[tor-bugs] #8443 [Tor]: SSL handshake filtered when MAX_SSL_KEY_LIFETIME_ADVERTISED is 365 days

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Mar 9 22:42:36 UTC 2013


#8443: SSL handshake filtered when MAX_SSL_KEY_LIFETIME_ADVERTISED is 365 days
------------------------+---------------------------------------------------
 Reporter:  arma        |          Owner:                    
     Type:  defect      |         Status:  needs_revision    
 Priority:  normal      |      Milestone:  Tor: 0.2.4.x-final
Component:  Tor         |        Version:                    
 Keywords:  tor-bridge  |         Parent:                    
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------
Changes (by nickm):

  * status:  needs_review => needs_revision


Comment:

 I did a little spot-checking to see whether it was more usual for
 certificates to have notBefore/notAfter times at more or less random
 intervals, or to have notBefore/notAfter times of an exact duration, or to
 have them more or less at random.

 I checked 4 or 5 well-known websites and found that their certificates in
 the wild are all over the map.  More research could be warranted.

 Here's the script I used:
 {{{
 # HOST must be set first, e.g. HOST=www.example.com
 # -servername sends SNI so hosts behind a shared IP return their own cert;
 # 2>/dev/null hides s_client's connection chatter, which goes to stderr.
 echo | openssl s_client -servername "$HOST" -connect "$HOST:443" 2>/dev/null \
   | perl -ne 'if (/^-----BEGIN/) { $p=1 }; print if $p; if (/^-----END/) { $p=0 }' \
   | openssl asn1parse \
   | grep UTCTIME
 }}}
 (First, set HOST to the host you want to connect to.)

 This prints stuff like:
 {{{
   232:d=3  hl=2 l=  13 prim: UTCTIME           :121017000000Z
   247:d=3  hl=2 l=  13 prim: UTCTIME           :131018235959Z
 }}}
 where the notBefore time is 121017000000Z (that is, 2012-10-17 00:00:00
 GMT) and the notAfter time is 131018235959Z (that is, 2013-10-18 23:59:59
 GMT).

 Those are the intervals I got for amazon. I found other stuff too.  We
 could stand to do a little more spot checking before we settle on 'random'
 IMO.  Nearly nobody has a 1-day lifetime AFAICT.


 Is it guaranteed that we'll get a new link certificate at least daily?  If
 not, the "one day" minimum lifetime is too short.

 The patch looks okay otherwise, but it needs a patch to tor.1.txt to
 accompany it.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8443#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
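
As an added example (not code from the ticket, and not part of Tor), here is a small Python script that turns the asn1parse output from the spot-check above into a lifetime in days, so results from many hosts can be compared on the "exact duration or random" question. It assumes that the first two time values in the dumped server certificate are the Validity fields (which they are for an end-entity certificate), decodes UTCTIME with the RFC 5280 two-digit-year pivot and also GENERALIZEDTIME (required for dates from 2050 on), and treats a "N days minus one second" interval, the common 23:59:59 CA convention, as a whole number of days. The optional `fetch_asn1parse` helper is a hypothetical convenience that assumes an `openssl` binary on the PATH; the sample input is the amazon output quoted in the comment.

```python
"""Measure certificate validity intervals from `openssl asn1parse` output.

Added example for the spot-check above; not Tor project code.
"""
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample input: the two UTCTIME lines from the amazon spot-check
# quoted above, exactly as `openssl asn1parse | grep UTCTIME` prints them.
SAMPLE_ASN1PARSE = """\
  232:d=3  hl=2 l=  13 prim: UTCTIME           :121017000000Z
  247:d=3  hl=2 l=  13 prim: UTCTIME           :131018235959Z
"""

# asn1parse prints e.g. "prim: UTCTIME           :121017000000Z"
_TIME_LINE = re.compile(r"prim:\s+(UTCTIME|GENERALIZEDTIME)\s+:(\S+)")

ONE_DAY = 86400


def parse_asn1_time(kind, value):
    """Decode an X.509 time to an aware UTC datetime.

    UTCTIME is YYMMDDhhmmssZ; RFC 5280 says YY >= 50 means 19YY, else 20YY.
    GENERALIZEDTIME is YYYYMMDDhhmmssZ and must be used for 2050 and later.
    Certificates are required to use Zulu time, so anything else is rejected.
    """
    if not value.endswith("Z"):
        raise ValueError("certificate times must be Zulu: %r" % value)
    digits = value[:-1]
    if kind == "UTCTIME":
        if len(digits) != 12 or not digits.isdigit():
            raise ValueError("bad UTCTIME: %r" % value)
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif kind == "GENERALIZEDTIME":
        if len(digits) != 14 or not digits.isdigit():
            raise ValueError("bad GENERALIZEDTIME: %r" % value)
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError("unknown time type: %r" % kind)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def validity_from_asn1parse(text):
    """Return (notBefore, notAfter) from the first two time values in the dump.

    The shell pipeline above only feeds the first PEM block (the server
    certificate) to asn1parse, so the first two times are its Validity fields.
    """
    times = [parse_asn1_time(kind, val) for kind, val in _TIME_LINE.findall(text)]
    if len(times) < 2:
        raise ValueError("expected two time values, found %d" % len(times))
    return times[0], times[1]


def describe_lifetime(not_before, not_after):
    """Classify the validity interval.

    Many CAs issue "one year" as notAfter = notBefore + N days at 23:59:59,
    i.e. one second short of a whole day; a one-second tolerance lets that
    still count as whole_days so irregular ("random") intervals stand out.
    """
    seconds = int((not_after - not_before).total_seconds())
    if seconds <= 0:
        raise ValueError("notAfter is not after notBefore")
    days = round(seconds / ONE_DAY)
    whole_days = abs(seconds - days * ONE_DAY) <= 1
    return {"seconds": seconds, "days": days, "whole_days": whole_days}


def fetch_asn1parse(host):
    """Hypothetical helper: run the page's pipeline for one host (needs network
    and an `openssl` binary); returns the asn1parse text for the server cert."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-servername", host, "-connect", "%s:443" % host],
        input=b"", capture_output=True, check=False).stdout.decode("ascii", "replace")
    match = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                      s_client, re.S)
    if not match:
        raise RuntimeError("no certificate returned by %s" % host)
    return subprocess.run(["openssl", "asn1parse"], input=match.group(0).encode(),
                          capture_output=True, check=True).stdout.decode()


if __name__ == "__main__":
    nb, na = validity_from_asn1parse(SAMPLE_ASN1PARSE)
    print(nb.isoformat(), "->", na.isoformat(), describe_lifetime(nb, na))
```

Run it as-is to see the amazon interval classified (366 days plus 23:59:59, which the one-second tolerance reports as 367 whole days); to survey more hosts, feed `fetch_asn1parse(host)` into `validity_from_asn1parse` and tabulate `days` and `whole_days` per host.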
