Hacker News new | ask | show | jobs
by freefriedrice 2223 days ago
> the modern iteration of HTTPS required by DarkSky.

I don't follow. The TLS handshake negotiates the appropriate ciphersuite. With the exception of dropping SHA1 in TLSv1.3, how was the macOS SSL module not able to negotiate a handshake? There should be plenty of suites available. What did Darksky ask for in the TLS handshake???

For example: I'm still running Mojave, and here's what I see from the handshake with the Darksky.net site on :443 ...

:

:

issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon

---

No client certificate CA names sent

Peer signing digest: SHA512

Peer signature type: RSA

Server Temp Key: ECDH, P-256, 256 bits

---

SSL handshake has read 5538 bytes and written 439 bytes

Verification: OK

---

New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256 :

:

:

They aren't even using TLS1.3 on the main page.
1 comments
Wowfunhappy 2223 days ago
Keep in mind that Mountain Lion is a lot older than Mojave. If I go to SSL labs and test DarkSky.net, it shows a "protocol mismatch" for Mountain Lion and older, which is exactly what I saw with the widget:

https://www.ssllabs.com/ssltest/analyze.html?d=darksky.net&s... (scroll down to "not simulated clients" and click "expand).

I don't actually understand that much about the internals of https, but my assumption is that there weren't any cipher suites supported by both DarkSky and Mountain Lion.

link
tialaramex 2223 days ago
It's not cipher suites it's the entire TLS protocol version.

That site requires exactly TLS 1.2 (not newer or older)

So an HTTPS implementation like Mountain Lion that only speaks TLS 1.1 or earlier will begin by saying it can do TLS 1.1 and the server says too bad, go away.

TLS 1.2 was defined in about 2008 but despite that a lot of products shipped without TLS 1.2 implemented for the next several years, because backwards compatibility meant they still worked, and it didn't seem like a priority, while forward compatibility had frequently proved problematic. Why ship something "more secure" that breaks for 1% of your users?

For example Firefox only added TLS 1.2 by default in 2014, after Mountain Lion was shipped (but before it ceased to be supported).

link
freefriedrice 2223 days ago
Wow, that's really cool. Googling around it appears that Mountain Lion wasn't upgraded to TLSv1.2 so any website that upgraded to TLSv1.1 broke on pre-Yosemite. I didn't realize this. Very interesting.
link
Wowfunhappy 2223 days ago
> any website that upgraded to TLSv1.1 broke on pre-Yosemite.

Tiny addendum, what I saw was different by one version: DarkSky worked fine in Mavericks, just not Mountain Lion.

link