sfs8 pt1

Dave Howe ukcrypto at chiark.greenend.org.uk
Mon, 22 Sep 2008 19:31:39 +0100 

Richard Clayton wrote:
> sounds as if your server isn't putting ephemeral Diffie-Hellman high
> enough in its preferences list for the SSL (TLS?) negotiation :(  
> 
> is it an out-of-the-box configuration ?

Yes.

I did a bit more testing and paid more attention. I took a look at
exactly what was happening) and it looks like FF (checked 2.x and 3.x)
works fine, but IE (any version from 6 up to 8b2) doesn't.

It also appears to be a feature of the *browser*'s preferred list,
rather than the server.

out-of-the-box the apache 2.2 config has this:

SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

During connect, IE (in this case IE7) asserts the following list:
Cipher Suites (11 suites)
  Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
  Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
  Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
  Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
  Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
  Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
  Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
  Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
  Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
  Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
  Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)

of which, apache selects the first (0x0004)

The list for firefox (in this case 3.x) looks like this:
Cipher Suites (28 suites)
  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
  Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
  Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
  Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
  Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
  Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
  Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
  Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
  Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
  Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
  Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
  Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
  Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
  Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
  Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
  Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
  Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
  Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
  Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
  Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
  Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
  Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
  Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
  Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
  Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

from this list, apache selects the third (I am assuming the first two
aren't supported by apache) - 0x0039

so my guess is - at least in this instance, the server starts at the top
of the list presented by the client, and takes the first one that it
encounters that is on its supported list. In this case, that is a
non-DHE suite for IE, but a DHE one for firefox - hence the difference
in captures.

for the FF, there is a third handshake packet and then the channel goes
to garbage (at least in terms of the software used to decode it) - for
ie, the next packet is the http get request, which is decodable.

I will try this with a few other servers later.