[nSLUG] Wikipedia changes/limits protocols?

Johann Tienhaara jtienhaara at yahoo.com
Mon Jul 13 17:03:49 ADT 2015


> > I'd still like to know if Wikipedia is/has been/will be rejecting
> > SSLv2 requests -- if that's what's actually happening.
>
> They do not allow SSLv2 (or 3), see here, under Configuration:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=en.wikipedia.org
>
> No one should be using SSLv2 or 3, and ideally nothing TLS <1.2. If
> you have things that only support SSLv2/3 I'd really recommend
> upgrading them.

Are we sure Firefox is actually making an SSLv2 request?  That would be
very odd indeed, since FF was not even born until long after TLS had
been invented.  I wonder if maybe wireshark is lying and it actually
means TLS1.2, or something like that.  What happens when you wireshark
a *successful* connection?

> Huh. Okay. lessee... So does the 'S' in "PKCS" mean "Syntax" or
> "Standards"? AFAICT, the TCP negotiation never gets past the line
> where my host attempts to initiate SSLv2. But, also AFAICT, PKCS #12
> is a spec for a *file format* for storing crypto certs. It's unclear
> how FF could get as far as that when it gets a RST right after the
> "client hello".

According to your wireshark output, unless I'm mis-reading it, the
server responded after your Client Hello:

> TCP 32998 > https [SYN]
> TCP https > 32998 [SYN, ACK]
> TCP 32998 > https [ACK]
> SSLv2 Client Hello
> TCP https > 32998 [ACK]
> TCP https > 32998 [RST, ACK]

Or am I mis-reading the above?

I would expect a Server Hello next, so if Firefox is sometimes
working then maybe some of the Wikipedia servers are misconfigured,
or something like that.

PKCS stands for Public Key Cryptography Standards.  It has nothing
directly to do with the SSL/TLS handshaking protocol or "syntax", but
since all the world's server certificates are some flavour or another
of PKCS, differences in the standards # could conceivably cause
"connection reset" issues.  It's even possible that the key size or
encryption cipher could cause these issues.

I looked back through my debugging notes, and sure enough, the only
time I've personally run into "connection reset" was when my HTTPS
server had a borken server certificate.  Java has some pretty useful
logging of HTTPS connections.

I'm sure there are other ways to achieve "connection reset", but...
Who knows, maybe Wikipedia has some servers with busted certs.

I'd be curious to see if anyone running a super-whipper-snapper
up-to-date browser ever runs into the same problems, or if they
really are tied to old browsers.

Cheers,

Johann
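A small parser, added here as an illustration and not part of the original post or thread, that shows why a capture can say "SSLv2 Client Hello" for a modern browser. Older clients sent their ClientHello in the SSLv2-compatible framing described in RFC 5246 Appendix E.2 (a 2-byte length with the high bit set, then message type, version and cipher specs), while the version field inside it advertises TLS; dissectors label that framing as SSLv2 regardless of the version carried. The code distinguishes the two framings and reports the version the client actually offers, so a defender reading a capture can check what was offered before concluding that a server is rejecting SSLv2. The sample hellos are constructed in the block itself; nothing here is taken from Wikipedia's servers or from the original capture.

```python
import struct

# Version names as encoded in the (major, minor) version fields of SSL/TLS.
VERSION_NAMES = {
    (2, 0): "SSLv2",
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}


def version_name(major: int, minor: int) -> str:
    return VERSION_NAMES.get((major, minor), f"unknown ({major}.{minor})")


def parse_client_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends and report the version it advertises.

    Returns a dict with the framing ("TLS record" or "SSLv2-compatible") and the
    client_version found inside the hello; raises ValueError on anything else.
    """
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")

    if data[0] == 0x16:
        # TLS record layer: type(1) version(2) length(2), then a handshake header
        # type(1) length(3) followed by client_version(2) and the rest of the hello.
        rec_major, rec_minor, rec_len = struct.unpack("!BBH", data[1:5])
        body = data[5:5 + rec_len]
        if len(body) < 6 or body[0] != 0x01:
            raise ValueError("TLS record does not carry a ClientHello")
        return {
            "format": "TLS record",
            "record_version": version_name(rec_major, rec_minor),
            "client_version": version_name(body[4], body[5]),
        }

    if data[0] & 0x80:
        # SSLv2-compatible framing: 2-byte length with the high bit set, then
        # msg_type(1) version(2) cipher_spec_len(2) session_id_len(2) challenge_len(2).
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) < 9 or body[0] != 0x01:
            raise ValueError("SSLv2-style record is not a ClientHello")
        v_major, v_minor, cs_len, sid_len, ch_len = struct.unpack("!BBHHH", body[1:9])
        specs = body[9:9 + cs_len]
        # Cipher specs are 3 bytes each; TLS suites are 0x00 followed by the 2-byte
        # suite id, while genuine SSLv2 ciphers have a non-zero first byte.
        cipher_specs = [specs[i:i + 3] for i in range(0, cs_len, 3)]
        return {
            "format": "SSLv2-compatible",
            "client_version": version_name(v_major, v_minor),
            "cipher_specs": len(cipher_specs),
            "offers_v2_ciphers": any(c[0] != 0x00 for c in cipher_specs),
        }

    raise ValueError("not a recognised SSL/TLS ClientHello framing")


# --- constructed sample hellos (not real captures) ---------------------------

def build_tls_record_hello(client_version=(3, 3)) -> bytes:
    """Minimal TLS-record-framed ClientHello advertising client_version."""
    body = (bytes(client_version) + b"\x00" * 32   # version + fixed random
            + b"\x00"                               # empty session id
            + b"\x00\x02" + b"\xc0\x2f"             # one cipher suite
            + b"\x01\x00")                          # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def build_v2_compat_hello(client_version=(3, 1),
                          specs=(b"\x00\x00\x2f", b"\x01\x00\x80")) -> bytes:
    """SSLv2-compatible ClientHello that may still advertise a TLS version."""
    spec_bytes = b"".join(specs)
    challenge = b"\x00" * 16
    body = (b"\x01" + bytes(client_version)
            + struct.pack("!HHH", len(spec_bytes), 0, len(challenge))
            + spec_bytes + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


if __name__ == "__main__":
    for sample in (build_tls_record_hello(), build_v2_compat_hello(),
                   build_v2_compat_hello(client_version=(2, 0), specs=(b"\x01\x00\x80",))):
        print(parse_client_hello(sample))
```

Run against the bytes of the first client packet from a capture, the `client_version` field is the thing to compare with the server's configuration: a hello in SSLv2-compatible framing whose client_version is TLS 1.0 or higher is not an SSLv2 request, and a server that drops it is rejecting the framing rather than the protocol version.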
