LJR: bugs -
December 3rd, 2017
07:55 am
[do_]

$ openssl s_client -showcerts -connect lj.rossia.org:443

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = lj.rossia.org
verify return:1
---
Certificate chain
0 s:/CN=lj.rossia.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=lj.rossia.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3152 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7E441503FD48603B4D26C4A2CC1F2E57B083403EEDD731F21BEFF085AD8C15F4
Session-ID-ctx:
Master-Key: E19E3DC65E65DB1E985110F5B0E529F468D547D4A6667E4E0BB381B046777EE4014A5AE7B27F69DCB338399EFFF9F16E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 1200 (seconds)
TLS session ticket:

Start Time: 1512261305
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed


And now like this:

$ openssl s_client -servername lj.rossia.org -showcerts -connect lj.rossia.org:443
CONNECTED(00000003)
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=10:certificate has expired
notAfter=Nov 12 12:46:03 2014 GMT
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
notAfter=Nov 12 12:46:03 2014 GMT
verify return:1
---
Certificate chain
0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
---
Server certificate
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1084 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 8D827149DD0E5E1811353050247F3E26D7155E06614B0C49FBD40EBB60C8178D
Session-ID-ctx:
Master-Key: 3047EAB2424E865B2168DFAA4FCC3D50A7795CC3F0AA812281435492F97B93BF2DD4A466ACF1F5DD71D98A064288E0F7
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 120 (seconds)
TLS session ticket:

Start Time: 1512262297
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---

GET / HTTP/1.1
Host: lj.rossia.org

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.10.3 (Ubuntu)
Date: Sun, 03 Dec 2017 00:52:04 GMT
Content-Type: text/html
Content-Length: 170
Connection: keep-alive
Location: http://blocked.mts.ru/?host=lj.rossia.org

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.10.3 (Ubuntu)</center>
</body>
</html>

All that's left is a small matter -- getting the browser not to send -servername
(but it seems that's exactly what modern browsers can't do)

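An added example, not part of the original post: a parser that compares two `openssl s_client` transcripts for the same host, one taken without `-servername` and one with it, and lists the signs of SNI-triggered interception seen above. The sample transcripts are abridged from the output in the post; the function names are hypothetical.

```python
import re
# Constructed sample input: abridged from the two transcripts in the post.
NO_SNI = """\
subject=/CN=lj.rossia.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Server public key is 2048 bit
Verify return code: 0 (ok)
"""
WITH_SNI = """\
verify error:num=18:self signed certificate
verify error:num=10:certificate has expired
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Server public key is 1024 bit
Verify return code: 10 (certificate has expired)
"""

def summarize(transcript):
    """Pull the leaf-certificate facts out of `openssl s_client` output."""
    def grab(pattern, default=""):
        m = re.search(pattern, transcript, re.M)
        return m.group(1).strip() if m else default
    return {
        "subject": grab(r"^subject=(.*)$"),
        "issuer": grab(r"^issuer=(.*)$"),
        "key_bits": int(grab(r"^Server public key is (\d+) bit", "0")),
        "verify_code": int(grab(r"^\s*Verify return code: (\d+)", "-1")),
        "errors": sorted({int(n) for n in
                          re.findall(r"^verify error:num=(\d+):", transcript, re.M)}),
    }

def sni_findings(no_sni, with_sni, hostname):
    """Compare a no-SNI and an SNI transcript taken against the same host:port."""
    a, b = summarize(no_sni), summarize(with_sni)
    out = []
    if a["subject"] != b["subject"]:
        out.append("leaf certificate differs once SNI is sent")
    # Heuristic: only the subject is printed here; real matching uses SANs.
    if hostname not in b["subject"]:
        out.append("certificate served for the SNI name does not mention it")
    if b["subject"] and b["subject"] == b["issuer"]:
        out.append("self-issued certificate")
    if b["verify_code"] != 0:
        out.append("chain verification failed (code %d)" % b["verify_code"])
    if 0 < b["key_bits"] < a["key_bits"]:
        out.append("weaker key: %d vs %d bits" % (b["key_bits"], a["key_bits"]))
    return out
if __name__ == "__main__":
    print("\n".join(sni_findings(NO_SNI, WITH_SNI, "lj.rossia.org")))
```

The `errors` field keeps every `verify error` line because the final `Verify return code` reports only one of them: in the second transcript it shows 10 (expired) while error 18 (self-signed) appears only earlier in the output.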

Comments
 
From:(Anonymous)
Date:December 3rd, 2017 - 12:12 am
(Link)
https://www.youtube.com/watch?v=uXV-4ot13-Q
From:(Anonymous)
Date:December 3rd, 2017 - 07:50 am
(Link)
> All that's left is a small matter -- getting the browser not to send -servername
> (but it seems that's exactly what modern browsers can't do)

and which ones can?
some old ones?
From:[info]do_
Date:December 3rd, 2017 - 08:04 am
(Link)
In theory, any browser in a version from before SNI support was added to it. If Wikipedia is to be believed, in Chrome it was added in 2010. But I haven't tried it myself yet; I suspect it would be agony to use such a browser these days.
From:(Anonymous)
Date:December 3rd, 2017 - 12:50 pm
(Link)
SNI is a TLS extension.
Try disabling TLS in the browser (leaving only the "obsolete" SSLv3).

In Firefox this used to be done like so:
security.tls.version.min = 0
security.tls.version.max = 0
But now it doesn't help - it looks like the Firefox coders have nailed TLS in place.

A smart SOCKS or HTTPS proxy that cuts this SNI extension out of the Client Hello would also help.
From:(Anonymous)
Date:December 3rd, 2017 - 01:49 pm
(Link)
but won't half the sites break in that case? the ones that have disabled SSL.
From:(Anonymous)
Date:December 3rd, 2017 - 02:00 pm
(Link)
a rhetorical question.
in that case, see below.
From:(Anonymous)
Date:December 3rd, 2017 - 01:59 pm
(Link)
Here, I found an add-on for substituting the SNI in the ClientHello:
http://madynes.loria.fr/Research/Software#toc2
(the add-on imitates a local proxy)