[TLS] Updated test server
Michael D'Errico <mike-list@pobox.com> Fri, 20 November 2009 16:39 UTC
Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4C2893A6A1F for <tls@core3.amsl.com>; Fri, 20 Nov 2009 08:39:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.472
X-Spam-Level:
X-Spam-Status: No, score=-2.472 tagged_above=-999 required=5 tests=[AWL=0.127, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N4jjGrbku4oG for <tls@core3.amsl.com>; Fri, 20 Nov 2009 08:39:53 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-quonix.pobox.com [208.72.237.25]) by core3.amsl.com (Postfix) with ESMTP id 514D53A6A48 for <tls@ietf.org>; Fri, 20 Nov 2009 08:39:53 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 4C48181DF1 for <tls@ietf.org>; Fri, 20 Nov 2009 11:39:50 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:content-type :content-transfer-encoding; s=sasl; bh=ASU10eObDSMah5pxiZurBB1fl DE=; b=qNmgq0Uq5fCS1o59NUl/AkpwSIj6OtPRaUyAUjPWgF0lxyP2AV0fUBrto PJoJTQ7E8tBldvlvEsdaVdp/U6uZfYkPeqfSeEoDiivtL5lyIi5i8gqBqtsfihmm oQRhYy3q5vHI1OXltGrAKdbnmKU4fPDb4qbieKWQMry1KeBLSk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:content-type :content-transfer-encoding; q=dns; s=sasl; b=v8OpX7DSTYhqx143oBS YZohrHeSSiZUERVuQz9XGlJ9E5F3j7d+yy+qfXA1INKf1gehfCnn+Wj+Cn4k0jNf 7DmYi1dQNlRUz/czHAl8pl8WCs2GwmH4O5TOcwEm39IhTWwRSXO2vACGo1UXYr1q EK5fLMTZf6XfWqNuUpGmbG+8=
Received: from a-pb-sasl-quonix. (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 0606D81DF0 for <tls@ietf.org>; Fri, 20 Nov 2009 11:39:50 -0500 (EST)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTPSA id 5811B81DEE for <tls@ietf.org>; Fri, 20 Nov 2009 11:39:49 -0500 (EST)
Message-ID: <4B06C6A9.3080508@pobox.com>
Date: Fri, 20 Nov 2009 08:41:13 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: tls@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: 5229D410-D5F3-11DE-931A-9F3FEE7EF46B-38729857!a-pb-sasl-quonix.pobox.com
Subject: [TLS] Updated test server
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2009 16:39:54 -0000
I have updated my server at https://www.mikestoolbox.net to support the upcoming draft from Martin Rex. Here are the particulars: - client adds a "magic" cipher suite to its list of cipher suites in the ClientHello message as a signal to the server that it supports secure renegotiation. the code point for testing is 0xBFFF. the client MAY put the magic cipher suite anywhere in the list though it is RECOMMENDED that it be first to aid in the quick detection of patched clients by monitoring devices. - server looks for "magic" cipher suite in client's cipher suite list. it may be anywhere in the list and the server MUST check the entire list - server proceeds as normal except that when composing the ServerHello message, the high bit of the server version is set to one. this is only a signal to the client; the version is not changed. notably the record layer version MUST NOT have the high bit set. - the server then adds the previous verify_data from the prior handshake (if any) to the running hash of the handshake messages. this data MUST follow the ServerHello message. the client verify_data is added first, followed by the server verify_data. if this is an initial handshake, the data is empty, but if it is a renegotiation the data will be 72 bytes for SSLv3 or 24 bytes for all versions of TLS (unless TLS 1.2 is used with a cipher suite that changes the default length of the verify_data). - the client checks for the top bit of the ServerHello version being set to 1 and if it is adds the verify_data from the previous handshake to the running handshake messages hash immediately after ServerHello. the client verify_data is added first followed by the server's verify_data. the high bit of the version is reset to zero when used for the record layer version Mike
- [TLS] Updated test server Michael D'Errico
- Re: [TLS] Updated test server Michael D'Errico