RE: MS crypto API based ssl proxy??

From: Gaziel, Avishay (avishaygaziel_at_kpmg.com)
Date: 01/07/04

  • Next message: Brewis, Mark: "RE: MS crypto API based ssl proxy??" 
    To: "'shashrai@emirates.net.ae'" <shashrai@emirates.net.ae>, Volker Tanger <volker.tanger@discon.de>
Date: Wed, 7 Jan 2004 18:12:46 +0100

    I would try getting (or generating using openSSL) a set of client
    certificates with popular user/password combinations, or, if you have a list
    of users (a corporate phone list would do)I would create a few certificates
    for these users as well. openssl/stunnel/sslproxy have all been used for
    that.
    It's not much but might work.....
    A.

    -----Original Message-----
    From: Shashank Rai [mailto:shashrai@emirates.net.ae]
    Sent: 07 January 2004 04:37
    To: Volker Tanger
    Cc: pen-test@securityfocus.com
    Subject: Re: MS crypto API based ssl proxy??

    > It maybe uses the Micro$oft NTLM authentication scheme - or similar.
    > What does a packet sniffer tell you, what happens?
    >
    > Bye
    >
    > Volker Tanger
    > ITK-Security

    It is nothing to do with NTLM auth (or for that matter basic auth). When
    i browse the site using IE, i am prompted to provide the user
    certificate. Running stunnel/sslproxy in debug mode clearly show the
    server requesting the client certificate.
    Packet sniffer is good only to the extent of showing me TLS v1 hand
    shake (and ofcourse the remaining conversation is encrypted).
    I belive the site is M$ specific, 'coz, sslproxy/stunnel manage to
    complete the SSL handshake, and open a connection to the server. But the
    moment i send a "GET / HTTP/1.0" request, the connection is closed from
    the server end, stating that the client certificate i provided is not
    valid (the certificate had been exported from IE, along with the private
    key). Hence the conclusion that the calls made to check the validity of
    the certificate are someway M$ specific!!! (as stated in my original
    post)

    Thanks anyway :)

    cheers, 

    -- 
shashank
<--
Here is the Packet that was fragmented and has been assembled again.
                                       (with apologies to JRR Tolkien :)
-->
---------------------------------------------------------------------------
----------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------
De informatie verzonden met dit e-mailbericht (en bijlagen) is uitsluitend bestemd voor de geadresseerde(n) en zij die van de geadresseerde(n) toestemming hebben dit bericht te lezen. Gebruik door anderen dan geadresseerde(n) is verboden. De informatie in dit e-mailbericht (en de bijlagen) kan vertrouwelijk van aard zijn en kan binnen het bereik vallen van een geheimhoudingsplicht.
KPMG is niet aansprakelijk voor schade ten gevolge van het gebruik van elektronische middelen van communicatie, daaronder begrepen -maar niet beperkt tot- schade ten gevolge van niet aflevering of vertraging bij de aflevering van elektronische berichten, onderschepping of manipulatie van elektronische berichten door derden of door programmatuur/apparatuur gebruikt voor elektronische communicatie en overbrenging van virussen en andere kwaadaardige programmatuur.
Any information transmitted by means of this e-mail (and any of its attachments) is intended exclusively for the addressee or addressees and for those authorized by the addressee or addressees to read this message. Any use by a party other than the addressee or addressees is prohibited. The information contained in this e-mail (or any of its attachments) may be confidential in nature and fall under a duty of non-disclosure.
KPMG shall not be liable for damages resulting from the use of electronic means of communication, including -but not limited to- damages resulting from failure or delay in delivery of electronic communications, interception or manipulation of electronic communications by third parties or by computer programs used for electronic communications and transmission of viruses and other malicious code.
--------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------
----------------------------------------------------------------------------
  • Next message: Brewis, Mark: "RE: MS crypto API based ssl proxy??"

    Relevant Pages

    • Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
      ... SSL only validates you are talking to a SSL certified server; ... They can simply edit the URL the client program ... can be done by using a X.509 certificate on both ends, ...
      (microsoft.public.dotnet.framework.aspnet.security)
    • Re: LDP client authentication fails
      ... I got the LDP working with LDAP server under server client authentication ... I did not installed the certificate in pfx format .. ... Client cert auth won't work without that. ...
      (microsoft.public.windows.server.active_directory)
    • Re: SSL & Man In the Middle Attack
      ... >> it possible for the middle man to intercept all messages from server to me ... > server sends client a signed message along with a digital certificate. ... > client generates a random secret key, ...
      (comp.security.misc)
    • Re: activesync issue
      ... On the SBS 2003 Server open the Server Management console. ... On the "Web Server Certificate" page, choose to create a new Web server ... Install the new certificate which created in above step on mobile device: ... Access to browse the Exchange Server 2003 client after you install ...
      (microsoft.public.windows.server.sbs)
    • [Full-disclosure] VMSA-2006-0010 - SSL sessions not authenticated by VC Clients
      ... X.509 certificate when creating an SSL session, ... Both the client and server need certificates from a mutually-trusted ... VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch ...
      (Full-Disclosure)
    • Quantcast