August 2016

TLS Extended Master Secret, Breaking SSL Proxies

SSL Proxy Failing To Decrypt The Handshake, Fixing Connection Reset Issue in New Browsers

A couple of months ago, an update affecting web servers and web browsers introduced a new TLS extension (Extended Master Secret) that changes the way master_secret is generated. This update broke devices doing SSL inspection or proxying, because they could no longer decrypt the handshake and would ultimately reset the connection. In this post we’re going to discuss the issue and look for workarounds and fixes. These fixes would be either an update in the device which is decrypting the SSL...


Client Certificate Authentication in SSL/TLS and its interaction with Web Application Firewalls


In a previous blog post I discussed Client Certificate Authentication and possible implementation methods. In this post I’m going to delve deep into the TLS protocol implementation, specifically the Client Certificate part. During the setup of Client Certificate Authentication on a web application I faced various issues, and when a piece of technology is just a black box in your view, there’s not much tuning or debugging that can take place when things stop working. So I spent some time studying the underlying technology and I’m sharing the gist of it here. I’m also going to briefly go...
