[lug] Colorado Bureau of Investigation

Robert Racansky robert.racansky at gmail.com
Fri Jan 23 11:13:20 MST 2015


On Fri, Jan 23, 2015 at 8:54 AM, George Sexton <georges at mhsoftware.com> wrote:
>
> On 1/23/2015 8:48 AM, Robert Racansky wrote:
>
> Researching this, I found out that "Chrome 40 is removing SSLv3
> support since it's been shown to be broken.  Please contact the site's
> administrators and ask them to update their SSL stack."
>
>
> One of our customers is the South Carolina Department of Natural Resources
> and they're hitting the same issue.
>


Here's a one-stop source for information about the issue --
https://disablessl3.com/   "This web page aims to become a one-stop
resource on how to effectively disable SSLv3 in major web browsers as
well as in web, mail and other servers that may still be using it."




Testing this with Windows 10 Technical Preview edition using Internet
Explorer v11.0.9879.0, the CBI Insta Check web page works.

If Microsoft has not disabled SSLv3 in Internet Explorer, that would
explain why the CBI hasn't gotten widespread calls about this
(assuming most shops are using Internet Explorer).  Those dealers that
do call are told it's a client side and not a server side problem.
It's also working in Safari, but not Google Chrome 40 or Firefox 34
(both of which have disabled SSLv3).


Also, it turns out that you have to type in the https:// part of the
URL into the web browser:

ccic.state.co.us/InstaCheck
and
http://ccic.state.co.us/InstaCheck/   (without the "s")

do not automatically re-direct the user to

https://ccic.state.co.us/InstaCheck/




FYI:  Here's the site's connection information.  Toward the end it
says "SSL-Session:  Protocol  : SSLv3"

 ~ $ openssl

OpenSSL> s_client -connect ccic.state.co.us:443

CONNECTED(00000003)
depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref.
(limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net
Certification Authority (2048)
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Colorado/L=Denver/O=Governor's Office of Information
Technology/CN=ccic.state.co.us
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by
reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority
- L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by
reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority
- L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref.
(limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net
Certification Authority (2048)
 2 s:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref.
(limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net
Certification Authority (2048)
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref.
(limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net
Certification Authority (2048)
---
Server certificate
subject=/C=US/ST=Colorado/L=Denver/O=Governor's Office of Information
Technology/CN=ccic.state.co.us
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by
reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority
- L1C
---
No client certificate CA names sent
---
SSL handshake has read 4387 bytes and written 519 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 54C2769268CDCD62C62F8921288F06B4AB4FE0DBCAA6F8F01EB474F5BCBA7121
    Session-ID-ctx:
    Master-Key:
BE79F52C624FD1EACC9D1DDEF9ACF2058F1A535DF2BE3E3980FB89EB92DD446E4BB0C583435AE3850371EDDDF1CBAB2C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1422030482
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
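As an added example, not part of the original post: a small Python checker that parses the `openssl s_client` transcript quoted above (an abridged copy is embedded as constructed sample input) and turns the "Protocol : SSLv3", "Secure Renegotiation" and "Verify return code" lines into findings a site administrator can act on.

```python
import re

# Constructed sample: an abridged copy of the s_client transcript quoted in the post.
SAMPLE_OUTPUT = """\
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}

def parse_s_client(output: str) -> dict:
    """Extract the negotiated-session facts from `openssl s_client` output.

    The 'SSL-Session:' block is authoritative for the version; the earlier
    'New, TLSv1/SSLv3' line only names the protocol family, which is why the
    post points at the 'Protocol  : SSLv3' line near the end.
    """
    def field(name):
        m = re.search(rf"^\s*{name}\s*:\s*(.+?)\s*$", output, re.MULTILINE)
        return m.group(1) if m else None

    verify = field("Verify return code")
    return {
        "protocol": field("Protocol"),
        "cipher": field("Cipher"),
        # "IS NOT supported" does not contain this substring, so the test is exact.
        "secure_renegotiation": "Secure Renegotiation IS supported" in output,
        "verify_code": int(verify.split()[0]) if verify else None,
    }

def assess(session: dict) -> list:
    """Turn a parsed session into findings the server's administrators can act on."""
    findings = []
    if session["protocol"] in WEAK_PROTOCOLS:
        findings.append(f"{session['protocol']} negotiated: clients that have dropped "
                        "SSLv3 (Chrome 40, Firefox 34) will refuse to connect")
    if not session["secure_renegotiation"]:
        findings.append("RFC 5746 secure renegotiation is not supported")
    if session["verify_code"] == 19:
        findings.append("verify code 19: the root was not found in the client's trust "
                        "store; rerun s_client with -CAfile/-CApath before blaming the server")
    return findings
```

Once the administrators have disabled SSLv3, re-running `openssl s_client -connect host:443 -ssl3` should fail while `-tls1` succeeds, and feeding the new transcript to `assess(parse_s_client(...))` should return no protocol finding.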

