LJR: bugs -
[Recent Entries][Archive][Friends][User Info]
07:55 am [do_]
[Link] | $ openssl s_client -showcerts -connect lj.rossia.org:443
CONNECTED(00000003) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = lj.rossia.org verify return:1 --- Certificate chain 0 s:/CN=lj.rossia.org i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 -----BEGIN CERTIFICATE----- MIIFEDCCA/igAwIBAgISBAl2LToGkkmkbDaVFLIBt9POMA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzExMjAwMDAwMDhaFw0x ODAyMTgwMDAwMDhaMBgxFjAUBgNVBAMTDWxqLnJvc3NpYS5vcmcwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrNm2gw1dgtAyz2+HU3F4CUfnd4VpxZ8Ys rArcNNfnbyos8X+vPQXR13zKLaav/25UQHeTPNyiWMXA4oJj3fpPExwPh05iSfRO LNBXbj1rjo5lIfc6ck/mYnFg3lT6zCcYv94f8atCmhHmKK4Jmk0PhYx8LPeWOWiG gwb++VwTsz62bJkGx2dbUVLxYRsS0++f5LA99qkjyQRbC+1vwG8LjwzC0Rnt7Xog +8TdsQORkh1nc+NcAj2QAZXDcrX8IuDnqu61R2jetyUJJkKDMzDZo+FXZur12JmE VcqwxEnH8PqKJXHAmrw7DlPgdPAbvuhj6SMLQom+ybz24S3wo4NFAgMBAAGjggIg MIICHDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF BwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFEW8VyNCYSd8UAgkcHGDozFfFzIv MB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMG8GCCsGAQUFBwEBBGMw YTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNyeXB0Lm9y ZzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y Zy8wKwYDVR0RBCQwIoINbGoucm9zc2lhLm9yZ4IRd3d3LmxqLnJvc3NpYS5vcmcw gf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsG AQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIw gZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5 IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhl IENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0 Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAUPPvby5qaQOztsaX i+vD+5kaBd+Yc2mWDNow0/wK8R1N45MLMVEGpIbL5QfPxyQTqymjIabR6rZ838Sa ow0CTRZwfUnufiukm2seSoR3d1RRLaJoukFy1950BxCrWIML38rdVfHfzoH0ODCK sqUDxW6I+L4GENbD9JxMDQzciKJuSPoeWwX2lTguThh0TnsX3dwt5JYQAoppMazj aCiuYe8+f/L7/5QrQRpOdT/gyFEvYpI7Il4raLNUodGd4oBkn8QaWrw44ns4EbDJ sa6sQenfOCChvXnc8M/9FGFt8rJ/8Ub88QiB0QTZIEj3tG+tqCeVR/pvhbXLSXW4 ccXNpw== -----END CERTIFICATE----- 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 -----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== -----END CERTIFICATE----- --- Server certificate subject=/CN=lj.rossia.org issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 3152 bytes and written 434 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 7E441503FD48603B4D26C4A2CC1F2E57B083403EEDD731F21BEFF085AD8C15F4 Session-ID-ctx: Master-Key: E19E3DC65E65DB1E985110F5B0E529F468D547D4A6667E4E0BB381B046777EE4014A5AE7B27F69DCB338399EFFF9F16E Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 1200 (seconds) TLS session ticket: 0000 - 50 2f af 16 b0 b2 5b f9-8c e4 08 e7 0b c3 de 93 P/....[......... 0010 - 89 ff 75 f9 d9 73 32 6d-30 25 e9 74 ff b6 57 8c ..u..s2m0%.t..W. 0020 - 59 ae 45 a8 b1 d2 c5 16-83 4f 48 3e 6f 17 fb a4 Y.E......OH>o... 0030 - e9 cb 4f c7 f2 02 6b d2-4f c6 ee fd d7 b7 a4 be ..O...k.O....... 0040 - ec 0e 7c 2f 86 50 c9 fe-b5 9f 22 ff d9 a1 4c 53 ..|/.P...."...LS 0050 - d6 cd 1b 84 52 e1 f1 d7-1c 0d 7e f8 81 86 69 e7 ....R.....~...i. 0060 - b0 fb 3a b1 4f a9 d8 71-2c 06 cb 31 96 e2 36 cd ..:.O..q,..1..6. 0070 - 8a cb 70 cc eb d3 cc f0-48 4b d8 cb 89 37 68 d0 ..p.....HK...7h. 0080 - fe b2 6a d3 70 f5 a8 fa-37 df d7 b7 35 ff 17 c9 ..j.p...7...5... 0090 - ea 73 e3 f5 26 b7 0a d3-cb b2 19 bb 3e 31 64 49 .s..&.......>1dI 00a0 - 70 da b4 b5 4a 24 2d 97-dc 4c 6e e2 10 49 49 e1 p...J$-..Ln..II.
Start Time: 1512261305 Timeout : 300 (sec) Verify return code: 0 (ok) --- closed
А вот теперь так:
$ openssl s_client -servername lj.rossia.org -showcerts -connect lj.rossia.org:443 CONNECTED(00000003) depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd verify error:num=18:self signed certificate verify return:1 depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd verify error:num=10:certificate has expired notAfter=Nov 12 12:46:03 2014 GMT verify return:1 depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd notAfter=Nov 12 12:46:03 2014 GMT verify return:1 --- Certificate chain 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd -----BEGIN CERTIFICATE----- MIICATCCAWoCCQD1ui5gnJHbtDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 cyBQdHkgTHRkMB4XDTE0MTAxMzEyNDYwM1oXDTE0MTExMjEyNDYwM1owRTELMAkG A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0 IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt4ka Npv6pBCK9BAVr8y7FgNkrvwtAOwfjR8HZwkHwk0xgbjt7UJQVvqdlTVOhEIscwVS KQAGrw9d0pfjRjgNZWNbw2KKfEjc5J4eByLnCrG0DtAfohgyLVppv8n5T0UgCH4A T3XPVLj/qdenv7ySbrNPdIq8TTlDVv+0Awsu8KcCAwEAATANBgkqhkiG9w0BAQUF AAOBgQBnYRFTWiLxrCbU3AQjLaEfGN6Kb1yf1Y2xxm/XkYPEoCN23zy3Yt3674KE lO3Z0TJv3pda+4WN41OnuYE1Vgatlhai/lgxJBfMkZ94IljnLs7uj5AfYQiffcx/ GVlxkEQXHDsyERWJmJjS/0swu7crz2O0Ip6IF30ILSBaRPBt3w== -----END CERTIFICATE----- --- Server certificate subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 1084 bytes and written 456 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 8D827149DD0E5E1811353050247F3E26D7155E06614B0C49FBD40EBB60C8178D Session-ID-ctx: Master-Key: 3047EAB2424E865B2168DFAA4FCC3D50A7795CC3F0AA812281435492F97B93BF2DD4A466ACF1F5DD71D98A064288E0F7 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 120 (seconds) TLS session ticket: 0000 - e8 a3 57 5e c9 fb fd ed-04 ad fb 78 2c 62 3f 0f ..W^.......x,b?. 0010 - d7 57 f6 eb cc 93 fb bd-1e 61 2e 5c c1 b8 52 96 .W.......a.\..R. 0020 - 93 a5 6b 59 39 f9 0c f6-23 94 b0 c0 60 e7 6c d6 ..kY9...#...`.l. 0030 - e2 2f b4 27 cc 1d 43 ad-70 71 41 57 eb 63 15 b4 ./.'..C.pqAW.c.. 0040 - fa 39 9d a2 1a e3 9a 9c-9d a5 55 8c fc fb b3 9c .9........U..... 0050 - 39 da 33 f3 e9 63 e0 c2-7f 04 24 73 91 e9 50 02 9.3..c....$s..P. 0060 - 6d 8d d9 d6 ae 4f b1 de-e6 59 16 0c 8c 64 39 03 m....O...Y...d9. 0070 - 2a 06 52 7c 79 b3 da 2d-a4 a0 ae 9d a0 fc 82 82 *.R|y..-........ 0080 - 32 84 cb 84 6e ed 70 c1-6f 95 95 17 3e 36 a1 cd 2...n.p.o...>6.. 0090 - ef 8a aa aa 02 b2 92 81-ff 96 21 f3 ce 79 06 95 ..........!..y.. 00a0 - af 9e 7b af 66 9c af dd-bc 58 68 8b 4f 3b ad ae ..{.f....Xh.O;.. 00b0 - 3f c3 e8 6d 63 c3 6c ec-a0 82 04 8e 5a 65 73 75 ?..mc.l.....Zesu
Start Time: 1512262297 Timeout : 300 (sec) Verify return code: 10 (certificate has expired) ---
GET / HTTP/1.1 Host: lj.rossia.org
HTTP/1.1 302 Moved Temporarily Server: nginx/1.10.3 (Ubuntu) Date: Sun, 03 Dec 2017 00:52:04 GMT Content-Type: text/html Content-Length: 170 Connection: keep-alive Location: http://blocked.mts.ru/?host=lj.rossia.org
<html> <head><title>302 Found</title></head> <body bgcolor="white"> <center><h1>302 Found</h1></center> <hr><center>nginx/1.10.3 (Ubuntu)</center> </body> </html>
Дело за малым -- заставить браузер не слать -servername (но, похоже, именно этого современные браузеры и не умеют)
|
|
|
From: | (Anonymous) |
Date: | December 3rd, 2017 - 03:12 am |
---|
| | | (Link) |
|
https://www.youtube.com/watch?v=uXV-4ot13-Q
From: | (Anonymous) |
Date: | December 3rd, 2017 - 10:50 am |
---|
| | | (Link) |
|
> Дело за малым -- заставить браузер не слать -servername (но, похоже, именно этого современные браузеры и не умеют)
а какие умеют? какие-то старые?
| From: | do_ |
Date: | December 3rd, 2017 - 11:04 am |
---|
| | | (Link) |
|
По идее любой браузер в версии до того как в нём была запилена поддержка SNI. Если верить Википедии, в Хроме она была заполнена в 2010. Но сам пока не пробовал, подозреваю это будет мучение в наше время пользоваться таким браузером.
From: | (Anonymous) |
Date: | December 3rd, 2017 - 03:50 pm |
---|
| | | (Link) |
|
SNI - расширение TLS. Попробуйте отключить в браузере TLS (оставив только "устаревший" SSLv3).
В Firefox раньше это делалось так: security.tls.version.min = 0 security.tls.version.max = 0 Но сейчас не помогает - похоже, погроммисты огнелиса прибили TLS гвоздями.
Поможет ещё умный socks или https-прокси, вырезающий этот SNI-extension из Client Hello.
From: | (Anonymous) |
Date: | December 3rd, 2017 - 04:49 pm |
---|
| | | (Link) |
|
а разве при этом не отвалится половина сайтов? те, которые запретили ssl.
From: | (Anonymous) |
Date: | December 3rd, 2017 - 05:00 pm |
---|
| | | (Link) |
|
риторический вопрос. тогда см. ниже.
From: | (Anonymous) |
Date: | December 3rd, 2017 - 04:59 pm |
---|
| | | (Link) |
|
Вот нашёл аддон для подмены SNI в ClientHello: http://madynes.loria.fr/Research/Software#toc2 (аддон имитирует локальный прокси) |
|