Following the modssl mailing list, many workarounds have been proposed
related to the problem with IE5.x and Apache/1.3.12 mod_ssl/2.6.4 and
OpenSSL/0.9.5a.
Some of them work for some constellations (but not for all, so that these
are only hints and not a practical solution) or they impose other
severe issues (security and performance problems and so forth).

I figured out a different approach:

If you remove all MD5 MACs and force the server and the client to build
a SHA-1 hash sum it works. We tried this with many systems and browsers
and the problem didn't show up any more (by the way I certainly don't say
that it will work under all circumstances and I would be glad if anybody
would tell me if I'm wrong - hopefully not ;-) )

There is still a little flaw in this approach:

Looking at the TLS protocol, it takes the 64 bytes from the PRF
(pseudo-random function) and splits it into halves. Data is generated
with P_MD5 from one half and with P_SHA-1 from the other half. The
idea behind it is that a flaw in one algorithm doesn't break the
overall protocol. A good idea I guess but... As far as I'm concerned the
SHA-1 hash algorithm is better anyway, so my proposal doesn't inherit a
real disadvantage unless someone compromises SHA-1.

One thing I still don't understand is the following:

If someone downgrades to Apache/1.3.9 (Unix) mod_ssl/2.4.9 OpenSSL/0.9.4
it works fine with no workarounds required at all. One idea might be
that the MD5 implementation in IE5 is faulty or they (server and client)
simply negotiate the wrong MAC but how can a downgrade help under these
circumstances? Openssl-MD5 certainly can't have the bug in it, because
0.9.5a and 0.9.4 both generate the same digest. Maybe somebody has an
idea!


Kind regards,

Patrick Surke

+--------------------------+------------------------------+
| Patrick Surke            |    MCS-Cityline              |
| SSL-Administration       |    Essener Strasse 99        |
| [EMAIL PROTECTED] |    D-22149 Hamburg           |
+--------------------------+    fon +49 (40) 5 37 73-0    |
                           |    fax +49 (40) 5 37 73-200  |
                           +------------------------------+




______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
