[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: MSIE cryptography
Eric Murray writes:
>Peter Trei writes:
>>
>> John Hemming - CEO MarketNet" <[email protected]> writes:
>
>> > Just downloaded the most recent English Version 2.1 for Windows 3.1.
>> > This does appear to do the same in terms of no encryption at all after
>> > the server hello.
>> Please ensure that the server you are connecting to is not configured for
>> authenticate-only. It would be a pity to raise a big ruckus over what may be
>> just a mis-configured server.
>In addition, encryption isn't performed until after the ClientFinished
>and ServerFinished messages, no matter which CipherSuites are negotiated.
Actually the server verify message should be encrypted (to verify the
key negotiation). Also the server and client finished should be encrypted.
I don't actually get the client finished record or client master key record.
However, I don't get those all I get is the cleartext data in packets of
SSL record format. I have done a little more experimentation and it does
appear quite clear that this happens with a non standard (ie not
Verisign and a few others) X509 Certificate.
In the trace that I have posted it is clear that cypher 02 00 80 has
in theory been negotiated.