[9fans] tls and iphones and ios9 (sigh)

[9fans] tls and iphones and ios9 (sigh)

[Steve Simon]

I upgraded my iphone to ios9 and now cannot access my email on plan9 -
no sniggering at the back.

It seems apple require 1024bit keys for Diffe helman exchanges in TLS,
and DH + RSA is no longer sypported at all.

Primarly this is a warning to 9fans about the perils of ios9
and a vain hope that somone might be looking at modifying libsec.

-Steve

Re: [9fans] tls and iphones and ios9 (sigh)

[Jeff Sickel]

> On Sep 17, 2015, at 9:33 AM, Steve Simon <steve@quintile.net> wrote:
>
> I upgraded my iphone to ios9 and now cannot access my email on plan9 -
> no sniggering at the back.
>
> It seems apple require 1024bit keys for Diffe helman exchanges in TLS,
> and DH + RSA is no longer sypported at all.
>
> Primarly this is a warning to 9fans about the perils of ios9
> and a vain hope that somone might be looking at modifying libsec.
>
> -Steve
>

A good warning as OS X 10.11 will be using the same App Transport Security
as iOS 9, both using TLS 1.2.

Might be time to combover RFC 5246 and reconcile libsec and devtls.

-jas

Re: [9fans] tls and iphones and ios9 (sigh)

[erik quanstrom]

combover.  I see what you did there.

- erik


On Sep 17, 2015 8:42 AM, Jeff Sickel <jas@corpus-callosum.com> wrote:
>
>
> > On Sep 17, 2015, at 9:33 AM, Steve Simon <steve@quintile.net> wrote: 
> > 
> > I upgraded my iphone to ios9 and now cannot access my email on plan9 - 
> > no sniggering at the back. 
> > 
> > It seems apple require 1024bit keys for Diffe helman exchanges in TLS, 
> > and DH + RSA is no longer sypported at all. 
> > 
> > Primarly this is a warning to 9fans about the perils of ios9 
> > and a vain hope that somone might be looking at modifying libsec. 
> > 
> > -Steve 
> > 
>
> A good warning as OS X 10.11 will be using the same App Transport Security 
> as iOS 9, both using TLS 1.2. 
>
> Might be time to combover RFC 5246 and reconcile libsec and devtls. 
>
> -jas 
>
>
>

Re: [9fans] tls and iphones and ios9 (sigh)

[Skip Tavakkolian]

> combover.  I see what you did there.

ha! i can trump that...

Re: [9fans] tls and iphones and ios9 (sigh)

[Jeff Sickel]

> On Sep 17, 2015, at 12:46 PM, Skip Tavakkolian <9nut@9netics.com> wrote:
> 
>> combover.  I see what you did there.
> 
> ha! i can trump that…

There’s a direct correlation to length of hair and billable rate.

Re: [9fans] tls and iphones and ios9 (sigh)

[erik quanstrom]

On Thu Sep 17 12:49:37 PDT 2015, jas@corpus-callosum.com wrote:
> 
> > On Sep 17, 2015, at 12:46 PM, Skip Tavakkolian <9nut@9netics.com> wrote:
> > 
> >> combover.  I see what you did there.
> > 
> > ha! i can trump that…
> 
> There’s a direct correlation to length of hair and billable rate.

lucky me.

- erik

Re: [9fans] tls and iphones and ios9 (sigh)

[Andrew Simmons]

Such are my limitations, I’m not sure what you mean by "cannot access my email on plan9”.

Email works fine for me on my obsolete iPad 4.


> On Sep 18, 2015, at 2:33 am, Steve Simon <steve@quintile.net> wrote:
> 
> I upgraded my iphone to ios9 and now cannot access my email on plan9 -
> no sniggering at the back.
> 
> It seems apple require 1024bit keys for Diffe helman exchanges in TLS,
> and DH + RSA is no longer sypported at all.
> 
> Primarly this is a warning to 9fans about the perils of ios9
> and a vain hope that somone might be looking at modifying libsec.
> 
> -Steve
> 

Re: [9fans] tls and iphones and ios9 (sigh)

[Brantley Coile]

And me, now. Ask jas. 

Sent from my iPad

> On Sep 17, 2015, at 10:27 PM, erik quanstrom <quanstro@quanstro.net> wrote:
> 
>> On Thu Sep 17 12:49:37 PDT 2015, jas@corpus-callosum.com wrote:
>> 
>>>> On Sep 17, 2015, at 12:46 PM, Skip Tavakkolian <9nut@9netics.com> wrote:
>>>> 
>>>> combover.  I see what you did there.
>>> 
>>> ha! i can trump that…
>> 
>> There’s a direct correlation to length of hair and billable rate.
> 
> lucky me.
> 
> - erik
> 

Re: [9fans] tls and iphones and ios9 (sigh)

[hiro]

sigh

Re: [9fans] tls and iphones and ios9 (sigh)

[Steve Simon]

Sorry for not being clear.

The problem is with TLS, and how I noticed is I use imaps (imap4
over a TLS encrypted socket) to access my email which is stored on
plan9.

I can still access my email but only over an cleartext connection,
but this is not wise on the internet these days.

https and pop3s are probably similarly broken.

-Steve

Re: [9fans] tls and iphones and ios9 (sigh)

[cinap_lenrek]

so you need server side support for what cipher suits and protocol
versions exactly?

the work has been done in 9front libsec and devtls to support ecdhe
and dhe and tls 1.2 on the *client* side at least. so you can start
from there. whats missing is the signing and signature verification
of the dh parameters.

--
cinap

Re: [9fans] tls and iphones and ios9 (sigh)

[erik quanstrom]

On Fri Sep 18 06:01:44 PDT 2015, cinap_lenrek@felloff.net wrote:
> so you need server side support for what cipher suits and protocol
> versions exactly?
>
> the work has been done in 9front libsec and devtls to support ecdhe
> and dhe and tls 1.2 on the *client* side at least. so you can start
> from there. whats missing is the signing and signature verification
> of the dh parameters.

quite a bit of work that looks good.  thanks.

here are some current differences i've got.  the - is your version.
* i think aes_xts should take u32ints as this is defined in the standard.
the assumption that ulong is 32 bits is suspect.

* sorry for the ignorance, but why do we need ripemd160?


../../../include/libsec.h:396,403 - /mnt/term/sys/include/libsec.h:407,414
  PEMChain*readcertchain(char *filename);

  /* aes_xts.c */
- int aes_xts_encrypt(ulong tweak[], ulong ecb[],  vlong sectorNumber, uchar *input, uchar *output, ulong len) ;
- int aes_xts_decrypt(ulong tweak[], ulong ecb[], vlong sectorNumber, uchar *input, uchar *output, ulong len);
+ int aes_xts_encrypt(u32int tweak[], u32int ecb[],  vlong sectorNumber, uchar *input, uchar *output, usize len) ;
+ int aes_xts_decrypt(u32int tweak[], u32int ecb[], vlong sectorNumber, uchar *input, uchar *output, usize len);

  typedef struct ECpoint{
  	int inf;
../../../include/libsec.h:432,439 - /mnt/term/sys/include/libsec.h:443,448
  void	base58enc(uchar *, char *, int);
  int	base58dec(char *, uchar *, int);

- DigestState*	ripemd160(uchar *, ulong, uchar *, DigestState *);
-
  /*
   * Diffie-Hellman key exchange
   */


- erik

Re: [9fans] tls and iphones and ios9 (sigh)

[cinap_lenrek]

bitcoin.

--
cinap