SSL breakage and client verification
Hopefully this may help others.
I’ve recently been trying startssl.com for an SSL certificate for a customer. Their wizard unfortunately insists upon generating them with “www” in front (although it provides altname of “DNS: www.example.com, DNS:example.com” (names altered BTW)) – however firefox ain’t happy. So I’m going to get them to sign my CSR.
However I couldn’t login – it failed with:
The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
After trying to figure out WTF was happening, I’ve finally found Debian bug #561918 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561918). This is the real problem. Unfortunately there isn’t a straightforward solution, as renegotiation was disabled because of a nasty bug someone found in SSL renegotiation.
The workaround for now is to start firefox with:
export NSS_SSL_ENABLE_RENEGOTIATION=1
firefox
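As an added example (not part of the original post), here is a small POSIX shell helper that classifies a server’s renegotiation support from `openssl s_client` output, plus a wrapper that applies the workaround above to a single Firefox process instead of exporting the variable into the whole shell session. It assumes OpenSSL 0.9.8m or newer, whose s_client prints the RFC 5746 “Secure Renegotiation IS/IS NOT supported” line; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes OpenSSL 0.9.8m+ (s_client reports RFC 5746 secure renegotiation).

# renego_status: read `openssl s_client` output on stdin, print one word:
#   secure   - server advertises RFC 5746 secure renegotiation
#   insecure - server only offers the legacy renegotiation that CVE-2009-3555
#              abuses (the case the NSS disable is protecting against)
#   unknown  - no renegotiation line seen (handshake failed, old OpenSSL, ...)
renego_status() {
    out=$(cat)
    case "$out" in
        *'Secure Renegotiation IS supported'*)     echo secure ;;
        *'Secure Renegotiation IS NOT supported'*) echo insecure ;;
        *)                                         echo unknown ;;
    esac
}

# check_host HOST [PORT]: probe a live server and print its status.
# Not exercised by the tests below; needs network access and openssl.
check_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null | renego_status
}

# firefox_with_renegotiation: the post's workaround, but scoped to this one
# Firefox process. `export` in an interactive shell would hand the variable
# to every other NSS-based program started from that shell afterwards.
firefox_with_renegotiation() {
    NSS_SSL_ENABLE_RENEGOTIATION=1 firefox "$@"
}
```

Run `check_host example.com` first; if it prints `insecure`, the server is in exactly the configuration the renegotiation bug targets, so keep the re-enabled Firefox instance to that one site.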
Posted: February 4th, 2010 under Linux.
Comments
Comment from Daniel Pope
Time: Thursday 4 February, 2010, 14:16
An elegant reminder of one of the reasons not to use Debian unstable.
Comment from adrian
Time: Thursday 4 February, 2010, 14:19
I’m not sure I agree – the problem is that there isn’t an ideal solution ATM:
- either all your SSL connections are at risk of hijacking
- or SSL client-side verification is broken (which is very, very rarely used)
I’d expect it to be the same case on stable, or Ubuntu, or Fedora,…
Comment from Daniel Pope
Time: Thursday 4 February, 2010, 18:30
Ah, I misunderstood the gist of the bug thread – I read it that the upstream had disabled a little-used feature over security concerns, rather than fixing it. I didn’t realise it can’t be fixed without changing the TLS protocol.
Comment from adrian
Time: Thursday 4 February, 2010, 20:07
That’s my understanding, but I’m certainly no expert.