I mentioned extensions because I had a few and saw them die. The 40-bit SSL
is the web interface for POWER5 (the so-called ASMI HTTPS interface). These
ports have no access to "outside", on a separate LAN segment. My desktop, not
acting as router, can connect to non-NATted and NATted segments.

Re: use of a stunnel - how does this turn 40-bit HTTPS into >40-bit HTTPS?
Sounds like a man-in-the-middle I do not want to know about (but should learn
about just the same - aka the sand is not so deep I can bury my head
completely :)

On Mar 27, 2015 2:37 PM, "Hubert Kario" <hkario at redhat.com> wrote:
> On Friday 27 March 2015 14:15:47 Gert Doering wrote:
> > Hi,
> >
> > On Fri, Mar 27, 2015 at 12:53:05PM +0100, Hubert Kario wrote:
> > > On Thursday 26 March 2015 11:19:28 Michael Felt wrote:
> > > > Experience: I have some hardware, on an internal network - that only
> > > > supports 40-bit SSL. I am forced to continue to use FF v17 because
> > > > that was the last browser to provide SSL 40-bit support. My security
> > > > is weakened because I cannot update that browser, and I continue to
> > > > lose plugins because they do not support FF17 anymore. All other
> > > > browsers stopped support earlier as well.
> > >
> > > Please put the device behind a stunnel and don't put yourself at risk.
> >
> > I don't think Michael is accessing that device over the Internet - but
> > even *in house* some devices force you to jump through such hoops.
>
> The fact that he mentions usage of extensions, I'm not so sure he uses it
> only for internal out-of-band management sites...
>
> > Like, old HP ILO that you can't get updates for, that insist on using
> > SSL, but then fail to interoperate with recent browsers. So what are you
> > going to do? "Throw away a perfectly working and secure machine, because
> > its out of band interface is crap" or "keep around an old and insecure
> > browser"?
>
> Such interfaces should be on a network of their own, as such you should go
> through a router to be able to connect to them. On the same router you can
> put the stunnel or a redirect to another machine that does the tunneling to
> make sure the insecure connections from the trusted network are not routed
> over the regular network (be it company internal or Internet).
>
> > Same thing with needing sshv1 to access old network gear where even sshv1
> > was an achievement. "Throw away gear that does its job perfectly well,
> > but has no sshv2 for *management*" or "keep around an ssh v1 capable
> > client"?
>
> If you depend on hardware like this, you should have support* for it.
> Exactly because of issues like this.
>
> * - where "support" means that either you have other people responsible
> for fixing it or that you can hire other people to fix it as the need
> arises
> --
> Regards,
> Hubert Kario
On Wednesday 01 April 2015 14:37:59 Michael Felt wrote:
> re: use of a stunnel - how does this turn 40-bit https into >40-bit https.
> Sounds like a man-in-the-middle I do not want to know about (but should
> learn about just the same - aka the sand is not so deep I can bury my head
> completely :)

Yes, it is literally a "man in the middle"; the point is that this man is
*you*, and as such, you can trust him, at least as much as you can trust the
server itself.

It's the same way a reverse proxy turns a local HTTP server running on port
8080 (or any other for that matter) into a proper HTTPS server.

Or in other words, it's to turn something like this:

                                                  | trusted network here
    client          .-,(  ),-.                    |
     __  _       .-(          )-.     router      |        server
    [__]|=| ---->(   internet   )-------> __________ ------> ____  __
    /::/|_| SSLv2 '-(          ).-' SSLv2 [...__...?] SSLv2 |    | |==|
                    '-.( ).-'                               |____| |  |
                                                            /::::/ |__|

into something like this:

                                                  | trusted network here
    client          .-,(  ),-.                    |
     __  _       .-(          )-.     router      |        server
    [__]|=| ---->(   internet   )-------> __________ ------> ____  __
    /::/|_| TLS1.2 '-(         ).-' TLS1.2 [...__...?] SSLv2 |    | |==|
                    '-.( ).-'                 ?             |____| |  |
                                            stunnel         /::::/ |__|

(diagram taken from http://unix.stackexchange.com/a/126638)
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
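An added example, not taken from Hubert's message or from the stunnel project: a stunnel configuration for the router box in the second diagram, chaining a server-mode service (TLS 1.2 toward the browser) with a client-mode service (legacy SSL toward the device). The addresses, ports, file paths, service account and the legacy protocol/cipher values are assumptions; the last two have to match what the device actually speaks and what the local OpenSSL build still supports.

```ini
; stunnel.conf on the router / jump host (added example; every address,
; path, user name and protocol value below is an assumption).
; Two chained services make the browser speak TLS 1.2 to the router while
; only the isolated management segment ever carries the legacy SSL.

; Global section: run unprivileged after binding, log to a file.
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/asmi.pid
output = /var/log/stunnel4/asmi.log
debug = notice

; Leg 1, server mode: the browser connects here with modern TLS.
[asmi-frontend]
client = no
; router address on the trusted LAN (assumed)
accept = 192.0.2.10:8443
; hand off to the legacy leg over loopback only
connect = 127.0.0.1:8444
; certificate + key for this frontend, issued by your own CA (assumed path)
cert = /etc/stunnel/asmi-frontend.pem
; TLSv1.2 selects the TLS 1.2-only method, so nothing older is offered here
sslVersion = TLSv1.2

; Leg 2, client mode: stunnel speaks whatever the old device still accepts.
[asmi-backend]
client = yes
accept = 127.0.0.1:8444
; the POWER5 ASMI interface on the management segment (assumed address)
connect = 10.10.0.5:443
; placeholder: match the device; an SSLv2-only device additionally needs an
; OpenSSL build that still contains SSLv2
sslVersion = SSLv3
; placeholder: OpenSSL cipher-string keyword for the export (40-bit) suites
ciphers = EXP
; pin the device's own (self-signed) certificate so the legacy leg cannot be
; silently redirected: verify level 3 = peer certificate must be in CAfile
verify = 3
CAfile = /etc/stunnel/asmi-device-cert.pem
```

The browser is then pointed at https://192.0.2.10:8443/ and trusts the CA that issued asmi-frontend.pem; the 40-bit connection never leaves the router and the management segment.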
Ok - thanks. stunnel is something 'useful' to study. Hopefully I will not
have to hit my head against the wall too often.

That said - is there (an official) way to disable ssh1 in the server (e.g.,
--without-ssh1 Disable support for SSH protocol 1) but keep support in the
client? That is how I would like to package it as of today. And I expect
(read: hope) that even though support is compiled in, I could still disable
it - by default - in the client via ssh_config.

Michael

p.s. Hubert - my apologies for the double send, forgot reply-to-all.

On Wed, Apr 1, 2015 at 3:05 PM, Hubert Kario <hkario at redhat.com> wrote:
> Yes, it is literally a "man in the middle"; the point is that this man is
> *you*, and as such, you can trust him, at least as much as you can trust
> the server itself.
>
> It's the same way a reverse proxy turns a local HTTP server running on port
> 8080 (or any other for that matter) into a proper HTTPS server.