[Recent Entries][Archive][Friends][User Info]
| December 3rd, 2017 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 07:55 am [do_] [Link] |     CONNECTED(00000003) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = lj.rossia.org verify return:1 --- Certificate chain 0 s:/CN=lj.rossia.org i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 -----BEGIN CERTIFICATE----- MIIFEDCCA/igAwIBAgISBAl2LToGkkmkbDaVFLIB MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQn ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAe ODAyMTgwMDAwMDhaMBgxFjAUBgNVBAMTDWxqLnJv SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrNm2gw1dg rArcNNfnbyos8X+vPQXR13zKLaav/25UQHeTPNyi LNBXbj1rjo5lIfc6ck/mYnFg3lT6zCcYv94f8atC gwb++VwTsz62bJkGx2dbUVLxYRsS0++f5LA99qkj +8TdsQORkh1nc+NcAj2QAZXDcrX8IuDnqu61R2je VcqwxEnH8PqKJXHAmrw7DlPgdPAbvuhj6SMLQom+y MIICHDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw BwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFEW8 MB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/z YTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AuaW50 ZzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50 Zy8wKwYDVR0RBCQwIoINbGoucm9zc2lhLm9yZ4IR gf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysG AQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0 gZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5 IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBh IENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBo Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsF i+vD+5kaBd+Yc2mWDNow0/wK8R1N45MLMVEGpIbL ow0CTRZwfUnufiukm2seSoR3d1RRLaJoukFy1950 sqUDxW6I+L4GENbD9JxMDQzciKJuSPoeWwX2lTgu aCiuYe8+f/L7/5QrQRpOdT/gyFEvYpI7Il4raLNU sa6sQenfOCChvXnc8M/9FGFt8rJ/8Ub88QiB0QTZ ccXNpw== -----END CERTIFICATE----- 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 -----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheyn MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBU DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0 SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdz GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIB AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Ga SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqo /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwID AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYw CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlk bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRl c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKex VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNy MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5j Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcn uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wod wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jM X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+s PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbG KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== -----END CERTIFICATE----- --- Server certificate subject=/CN=lj.rossia.org issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 3152 bytes and written 434 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 7E441503FD48603B4D26C4A2CC1F2E57B083403E Session-ID-ctx: Master-Key: E19E3DC65E65DB1E985110F5B0E529F468D547D4 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 1200 (seconds) TLS session ticket: 0000 - 50 2f af 16 b0 b2 5b f9-8c e4 08 e7 0b c3 de 93 P/....[......... 0010 - 89 ff 75 f9 d9 73 32 6d-30 25 e9 74 ff b6 57 8c ..u..s2m0%.t..W. 0020 - 59 ae 45 a8 b1 d2 c5 16-83 4f 48 3e 6f 17 fb a4 Y.E......OH>o... 0030 - e9 cb 4f c7 f2 02 6b d2-4f c6 ee fd d7 b7 a4 be ..O...k.O....... 0040 - ec 0e 7c 2f 86 50 c9 fe-b5 9f 22 ff d9 a1 4c 53 ..|/.P...."...LS 0050 - d6 cd 1b 84 52 e1 f1 d7-1c 0d 7e f8 81 86 69 e7 ....R.....~...i. 0060 - b0 fb 3a b1 4f a9 d8 71-2c 06 cb 31 96 e2 36 cd ..:.O..q,..1..6. 0070 - 8a cb 70 cc eb d3 cc f0-48 4b d8 cb 89 37 68 d0 ..p.....HK...7h. 0080 - fe b2 6a d3 70 f5 a8 fa-37 df d7 b7 35 ff 17 c9 ..j.p...7...5... 0090 - ea 73 e3 f5 26 b7 0a d3-cb b2 19 bb 3e 31 64 49 .s..&.......>1dI 00a0 - 70 da b4 b5 4a 24 2d 97-dc 4c 6e e2 10 49 49 e1 p...J$-..Ln..II. Start Time: 1512261305 Timeout : 300 (sec) Verify return code: 0 (ok) --- closed А вот теперь так: $ openssl s_client -servername lj.rossia.org -showcerts -connect lj.rossia.org:443 CONNECTED(00000003) depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd verify error:num=18:self signed certificate verify return:1 depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd verify error:num=10:certificate has expired notAfter=Nov 12 12:46:03 2014 GMT verify return:1 depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd notAfter=Nov 12 12:46:03 2014 GMT verify return:1 --- Certificate chain 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd -----BEGIN CERTIFICATE----- MIICATCCAWoCCQD1ui5gnJHbtDANBgkqhkiG9w0B VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE cyBQdHkgTHRkMB4XDTE0MTAxMzEyNDYwM1oXDTE0 A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0B Npv6pBCK9BAVr8y7FgNkrvwtAOwfjR8HZwkHwk0x KQAGrw9d0pfjRjgNZWNbw2KKfEjc5J4eByLnCrG0 T3XPVLj/qdenv7ySbrNPdIq8TTlDVv+0Awsu8KcC AAOBgQBnYRFTWiLxrCbU3AQjLaEfGN6Kb1yf1Y2x lO3Z0TJv3pda+4WN41OnuYE1Vgatlhai/lgxJBfM GVlxkEQXHDsyERWJmJjS/0swu7crz2O0Ip6IF30I -----END CERTIFICATE----- --- Server certificate subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 1084 bytes and written 456 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 8D827149DD0E5E1811353050247F3E26D7155E06 Session-ID-ctx: Master-Key: 3047EAB2424E865B2168DFAA4FCC3D50A7795CC3 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 120 (seconds) TLS session ticket: 0000 - e8 a3 57 5e c9 fb fd ed-04 ad fb 78 2c 62 3f 0f ..W^.......x,b?. 0010 - d7 57 f6 eb cc 93 fb bd-1e 61 2e 5c c1 b8 52 96 .W.......a.\..R. 0020 - 93 a5 6b 59 39 f9 0c f6-23 94 b0 c0 60 e7 6c d6 ..kY9...#...`.l. 0030 - e2 2f b4 27 cc 1d 43 ad-70 71 41 57 eb 63 15 b4 ./.'..C.pqAW.c.. 0040 - fa 39 9d a2 1a e3 9a 9c-9d a5 55 8c fc fb b3 9c .9........U..... 0050 - 39 da 33 f3 e9 63 e0 c2-7f 04 24 73 91 e9 50 02 9.3..c....$s..P. 0060 - 6d 8d d9 d6 ae 4f b1 de-e6 59 16 0c 8c 64 39 03 m....O...Y...d9. 0070 - 2a 06 52 7c 79 b3 da 2d-a4 a0 ae 9d a0 fc 82 82 *.R|y..-........ 0080 - 32 84 cb 84 6e ed 70 c1-6f 95 95 17 3e 36 a1 cd 2...n.p.o...>6.. 0090 - ef 8a aa aa 02 b2 92 81-ff 96 21 f3 ce 79 06 95 ..........!..y.. 00a0 - af 9e 7b af 66 9c af dd-bc 58 68 8b 4f 3b ad ae ..{.f....Xh.O;.. 00b0 - 3f c3 e8 6d 63 c3 6c ec-a0 82 04 8e 5a 65 73 75 ?..mc.l.....Zesu Start Time: 1512262297 Timeout : 300 (sec) Verify return code: 10 (certificate has expired) --- GET / HTTP/1.1 Host: lj.rossia.org HTTP/1.1 302 Moved Temporarily Server: nginx/1.10.3 (Ubuntu) Date: Sun, 03 Dec 2017 00:52:04 GMT Content-Type: text/html Content-Length: 170 Connection: keep-alive Location: http://blocked.mts.ru/?host=lj.rossia.o <html> <head><title>302 Found</title></head> <body bgcolor="white"> <center><h1>302 Found</h1></center> <hr><center>nginx/1.10.3 (Ubuntu)</center> </body> </html> Дело за малым -- заставить браузер не слать -servername (но, похоже, именно этого современные браузеры и не умеют) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comments | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
https://www.youtube.com/watch?v=uXV-4ot1
> Дело за малым -- заставить браузер не слать -servername (но, похоже, именно этого современные браузеры и не умеют) а какие умеют? какие-то старые? (Reply to this) (Thread) По идее любой браузер в версии до того как в нём была запилена поддержка SNI. Если верить Википедии, в Хроме она была заполнена в 2010. Но сам пока не пробовал, подозреваю это будет мучение в наше время пользоваться таким браузером. (Reply to this) (Parent)
SNI - расширение TLS. Попробуйте отключить в браузере TLS (оставив только "устаревший" SSLv3). В Firefox раньше это делалось так: security.tls.version.min = 0 security.tls.version.max = 0 Но сейчас не помогает - похоже, погроммисты огнелиса прибили TLS гвоздями. Поможет ещё умный socks или https-прокси, вырезающий этот SNI-extension из Client Hello.
а разве при этом не отвалится половина сайтов? те, которые запретили ssl.
риторический вопрос. тогда см. ниже. (Reply to this) (Parent)
Вот нашёл аддон для подмены SNI в ClientHello: http://madynes.loria.fr/Research/Softwar (аддон имитирует локальный прокси) | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
![[info]](http://lj.rossia.org/img/userinfo.gif){kind=small}