[Ach] Idea: catching old clients with sni

Wed Nov 13 00:13:56 CET 2013

That's certainly a very good idea!

I'm not so sure about the RC4 in there - it should be Java7 compatible with
CBC as well, right? Let's include this. Any comments from other people?

Aaron

On Tue, Nov 12, 2013 at 11:44 PM, Adi Kriegisch <adi at kriegisch.at> wrote:

> Hey!
>
> > >> PS: For Java7 this trick will not work as Java7 supports sni and
> needs the
> > >> "strong crypto pack" to enable stronger ciphers.
> > > Are there _really_ any Browsers written in Java that people actually
> use? Or is Java “only” used to access Web-APIs? In the latter case one
> could specifically narrow access without impacting common browsers. Or am I
> totally thinking in the wrong direction here? (Or is it just that I'm
> allergic to Java that I try to find excuses to not support it?)
> > Everybody is allergic to java except for java programmers. Java is used
> by so many things - you can’t work around it - There might come a time
> (like with flash) that it is in fact obsolete, but that will take a long
> time. Java is heavily used in webapps and GUIs that use HTTPS. We’ll need
> to find a solution.
> Ok, another idea: not even sni config is needed. For apache, nginx and I am
> sure and for lighttpd I assume the following is possible:
> Add (for the sake of simplicity) on weak cipher supported by about every
> client out there (something like DHE+AES128+RC4+SHA comes to my mind) as a
> "last ressort". Then add a condition to your web server redirecting to a
> special page based on the cipher:
> in apache
>  RewriteCond %{ENV:SSL_CIPHER} = "MY_CIPHER_STRING_FROM_ABOVE"
>  RewriteRule ...whereever we want to send that guy...
>
> in nginx
>  if ($ssl_cipher ~ "MY_CIPHER_STRING_FROM_ABOVE") {
>      rewrite ...whereever we want to send that guy...;
>  }
>
> This has three advantages:
> It is more generic than the sni approach
> It doesn't need a modification on the application level
> It catches Java7 too
>
> One may even extend that to detecting the client string and redirect to a
> certain page for a client (like a page that tells Java people to enable
> reasonable crypto).
>
> The disadvantage is obvious: there is a certain overhead in checking that
> conditional on every request. When using a default Apache with all/most
> modules enabled, people are used to pain and won't notice the difference in
> speed. Also compared to a complete SSL/TLS handshake the difference might
> be negligible.
>
> -- Adi
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iQIVAwUBUoKvT3REfA6phVy/AQJGBw//VaQTsWWTPuO6S/AvVtnpc9FU+uKDsLej
> rmLD7J5GjTUP7pBfJJ5M+1KRZQm/OzKtqBG3rFP5t69yQ//y11PpNYjFa1V0EeWq
> nnhS8DZPKtWXW8ZKlap4dlcZjY8wKAKFOgHtT2ePy82oAdZP9sw3rSBJu2P9d94J
> wyAZJm2BruEW8kNKVnN0p0OwQL3OyPpbsXz9i61KQD82VqVGlosmjVgccyaLFS4Y
> B2GypI1f/O/wdJIVPiINTHUxzILHmwp+Rn7JeyeJtpZrv8ko86IBVyxkc997/ERC
> 84NaKthWBhPYqubX/y8/eZVYxszEaP4+mZUaAfIlMmRiW6GMsdnAwFQh8IQlNta4
> wIkRTfvteIPfrRuwpoCXvLOHCDdkGl3QcoxtBvvOcUX8QWepstukFTuTQVVv194B
> QMzXhJ7p0vrv7DPVFADD5m9MI0nwoYMxiUeJ/J9GLHtzT4hWyplknIQd1PPq4tt9
> xTLNJBIYJylkpYBE7nbOjY6yq0A/aezj/kbIDrkFqnCpOmjUy6MRTFV21H0GFEv/
> SXzljTPO4e0q3rngy9c8gUmzTFdJxG94cDCxseLvbXVn1x0bQHxjHv6HKSDFTEN7
> EsaFKFKqxy3p2A+XQvUucaIJlbmhtAQkJZVm53VPauaNVA39zsMl8DmcBzmsPFrY
> ekJ3Mw8FqP0=
> =AGGX
> -----END PGP SIGNATURE-----
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20131113/75f6e694/attachment.html>