Geekzone: technology news, blogs, forums


1917 posts

Uber Geek
+1 received by user: 110


Topic # 66593 20-Aug-2010 13:59

Hey guys,

I have posted this in general because there is more traffic here and I am looking for people from overseas...

Recently some clients of ours have been having SSL issues. It used to be only on OSX/Chrome, but some PCs are giving the issues on the latest Firefox.

Could you visit our secure site? If you are overseas, please comment if you have any issues.
https://www.privatebox.co.nz/member/


Thanks. 

Meow
7913 posts

Uber Geek
+1 received by user: 3935

Moderator
Trusted
Lifetime subscriber

  Reply # 370371 20-Aug-2010 16:02

Not having any problems here, using Chrome on Debian Linux;



But Chrome on OSX is a tad different;



EDIT: Just thought I would add that this is from work for me, and Firefox on Debian likes your site. I can't test any other browser on my OSX machine since it's just a fresh install.




BDFL - Memuneh
61335 posts

Uber Geek
+1 received by user: 12083

Administrator
Trusted
Geekzone
Lifetime subscriber



1917 posts

Uber Geek
+1 received by user: 110


  Reply # 370446 20-Aug-2010 19:14

freitasm: Still having problems with this certificate? You asked about this before...



The cert was changed back and forth while testing this; we made some DNS changes and hope the next update will sort this out.

michaelmurfy: Not having any problems here, using Chrome on Debian Linux;


But Chrome on OSX is a tad different;




EDIT: Just thought I would add that this is from work for me, and Firefox on Debian likes your site. I can't test any other browser on my OSX machine since it's just a fresh install.
 

That's the error we had with the same setup from Australia. I am unsure if this is because of the DNS issue or because Chrome has issues; I do know that Chrome on Windows had issues until they fixed it a few months back. But then we just had someone in Poland with the issue on the latest beta version of Firefox...

I hope you don't mind checking this tomorrow (24 hrs away), as the DNS should have updated by then.


Thanks!

3034 posts

Uber Geek
+1 received by user: 466

Trusted
Subscriber

  Reply # 370528 20-Aug-2010 23:18

Firefox 4 gives me this:





I finally have fibre!  Had to leave the country to get it though.


SCM

457 posts

Ultimate Geek
+1 received by user: 47


  Reply # 370529 20-Aug-2010 23:26

Working fine from an XP Pro box with Fx 3.6.8, IE 8 and Chrome 5.0.375.127.





 

 


Meow
7913 posts

Uber Geek
+1 received by user: 3935

Moderator
Trusted
Lifetime subscriber

  Reply # 370542 21-Aug-2010 00:16

Doesn't seem like a DNS issue:

michael-murphys-macbook:~ mmurphy$ dig privatebox.co.nz

; <<>> DiG 9.6.0-APPLE-P2 <<>> privatebox.co.nz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42885
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;privatebox.co.nz. IN A

;; ANSWER SECTION:
privatebox.co.nz. 600 IN A 119.47.116.250

;; AUTHORITY SECTION:
privatebox.co.nz. 64051 IN NS ns1.nameserver.net.nz.
privatebox.co.nz. 64051 IN NS ns2.nameserver.net.nz.

;; ADDITIONAL SECTION:
ns1.nameserver.net.nz. 188 IN A 119.47.119.1
ns2.nameserver.net.nz. 188 IN A 66.29.25.63

;; Query time: 29 msec
;; SERVER: 202.37.101.1#53(202.37.101.1)
;; WHEN: Sat Aug 21 00:15:47 2010
;; MSG SIZE  rcvd: 133


Is this a dedicated server or shared hosting? The string I get from it:
Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0

tells me it's either a VPS or dedicated, but I thought I'd better make sure; if so, how have you applied the security certificate?

From what I see, there don't appear to be any firewalls in front of it. Are you using iptables to limit the traffic in any way?




1579 posts

Uber Geek
+1 received by user: 154

Trusted

  Reply # 370560 21-Aug-2010 07:25

I get the same error as above on Firefox 4b3.

Works fine for IE8.

Do you have some sort of browser checker that provides different browsers different html?




CPU: Intel 3770k| RAM: F3-2400C10D-16GTX G.Skill Trident X |MB:  Gigabyte Z77X-UD5H-WB | GFX: GV-N660OC-2GD gv-n660oc-2gd GeForce GTX 660 | Monitor: Qnix 27" 2560x1440

 

 




1917 posts

Uber Geek
+1 received by user: 110


  Reply # 370738 21-Aug-2010 17:56

I think I have found the issue... To be PCI compliant we are required to disable SSL2 and rely on SSL3, which happens to be disabled in these browsers.

A bit of a conflict from what I read: "All SSL/TLS renegotiation is disabled by default in NSS 3.12.5. This will cause programs that attempt to perform renegotiation to experience failures where they formerly experienced successes, and is necessary for them to not be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF."

There was an issue in early versions of Chrome which did not accept SSL3, and this may be why the OSX issue is still around.

I am not really sure what we can do about this...

Meow
7913 posts

Uber Geek
+1 received by user: 3935

Moderator
Trusted
Lifetime subscriber

  Reply # 370756 21-Aug-2010 18:42

Ah right, yeah that would be the issue there. Chrome is still giving me issues on OSX with your site.




3034 posts

Uber Geek
+1 received by user: 466

Trusted
Subscriber

  Reply # 370843 21-Aug-2010 23:11

Steve, just switch to TLS 1.0 instead. It's a hell of a lot more secure, and enabled by default in everything.




I finally have fibre!  Had to leave the country to get it though.


3034 posts

Uber Geek
+1 received by user: 466

Trusted
Subscriber

  Reply # 370862 22-Aug-2010 00:16

Hmm. Further research says I am wrong there. You have to somehow disable session renegotiation.

The only thing I could find was this, which suggests that you need to upgrade to Apache 2.2.15 (you're on 2.2.9) with OpenSSL 0.9.8m (you're on 0.9.8g).




I finally have fibre!  Had to leave the country to get it though.




1917 posts

Uber Geek
+1 received by user: 110


  Reply # 370930 22-Aug-2010 10:39

Kyanar: Hmm. Further research says I am wrong there. You have to somehow disable session renegotiation.

The only thing I could find was this, which suggests that you need to upgrade to Apache 2.2.15 (you're on 2.2.9) with OpenSSL 0.9.8m (you're on 0.9.8g).


Thanks, I'll let the webdrive guys know and hopefully they can sort it.
I thought this issue was only on some odd browsers, but it seems like it is coming about on all the new releases.


Cheers,
Steven. 

3034 posts

Uber Geek
+1 received by user: 466

Trusted
Subscriber

  Reply # 371025 22-Aug-2010 14:34

Yeah, all the latest versions of the browser cores (except Trident) are disabling session renegotiation in its entirety because a recent vulnerability was discovered that allows MITM attacks on servers that try to renegotiate ciphers in the middle of the communications. A new protocol version was rushed through draft phases and is now mandated by the NSS and WebKit maintainers (despite the fact that only bleeding-edge servers support it).

Kind of funny when you think about it - the fact that you disabled SSL 2 actually made your server less secure.




I finally have fibre!  Had to leave the country to get it though.
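A small audit helper, added here as an example and not code from the thread or from PrivateBox: it checks the Server banner quoted earlier against the Apache 2.2.15 / OpenSSL 0.9.8m minimums Kyanar names, and reads the "Secure Renegotiation IS supported" line that `openssl s_client` prints so a fixed server can be confirmed. The s_client excerpts are constructed; RFC 5746 is the renegotiation-indication extension the post describes as "rushed through draft phases".

```python
import re

# Minimum versions Kyanar names in the thread as carrying the renegotiation fix.
MIN_APACHE = (2, 2, 15)
MIN_OPENSSL = "0.9.8m"

# The Server banner quoted earlier in the thread, used here as sample input.
SAMPLE_SERVER_HEADER = (
    "Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 "
    "Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0"
)

# Constructed excerpts of what `openssl s_client -connect host:443` prints after
# the handshake (real output has many more lines around this one).
SAMPLE_S_CLIENT_OLD = "---\nSSL handshake has read 1342 bytes\nSecure Renegotiation IS NOT supported\n"
SAMPLE_S_CLIENT_NEW = "---\nSSL handshake has read 1342 bytes\nSecure Renegotiation IS supported\n"


def openssl_version_key(version):
    """Turn '0.9.8g' into (0, 9, 8, 'g'); the letter suffix orders patch
    releases within 0.9.8, so 'g' < 'm' and a bare '0.9.8' sorts lowest."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def audit_server_header(header):
    """Return a list of findings for components below the versions the
    thread identifies; an empty list means nothing was flagged."""
    findings = []
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", header)
    if m and tuple(int(g) for g in m.groups()) < MIN_APACHE:
        # 2.2.15 is the mod_ssl release that added the SSLInsecureRenegotiation
        # directive and RFC 5746 support when built against OpenSSL >= 0.9.8m.
        findings.append("Apache %s predates 2.2.15" % ".".join(m.groups()))
    m = re.search(r"OpenSSL/(\d+\.\d+\.\d+[a-z]*)", header)
    if m and openssl_version_key(m.group(1)) < openssl_version_key(MIN_OPENSSL):
        findings.append("OpenSSL %s predates 0.9.8m (no RFC 5746 renegotiation indication)" % m.group(1))
    return findings


def secure_renegotiation_status(s_client_output):
    """True if s_client reported 'Secure Renegotiation IS supported', False for
    'IS NOT supported', None if the line is absent (handshake did not complete)."""
    m = re.search(r"Secure Renegotiation IS( NOT)? supported", s_client_output)
    if m is None:
        return None
    return m.group(1) is None
```

Re-running the s_client check after the upgrade is the quick way to confirm the fix took, since the browsers in the thread are refusing exactly the servers that report "IS NOT supported".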




1917 posts

Uber Geek
+1 received by user: 110


  Reply # 373014 26-Aug-2010 10:03

Thanks guys for your help!

We upgraded to the latest version of OpenSSL and this fixed it. I can't believe how much of an issue this had become, considering the last release we had was only 6 months old. But I suppose that is part of running an up-to-date PCI compliant website.



1917 posts

Uber Geek
+1 received by user: 110


  Reply # 373017 26-Aug-2010 10:06

Kyanar: Yeah, all the latest versions of the browser cores (except Trident) are disabling session renegotiation in its entirety because a recent vulnerability was discovered that allows MITM attacks on servers that try to renegotiate ciphers in the middle of the communications. A new protocol version was rushed through draft phases and is now mandated by the NSS and WebKit maintainers (despite the fact that only bleeding-edge servers support it).

Kind of funny when you think about it - the fact that you disabled SSL 2 actually made your server less secure.


PCI compliance is a funny thing. It has so many issues and conflicts it's not funny.

You can make up so much BS when becoming compliant; however, if something goes wrong it is your a$$ on the line, and a $250,000 fine too.

