SSL Check

Forums › Off topic › SSL Check

SteveON

1916 posts

Uber Geek

#66593 20-Aug-2010 13:59

Hey guys,

I have posted this in general because there is more traffic here and I am looking for people from overseas...

Recently some clients of ours are having SSL issues, it used to be only on OSX/Chrome but some PCs are giving the issues on the latest Firefox.

Could you visit our secure site? And if you are overseas please comment if you have any issues.
https://www.privatebox.co.nz/member/

Thanks.

1 | 2

meow
13241 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#370371 20-Aug-2010 16:02

Not having any problems here, using Chrome on Debian Linux;

But Chrome on OSX is a tad different;

EDIT: Just thought I would add, this is from work for me, and Firefox on Debian likes your site, can't test any other browser on my OSX Machine since it's just a fresh install.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

freitasm

BDFL - Memuneh
79263 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#370418 20-Aug-2010 18:19

Still having problems with this certificate? You asked about this before...

SteveON

1916 posts

Uber Geek

#370446 20-Aug-2010 19:14

freitasm: Still having problems with this certificate? You asked about this before...

The cert was changed back and forward testing this, we made some DNS changes and hope the next update will sort this out.

michaelmurfy: Not having any problems here, using Chrome on Debian Linux;

But Chrome on OSX is a tad different;

EDIT: Just thought I would add, this is from work for me, and Firefox on Debian likes your site, can't test any other browser on my OSX Machine since it's just a fresh install.

That's the error we had with the same setup from Australia, I am unsure if this is because the DNS issue or because Chrome has issues, I do know that Chrome on Windows had issues till they fixed it a few months back. But then we just had someone in Poland with the issue on the latest beta version of firefox...

I hope you don't mind if you could check this tomorrow (24hrs away) as the DNS should have updated by then.

Thanks!

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#370528 20-Aug-2010 23:18

Firefox 4 gives me this:

SCM

459 posts

Ultimate Geek

#370529 20-Aug-2010 23:26

Working fine from XP pro box with Fx 3.6.8, IE 8 and Chrome 5.0.375.127

michaelmurfy

meow
13241 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#370542 21-Aug-2010 00:16

Doesn't seem like a DNS Issue:

michael-murphys-macbook:~ mmurphy$ dig privatebox.co.nz

; <<>> DiG 9.6.0-APPLE-P2 <<>> privatebox.co.nz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42885
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;privatebox.co.nz. IN A

;; ANSWER SECTION:
privatebox.co.nz. 600 IN A 119.47.116.250

;; AUTHORITY SECTION:
privatebox.co.nz. 64051 IN NS ns1.nameserver.net.nz.
privatebox.co.nz. 64051 IN NS ns2.nameserver.net.nz.

;; ADDITIONAL SECTION:
ns1.nameserver.net.nz. 188 IN A 119.47.119.1
ns2.nameserver.net.nz. 188 IN A 66.29.25.63

;; Query time: 29 msec
;; SERVER: 202.37.101.1#53(202.37.101.1)
;; WHEN: Sat Aug 21 00:15:47 2010
;; MSG SIZE rcvd: 133

Is this a Dedicated Server or Shared Hosting? The string I get from it:

Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0

tells me it's either a VPS or Dedicated but thought I'd better make sure, if so how have you applied the security certificate?

From what I see, there doesn't appear to be any firewalls in front of it, are you using iptables to limit the traffic in any way?

mentalinc

3228 posts

Uber Geek

Trusted

#370560 21-Aug-2010 07:25

I get the same error as above on firefox 4b3

works fine for IE8.

Do you have some sort of browser checker that provides different browsers different html?

CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB: Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

Quic: https://account.quic.nz/refer/473833 R473833EQKIBX

Samsung

Shop now on Samsung phones, tablets, TVs and more (affiliate link).

SteveON

1916 posts

Uber Geek

#370738 21-Aug-2010 17:56

I think I have found the issue... To be PCI compliant we are required to disable SSL2 and rely on SSL3 which happens to be disabled in these browsers.

I bit of a conflict from what I read: "All SSL/TLS renegotiation is disabled by default in NSS 3.12.5. This will cause programs that attempt to perform renegotiation to experience failures where they formerly experienced successes, and is necessary for them to not be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF."

There was an issue in early versions of chrome which did not accept SSL3 and this may be why the osx issue is still around.

I am not really sure what we can do about this...

michaelmurfy

meow
13241 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#370756 21-Aug-2010 18:42

Ah right, yeah that would be the issue there. Chrome is still giving me issues on OSX with your site.

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#370843 21-Aug-2010 23:11

Steve, just switch to TLS 1.0 instead. It's a hell of a lot more secure, and enabled by default in everything

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#370862 22-Aug-2010 00:16

Hmm. Further research says I am wrong there. You have to somehow disable session renegotiation.

The only thing I could find this this which suggests that you need to upgrade to Apache 2.2.15 (you're on 2.2.9) with OpenSSL 0.9.8m (you're on 0.9.8g).

SteveON

1916 posts

Uber Geek

#370930 22-Aug-2010 10:39

Kyanar: Hmm. Further research says I am wrong there. You have to somehow disable session renegotiation.

The only thing I could find this this which suggests that you need to upgrade to Apache 2.2.15 (you're on 2.2.9) with OpenSSL 0.9.8m (you're on 0.9.8g).

Thanks, Ill let the webdrive guys know and hopefully they can sort it.
I thought this issue was only on some odd browsers but it seems like it is coming about on all the new releases.

Cheers,
Steven.

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#371025 22-Aug-2010 14:34

Yeah, all the latest versions of the browser cores (except Trident) are disabling session renegotiation in its entirety because a recent vulnerability was discovered that allows MITM attacks on servers that try to renegotiate ciphers in the middle of the communications. A new protocol version was rushed through draft phases and is now mandated by the NSS and WebKit maintainers (despite that only bleeding edge servers support it).

Kind of funny when you think about it - the fact that you disabled SSL 2 actually made your server less secure.

SteveON

1916 posts

Uber Geek

#373014 26-Aug-2010 10:03

Thanks guys for your help!

We upgraded the latest version of openSSL and this fixed it, I can't believe how much of an issue this had become considering the last release we had was only 6 months old. But I suppose that is part of running a up-to-date PCI compliant website.

SteveON

1916 posts

Uber Geek

#373017 26-Aug-2010 10:06

Kyanar: Yeah, all the latest versions of the browser cores (except Trident) are disabling session renegotiation in its entirety because a recent vulnerability was discovered that allows MITM attacks on servers that try to renegotiate ciphers in the middle of the communications. A new protocol version was rushed through draft phases and is now mandated by the NSS and WebKit maintainers (despite that only bleeding edge servers support it).

Kind of funny when you think about it - the fact that you disabled SSL 2 actually made your server less secure.

PCI compliance is a funny thing. It has so many issues and conflicts its not funny.

You can make up so much BS when becoming compliant, however if something goes wrong it is your a$$ on the line and a $250,000 fine too.

1 | 2