[PYTHON-CRYPTO] M2Cypto SSL and IE5's 56bit bug
Richard Jones
richard at BIZARSOFTWARE.COM.AU
Wed Jul 4 10:03:29 CEST 2001
On Wed, 4 Jul 2001 17:08, Richard Jones wrote:
> Here's a workaround for ZServerSSL for the 56bit SSL cipher bug in IE 5.
> The bug is described in the following pages:
>
> http://www.geocrawler.com/archives/3/191/2000/6/0/3962617/
> http://support.microsoft.com/support/kb/articles/Q249/8/63.asp
>
> I've managed to work around it in much the same way as the Apache mod-ssl
> fix - by disabling the 56bit ciphers. In ZServerSSL, this is achieved using
> the following context call:
>
>
> ssl_ctx.set_cipher_list('ALL:!EXPORT56:!ADH:RC4+RSA:+SSLv2:@STRENGTH')
>
>
> ... except this doesn't work. A dump of ssl_conn.get_ciphers() definitely
> doesn't list any 56-bit ciphers, but IE still refuses to work. A test with
> s_server in both -www and -WWW mode works OK though (with -cipher being the
> above cipher list)...
>
> Anyone got any ideas?
A clarification - this only occurs with the Thawte SuperCerts or Verisign`s
"Global Site Services". Specifically, we have a Thawte SuperCert. When using
the dummy server.pem bundled with m2crypto, there's no problems.
I have the https_server.py code dumping the cipher usage info for each
connection at the moment. With the chiper list above, the actual list of
ciphers is the same regardless of the server.pem used:
EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5,
DHE-DSS-RC4-SHA, IDEA-CBC-SHA, RC4-SHA, RC4-MD5, IDEA-CBC-MD5, RC2-CBC-MD5,
RC4-MD5, RC4-64-MD5, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA, DES-CBC-SHA,
DES-CBC-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-EDH-DSS-DES-CBC-SHA,
EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC4-MD5, EXP-RC2-CBC-MD5, EXP-RC4-MD5
When using the m2crypto dummy server.pem, the EXP-RC2-CBC-MD5 cipher is
selected. When using our SuperCert server.pem, the handshake fails and no
cipher is selected.
I don't actually know how the SuperCert differs from the m2crypto cert, and I
can see a brick wall rapidly approaching...
Richard
--
Richard Jones
richard at bizarsoftware.com.au
Senior Software Developer, Bizar Software (www.bizarsoftware.com.au)
More information about the python-crypto
mailing list