Custom Query (196 matches)
Results (169 - 171 of 196)
Ticket | Resolution | Summary | Owner | Reporter |
---|---|---|---|---|
#349 | invalid | TLS SNI alerts on LDAP vhosts | presbrey | |
Description |
void is a scripts-vhost: presbrey@dr-wily:~$ host void.mit.edu void.mit.edu is an alias for SCRIPTS-VHOSTS.mit.edu. SCRIPTS-VHOSTS.mit.edu has address 18.181.0.46 that fails to handshake: presbrey@dr-wily:~$ curl -k https://void.mit.edu/ curl: (35) error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) even though scripts-vhosts itself works: presbrey@dr-wily:~$ curl -kv https://scripts-vhosts.mit.edu/ * About to connect() to scripts-vhosts.mit.edu port 443 (#0) * Trying 18.181.0.46... connected * Connected to scripts-vhosts.mit.edu (18.181.0.46) port 443 (#0) * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Server key exchange (12): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using DHE-RSA-AES256-SHA * Server certificate: * subject: serialNumber=sKLt5io360jM-oAd2EGLNK0EraXwXE46; C=US; ST=Massachusetts; L=Cambridge; O=Massachusetts Institute of Technology; OU=scripts.mit.edu web hosting service; CN=scripts.mit.edu * start date: 2011-05-24 11:40:52 GMT * expire date: 2016-06-24 16:28:06 GMT * subjectAltName does not match scripts-vhosts.mit.edu > GET / HTTP/1.1 > User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6 > Host: scripts-vhosts.mit.edu > Accept: */* > < HTTP/1.1 200 OK < Date: Thu, 28 Feb 2013 02:21:46 GMT The problem has to do with TLS SNI extensions. TLS Alert 1112 is Level 1 (Warning) and Code 112 (Unrecognized name). This error is intended to notify the client that the server may not do what the client is expecting when the server does not recognize the SNI hostname passed by the client. The server-side TLS SNI that validates "recognized" hostnames apparently only checks against hardcoded ServerName?(s) and ServerAlias?(s), and fails to locate LDAP vhosts as valid SNI targets. |
|||
#7 | fixed | log -c scripts | andersk | price |
Description |
Let's log class scripts. Anders mailed charon-maintainers today requesting this. |
|||
#10 | wontfix | make it easier to set custom Perl library paths | price | |
Description |
Anders wrote a while ago: I talked with presbrey on Monday about his r403 (make suexec pass through PYTHONPATH and PERL5LIB), which I reverted for security concerns. The goal is to make it easier to use locally installed Python or Perl libraries, without having to mess with sys.path or @INC in every script. We came up with one possible solution, which is to have suexec pass PYTHONPATH and PERL5LIB after sanitizing them to make sure they only point to paths in the user's locker. I came up with an alternative solution for Python that involves significantly less work: I put the line import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.5/site-packages")) in /usr/lib/python2.5/site-packages/00scripts-home.pth. ecprice and I are going to try out this strategy with the HMMT server. I don't know of a similar mechanism for Perl, though. |