3 Replies Latest reply on Mar 27, 2017 1:08 PM by johnaldridge

    BadSSL.com Query -  wrong.host?


      Hello all. I happened to come across this tweet: https://twitter.com/konklone/status/842377019971244033?s=03 and so I hopped on over to badssl.com/dashboard and saw the following. I was wondering if anyone might know what would trigger the wrong.host issue (maybe even the dh1024 one too). I think it's because 1. wrong.host.badssl.com will connect when the hostname on the certificate doesn't match the hostname URL being requested, and 2. dh1024 does DHE using 1024 bits as opposed to 2048 bits. Is there even any way to force DH2048? I actually hadn't seen any DH settings in the SSL Scanner.



        • 1. Re: BadSSL.com Query -  wrong.host?

          I was using an SSL Scanner ruleset that I had imported from my earlier version of MWG. A slight change was made to the newer version's SSL Scanner (Verify Safe Signature Algorithms rule made into a ruleset of its own and placed above Verify Common Name (Proxy Setup) ruleset). After importing the new version, MWG had no problems realizing a CN Mismatch error.



          Still, BadSSL.com is a great resource.

          • 2. Re: BadSSL.com Query -  wrong.host?



            Did you ever figure out about the dh1024 setting? I'm having a similar issue with our internal compliance folks complaining about the fact that my policy trips on the same thing on badssl.com. Haven't figured out if we need to disable it and if so how you would do that. I'm assuming it's a change to the server side cipher list in the certificate verification settings but not 100% sure.

            • 3. Re: BadSSL.com Query -  wrong.host?

              I recently did a workup of a cipher-suite spec. for our configuration. This is based on the cipher-suite listing provided at: Qualys SSL Labs - Projects / User Agent Capabilities: Firefox 49 / Win 7


              After tinkering with openssl cipher command, this is what I came up with:




              I believe this excludes all CBC (Cipher block chaining) suites, but it also seems to exclude all plain vanilla DH suites.


              Note that there were a couple of cipher suites available in the latest Firefox and Chrome versions that are not available in Web Gateway. I don't remember what they were, but it's easy enough to figure it out if anyone's interested.
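The filtering the last reply describes, as an added example that is not part of the original thread or of Web Gateway: it parses the text format of `openssl ciphers -v`, flags the CBC suites, and shows that the same pass also flags the plain DH (Kx=DH) suites, the ones whose parameter size the server chooses and which trip dh1024. The sample lines are constructed, and the script assumes nothing about Web Gateway's own cipher list.

```python
"""Classify `openssl ciphers -v` lines: flag CBC suites and finite-field DHE
(Kx=DH) suites. Usage: `openssl ciphers -v 'ALL' | python3 audit.py -`;
with no `-` argument the constructed sample below is used instead."""
import re
import sys

# Constructed sample of `openssl ciphers -v` output (not captured from any gateway).
SAMPLE_OPENSSL_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""

# One `-v` line: NAME PROTOCOL Kx=... Au=... Enc=... Mac=...
LINE_RE = re.compile(r"^(\S+)\s+\S+\s+Kx=(\S+)\s+Au=\S+\s+Enc=(\S+)\s+Mac=(\S+)")
# Block ciphers that openssl lists without a mode suffix run in CBC mode.
CBC_BLOCK_CIPHERS = {"AES", "CAMELLIA", "3DES", "DES", "SEED", "IDEA", "RC2"}

def classify(line):
    """Return (name, reasons) for one -v line, or None if it is not a suite line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    name, kx, enc, mac = m.groups()
    reasons = []
    # GCM/CCM/ChaCha suites are marked Mac=AEAD; a block cipher without it is CBC.
    if mac != "AEAD" and enc.split("(")[0] in CBC_BLOCK_CIPHERS:
        reasons.append("CBC")
    # Kx=DH is finite-field DHE. The server picks the group size (1024 vs 2048),
    # so a client-side policy can only avoid dh1024 by not offering these suites.
    if kx == "DH":
        reasons.append("plain DH")
    return name, reasons

def audit(text):
    """Split -v output into kept suite names and {name: reasons} for excluded ones."""
    kept, excluded = [], {}
    for line in text.splitlines():
        result = classify(line)
        if result is None:
            continue
        name, reasons = result
        if reasons:
            excluded[name] = reasons
        else:
            kept.append(name)
    return kept, excluded

if __name__ == "__main__":
    text = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_OPENSSL_CIPHERS_V
    kept, excluded = audit(text)
    print("kept:", ", ".join(kept))
    for name, reasons in excluded.items():
        print(f"excluded {name}: {' + '.join(reasons)}")
```

On the sample, only the two ECDHE AEAD suites survive; DHE-RSA-AES128-SHA is reported for both reasons, which is why a CBC-only filter can look like it is "also" dropping DH.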