On Mon, Dec 02, 2013 at 12:23:54PM -0500, Alex wrote:

> > No need. This is the problem with Exchange on Windows 2003, and
> > the broken DES-CBC3-SHA ciphersuite. Work-around in the list
> > archives.
>
> I believe I've found your post in the archives from just a few weeks
> ago that describes this a bit further, but it doesn't describe where
> you got the info from, so that I may understand this further.
>
> Do you know where I can find more info about this? Perhaps there's a
> MS tech bulletin or something that I can forward to the ISP?
I am not aware of any definitive Microsoft technical articles covering
this issue. My posts on the subject to this list are based on information
I discovered for myself. My report is sufficiently authoritative to stand
on its own.

A quick Google search uncovers the following, which is either the same
issue or a related issue:

    http://support.microsoft.com/kb/938857

The description is rather poor (surely wrong, written by some poor sod
who is mis-reporting it second hand):

    Block ciphers algorithms are unusual because they change the size of
    the data that is encrypted. When the encrypted data is returned, the
    size of the data may be smaller than the size of the data that was
    sent to be encrypted. In other words, the size of the encrypted data
    that the Exchange 2003 server sends back to the client is different
    by several bytes. For example, a program uses an SSL connection to
    send 1,000 bytes of data to be encrypted. When the data is encrypted
    and then returned to the client, the size of the data is 980 bytes.
    This can remove the client's ability to decrypt the encrypted data.

Back on planet Earth, block encryption algorithms add a variable amount
of padding, but they never shrink the payload. Mix in sufficient
skepticism about the expertise of the author and the core issue is the
same ("several bytes" of CBC padding mishandled by Exchange 2003).

-- 
	Viktor.
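The padding arithmetic behind the "several bytes" in the thread above, as an added worked example that is not part of the original post or of any Microsoft or OpenSSL code. It models the TLS 1.0 GenericBlockCipher layout (RFC 2246 section 6.2.3.2: content, MAC, padding bytes each equal to padding_length, then the padding_length byte) for a DES-CBC3-SHA record: an 8-byte block, a 20-byte SHA-1 MAC. The MAC is a constructed placeholder of zero bytes and no 3DES is actually run, since only the sizes and the padding check matter here; the function names are assumptions made for the example.

```python
"""Added example: TLS 1.0 CBC record padding for DES-CBC3-SHA.

Shows that a padded record is always at least as large as the plaintext
(a 1000-byte record grows to 1024 bytes, never shrinks to 980), and what a
receiver has to check before stripping the padding.  Pure Python; the MAC
is a zero-byte placeholder and no cipher is invoked.
"""

DES3_BLOCK = 8        # block size of 3DES in CBC mode
SHA1_MAC_LEN = 20     # length of the SHA-1 record MAC


def tls_pad(content: bytes, mac_len: int = SHA1_MAC_LEN,
            block: int = DES3_BLOCK, extra_blocks: int = 0) -> bytes:
    """Return content || MAC placeholder || padding || padding_length.

    Every padding byte, including the trailing padding_length byte, has the
    value padding_length, and the whole record is a multiple of the block
    size.  TLS 1.0 lets the sender add whole extra blocks of padding (up to
    255 bytes in total) to hide the true length; extra_blocks selects that.
    """
    body = content + b"\x00" * mac_len          # constructed MAC placeholder
    # Minimum padding so that body + padding + 1 length byte fills the block.
    pad_len = (block - (len(body) + 1) % block) % block
    pad_len += extra_blocks * block
    if pad_len > 255:
        raise ValueError("padding_length must fit in one byte")
    return body + bytes([pad_len]) * (pad_len + 1)


def tls_unpad(record: bytes, mac_len: int = SHA1_MAC_LEN,
              block: int = DES3_BLOCK) -> bytes:
    """Validate the padding and return the content without MAC or padding.

    Raises ValueError on any malformed record; a peer that gets the
    padding wrong by a few bytes fails here rather than yielding garbage.
    """
    if not record or len(record) % block != 0:
        raise ValueError("record is not a whole number of blocks")
    pad_len = record[-1]
    if pad_len + 1 + mac_len > len(record):
        raise ValueError("padding_length exceeds the record")
    if record[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        raise ValueError("padding bytes do not all equal padding_length")
    return record[: len(record) - pad_len - 1 - mac_len]


def record_growth(content_len: int, extra_blocks: int = 0) -> int:
    """How many bytes the padded record is larger than the content."""
    return len(tls_pad(bytes(content_len), extra_blocks=extra_blocks)) - content_len


if __name__ == "__main__":
    rec = tls_pad(b"A" * 1000)
    print(len(rec), "bytes on the wire for 1000 bytes of content")   # 1024
    print(record_growth(1000), "bytes of MAC plus padding")           # 24
    assert tls_unpad(rec) == b"A" * 1000
    # A record "several bytes" short, as the KB article describes, is rejected.
    try:
        tls_unpad(rec[:-4])
    except ValueError as err:
        print("rejected:", err)
```

Run it as a script to see the 1000-byte case from the KB article: the record comes out at 1024 bytes (20 bytes of MAC, 3 padding bytes and the length byte), and a copy cut short by a few bytes is refused by the receiver-side check.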