[Ach] git - cipher suites - proxy - thoughts

Ulrich Poeschl ulrich.poeschl at bmlvs.gv.at
Wed Nov 20 15:07:03 CET 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hey all,

sorry for three useless commits during the last 24 hours. I was just
trying to get the git-setup up and running behind our big Chinese
firewall here and ran into a problem that Adi (thanks!) gave me some
clue about and I think it's worth mentioning here.

we have a proxy that intercepts everything, including https. so a
typical "man in the middle" to scan everything for malware & sh*t.

what I never thought about, was checking the ssl-connection that the
proxy-appliance then negotiates with the real destination and I think
that should be a point worth mentioning in the paper. you can have the
newest shiny browser on your client, but if the intercepting proxy
negotiates weak crypto you lose again AND: you won't notice it.

I guess that the webserver at bettercrypto.org was not happy with what
the proxy here was offering, and the error message never reached my
git-client.

just after disabling ssl-interception for bettercrypto.org it started
working properly. so this is 1. a problem with the capabilities of our
proxy here and 2. possibly a bug in the git binary.

will now start to review the document and try to contribute something
more useful ;-)

regards,
Ulrich
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-----END PGP SIGNATURE-----
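
An added example, not part of the original message: one way to audit the leg the client cannot see is to capture the ClientHello the intercepting proxy sends upstream and list what it offers. The function names, the short suite table and both ClientHello byte strings are constructed for illustration; it assumes you can capture the proxy's upstream handshake on a host you administer.

```python
import struct
# Subset of IANA TLS cipher suite IDs, enough for the constructed samples below.
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_MD5", "_EXPORT_", "_NULL_")
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_client_hello(record: bytes):
    """Return (client_version, [suite ids]) from one TLS record holding a ClientHello."""
    if len(record) < 5 or record[0] != 22:            # 22 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < max(rec_len, 4) or body[0] != 1:   # 1 = ClientHello
        raise ValueError("truncated record or not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        version = struct.unpack("!H", hello[:2])[0]
        pos = 34 + 1 + hello[34]                      # skip version, random, session_id
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        ids = struct.unpack("!%dH" % (cs_len // 2), hello[pos + 2:pos + 2 + cs_len])
    except (struct.error, IndexError):
        raise ValueError("truncated ClientHello")
    return version, list(ids)

def audit(record: bytes):
    """Summarise what the TLS client (here: the proxy) offered; pre-TLS 1.3 semantics."""
    version, ids = parse_client_hello(record)
    names = [SUITES.get(i, "0x%04X" % i) for i in ids]  # unknown IDs stay as hex, unjudged
    return {
        "max_version": VERSIONS.get(version, hex(version)),
        "weak": [n for n in names if any(m in n for m in WEAK_MARKERS)],
        "no_forward_secrecy": not any("DHE_" in n for n in names),  # DHE and ECDHE
    }

def build_sample(version, suite_ids):
    """Constructed ClientHello: zero random, empty session id, null compression."""
    cs = struct.pack("!%dH" % len(suite_ids), *suite_ids)
    hello = struct.pack("!H", version) + bytes(33) + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

PROXY_HELLO = build_sample(0x0301, [0x0005, 0x0004, 0x000A, 0x002F])    # constructed
BROWSER_HELLO = build_sample(0x0303, [0xC02F, 0xC030, 0x009E, 0x002F])  # constructed
```

Running `audit()` on both samples shows the gap the message describes: the browser-side hello offers TLSv1.2 with forward secrecy, while the constructed proxy-side hello tops out at TLSv1.0 with RC4 and 3DES.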


