X.509 / SSL certificate test cases

Thursday, April 21. 2011, 13:52
HTTPS is likely the most widely used cryptographic protocol. It's based on X.509 certificates. There's a lively debate about how useful this concept is at all, driven mainly by the interesting findings of the EFF SSL Observatory. But that won't be my point today.

Pretty much all webpage certificates use RSA and, sadly, the vast majority still use insecure hash algorithms. But it is little known that the X.509 standards support a whole bunch of other public key algorithms.

I've set up a page with a couple of test cases for less commonly used algorithm combinations. At the moment, it's mainly focused on RSASSA-PSS, but I plan to add elliptic curve algorithms soon. As I won't get any certificate authority to sign certificates for me with anything other than classic RSA, I created my own testing root CA.

I'd be very interested to get some feedback. If you happen to have an interesting OS/browser combination, please import the root certificate and send me a screenshot where I can see how many green ticks there are (post a link to the screenshot in the comments or send it via email).

At the moment, I'm especially looking for people to test:
  • Internet Explorer 9 on Windows 7
  • Safari on the latest Mac OS X
  • The built-in browser on the iPhone (I don't know if it's possible to install a new certificate authority there)

Comments

Safari on Mac OS X 10.6.7
http://dev.gentoo.org/~fuzzyray/ssl.hboeck.png
#1 Paul Varner on 2011-04-21 18:31
RSA with SHA224 signature
RSASSA-PSS with differing hashes (SHA256, MGF1+SHA512, 32 bit salt)
RSASSA-PSS with differing hashes (SHA384, MGF1+SHA1, salt 32 bit)
RSASSA-PSS with SHA-224

give no green tick.
Also, in the pic, row 1, columns 2+4 and row 2, column 1 are not shown.

W7-64bit / IE9-32bit
#2 Thomas (Link) on 2011-04-21 19:58
Added certs using IE9 certificate import wizard defaults.
Trying to access the page yields:
http://ompldr.org/vOGVxZg

Confirming the same thing after restarting, also showing cert status:
http://ompldr.org/vOGVxZw

After clicking the IE "Show content" button:
http://ompldr.org/vOGVxaA

W7-32bit IE9-32bit

Didn't mess with importing them as trusted root certs.
#3 xivi on 2011-04-25 05:36
