sfs8 pt1

Richard Clayton ukcrypto at chiark.greenend.org.uk
Mon, 22 Sep 2008 14:23:42 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <48D7851A.80002@gmx.co.uk>, Dave Howe <DaveHowe@gmx.co.uk>
writes

>Revisiting a *really* old post here, but was just playing with wireshark
>and noticed that, given the server's private key and a packet capture
>(no MitM or knowledge of the key during the capture) it will quite
>happily decrypt the content of packets for you.

this is true if you're using RSA key exchange

        http://wiki.wireshark.org/SSL

but would not be true for other negotiations, such as (in particular!)
ephemeral Diffie-Hellman

>Duplicated this using a stock apache 2.2 server (current release) plus
>several variations of IE and Firefox. I haven't looked at the source to
>see why this is yet (given I suspect my employers may object to me
>spending work hours understanding source), but the implications worry me.

sounds as if your server isn't putting ephemeral Diffie-Hellman high
enough in its preferences list for the SSL (TLS?) negotiation :(  

is it an out-of-the-box configuration?

- -- 
richard                                              Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.         Benjamin Franklin

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBSNecXpoAxkTY1oPiEQKR5gCgjEb5Yg2TN16muW64tOM6iElsTYAAnR6n
2FhOBz8ctruT9qn0achMYpPg
=2UeP
-----END PGP SIGNATURE-----
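
An added example, not part of the original message: a check of where RSA key exchange sits relative to ephemeral Diffie-Hellman in a cipher preference list. The listing is constructed sample data in the style of `openssl ciphers -v` output, and the function names are hypothetical.

```python
import re

# Constructed sample, in preference order, styled after `openssl ciphers -v`.
SAMPLE = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""

# Ephemeral suites (DHE / ECDHE) are listed as Kx=DH / Kx=ECDH.
# Static variants such as Kx=DH/RSA deliberately do not match.
EPHEMERAL_KX = {"DH", "ECDH"}


def parse(listing):
    """Return [(suite_name, key_exchange)] in the order listed."""
    suites = []
    for line in listing.splitlines():
        m = re.match(r"\s*(\S+)\s+\S+\s+Kx=(\S+)", line)
        if m:
            suites.append((m.group(1), m.group(2)))
    return suites


def audit(listing):
    """Report RSA key-exchange suites ranked above the first ephemeral one.

    A session negotiated with Kx=RSA can be decrypted later from a passive
    capture by anyone holding the server's private key; an ephemeral
    Diffie-Hellman session cannot.
    """
    suites = parse(listing)
    first = next((i for i, (_, kx) in enumerate(suites)
                  if kx in EPHEMERAL_KX), None)
    # suites[:None] is the whole list, so with no ephemeral suite at all
    # every RSA key-exchange suite is reported.
    ahead = [name for name, kx in suites[:first] if kx == "RSA"]
    return {
        "first_ephemeral": suites[first][0] if first is not None else None,
        "rsa_kx_ranked_above": ahead,
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
```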