Home / user-37234

Leo's questions

Martin Hope
Leo
Asked: 2019-02-03 21:24:16 +0800 CST
  • 3

Does the Server Hello break the RFC? There seems to be contradiction in RFC.

A customer claims our device (Citrix Netscaler) returns Extension (ec_point_formats: EC point format: uncompressed) when they do not request it. Because of this they claim our device does not follow the RFCs.

From the RFCs I find these two relevant sections: extensions:

see rfc3546 sec 2.3. Hello Extensions

   Note that for all extension types (including those defined in
   future), the extension type MUST NOT appear in the extended server
   hello unless the same extension type appeared in the corresponding
   client hello.  Thus clients MUST abort the handshake if they receive
   an extension type in the extended server hello that they did not
   request in the associated (extended) client hello.

rfc 4492 and 8422 sec 4 paragraph 3:

   The client MUST NOT include these extensions in the ClientHello
   message if it does not propose any ECC cipher suites.  A client that
   proposes ECC cipher suites may choose not to include these
   extensions.  In this case, the server is free to choose any one of
   the elliptic curves or point formats listed in Section 5.  That
   section also describes the structure and processing of these
   extensions in greater detail.

Packet traces:

Client Hello:

TLSv1.2 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 63
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 59
        Version: TLS 1.2 (0x0303)
        Random
        Session ID Length: 0
        Cipher Suites Length: 20
        Cipher Suites (10 suites)
        Compression Methods Length: 1
        Compression Methods (1 method)

Server Hello:

TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 82
    Handshake Protocol: Server Hello
        Handshake Type: Server Hello (2)
        Length: 78
        Version: TLS 1.2 (0x0303)
        Random
        Session ID Length: 32
        Session ID: bfe64de5d94a7c4c12bdb419b6938efcbb70429cd216fa1c...
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
        Compression Method: null (0)
        Extensions Length: 6
        Extension: ec_point_formats
            Type: ec_point_formats (0x000b)
            Length: 2
            EC point formats Length: 1
            Elliptic curves point formats (1)
                EC point format: uncompressed (0)
networking
Martin Hope
Leo
Asked: 2010-11-13 08:20:55 +0800 CST
  • 13

I want every single command typed to go to a logserver. Already configured is the syslog-ng to send all logs to the logserver.

I'm interested in any and all methods to do this. I would expect some discussion of rogue users and security but the first primary objective is to simply get the sessions to log. All sessions are over ssh but console connection commands should be logged as well. I would like this to happen for any shell but the primary one is bash. (Again, I know a rogue user could create their own shell... )

logging security shell
Martin Hope
Leo
Asked: 2010-09-11 06:48:32 +0800 CST
  • 1

An auditor recommends: We recommend that PGP environment be re-keyed using the industry required (ISO x9.8 and x9.24) standards of “split-knowledge and dual control”

Is there something that we're missing?: this would require encrypted files to be decrypted with two people each time the key is accessed/loaded.

Are there use cases with PGP keys that this makes sense?

security pgp