NS ns1.nameserver.net.nz.
privatebox.co.nz. 64051 IN NS ns2.nameserver.net.nz.

;; ADDITIONAL SECTION:
ns1.nameserver.net.nz. 188 IN A 119.47.119.1
ns2.nameserver.net.nz. 188 IN A 66.29.25.63

;; Query time: 29 msec
;; SERVER: 202.37.101.1#53(202.37.101.1)
;; WHEN: Sat Aug 21 00:15:47 2010
;; MSG SIZE  rcvd: 133


Is this a Dedicated Server or Shared Hosting? The string I get from it:
Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0

tells me it's either a VPS or Dedicated but thought I'd better make sure, if so how have you applied the security certificate?

From what I see, there doesn't appear to be any firewalls in front of it, are you using iptables to limit the traffic in any way? 






mentalinc
3228 posts

Uber Geek

Trusted

  #370560 21-Aug-2010 07:25

I get the same error as above on Firefox 4b3.

Works fine for IE8.

Do you have some sort of browser checker that provides different browsers different html?




CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB:  Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

 

SteveON

1916 posts

Uber Geek


  #370738 21-Aug-2010 17:56

I think I have found the issue... To be PCI compliant we are required to disable SSL2 and rely on SSL3 which happens to be disabled in these browsers.

A bit of a conflict from what I read: "All SSL/TLS renegotiation is disabled by default in NSS 3.12.5. This will cause programs that attempt to perform renegotiation to experience failures where they formerly experienced successes, and is necessary for them to not be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF."

There was an issue in early versions of Chrome which did not accept SSL3 and this may be why the OSX issue is still around.

I am not really sure what we can do about this...

michaelmurfy
meow
13241 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #370756 21-Aug-2010 18:42

Ah right, yeah that would be the issue there. Chrome is still giving me issues on OSX with your site.






Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #370843 21-Aug-2010 23:11

Steve, just switch to TLS 1.0 instead. It's a hell of a lot more secure, and enabled by default in everything

Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #370862 22-Aug-2010 00:16

Hmm. Further research says I am wrong there. You have to somehow disable session renegotiation.

The only thing I could find is this, which suggests that you need to upgrade to Apache 2.2.15 (you're on 2.2.9) with OpenSSL 0.9.8m (you're on 0.9.8g).
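
Added example (not part of Kyanar's post or of the thread): a check of the Server banner quoted earlier against the minimum versions named above, including OpenSSL's letter-suffixed releases (0.9.8g vs 0.9.8m). The function names are illustrative; a distribution build may carry backported fixes under an older banner version, so a "below minimum" result is a prompt to check the package changelog.

```python
import re

# Minimum versions quoted in the thread: Apache 2.2.15 with OpenSSL 0.9.8m.
MINIMUMS = {"Apache": "2.2.15", "OpenSSL": "0.9.8m"}

# Server banner exactly as posted earlier in the thread.
BANNER = ("Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch "
          "mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g "
          "mod_perl/2.0.4 Perl/v5.10.0")


def parse_banner(banner):
    """Return {product: version} for each product/version token in a banner."""
    return dict(re.findall(r"([A-Za-z_]+)/v?(\S+)", banner))


def version_key(version):
    """Sortable key: '0.9.8g' -> ((0, 9, 8), 'g'), '2.2.15' -> ((2, 2, 15), '')."""
    m = re.match(r"(\d+(?:\.\d+)*)([a-z]*)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    numbers = tuple(int(part) for part in m.group(1).split("."))
    # The trailing letter orders OpenSSL patch releases: 'g' sorts before 'm'.
    return (numbers, m.group(2))


def audit(banner, minimums=MINIMUMS):
    """Map each product to (reported, minimum, ok).

    ok is None when the banner does not disclose the product, which says
    nothing either way about the installed version.
    """
    found = parse_banner(banner)
    report = {}
    for product, minimum in minimums.items():
        reported = found.get(product)
        ok = None
        if reported is not None:
            ok = version_key(reported) >= version_key(minimum)
        report[product] = (reported, minimum, ok)
    return report


if __name__ == "__main__":
    for product, (reported, minimum, ok) in audit(BANNER).items():
        state = {True: "meets minimum", False: "below minimum", None: "not disclosed"}[ok]
        print("%-8s reported=%s minimum=%s -> %s" % (product, reported, minimum, state))
```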

SteveON

1916 posts

Uber Geek


  #370930 22-Aug-2010 10:39

Kyanar: Hmm. Further research says I am wrong there. You have to somehow disable session renegotiation.

The only thing I could find is this, which suggests that you need to upgrade to Apache 2.2.15 (you're on 2.2.9) with OpenSSL 0.9.8m (you're on 0.9.8g).


Thanks, I'll let the webdrive guys know and hopefully they can sort it.
I thought this issue was only on some odd browsers but it seems like it is coming about on all the new releases.


Cheers,
Steven. 

Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #371025 22-Aug-2010 14:34

Yeah, all the latest versions of the browser cores (except Trident) are disabling session renegotiation in its entirety because a recent vulnerability was discovered that allows MITM attacks on servers that try to renegotiate ciphers in the middle of the communications. A new protocol version was rushed through draft phases and is now mandated by the NSS and WebKit maintainers (despite that only bleeding edge servers support it).

Kind of funny when you think about it - the fact that you disabled SSL 2 actually made your server less secure.

SteveON

1916 posts

Uber Geek


  #373014 26-Aug-2010 10:03

Thanks guys for your help!

We upgraded to the latest version of OpenSSL and this fixed it. I can't believe how much of an issue this had become considering the last release we had was only 6 months old. But I suppose that is part of running an up-to-date PCI compliant website.

SteveON

1916 posts

Uber Geek


  #373017 26-Aug-2010 10:06

Kyanar: Yeah, all the latest versions of the browser cores (except Trident) are disabling session renegotiation in its entirety because a recent vulnerability was discovered that allows MITM attacks on servers that try to renegotiate ciphers in the middle of the communications. A new protocol version was rushed through draft phases and is now mandated by the NSS and WebKit maintainers (despite that only bleeding edge servers support it).

Kind of funny when you think about it - the fact that you disabled SSL 2 actually made your server less secure.


PCI compliance is a funny thing. It has so many issues and conflicts it's not funny.

You can make up so much BS when becoming compliant, however if something goes wrong it is your a$$ on the line and a $250,000 fine too.
