OWASP / O-Saft

O-Saft - OWASP SSL advanced forensic tool
GNU General Public License v2.0

the ``./o-saft.pl my.tld +cipher --ciphermode=intern --cipher-range=full`` command on a local server #149

Open kylak opened 1 month ago

kylak commented 1 month ago

Hi.

I executed the ./o-saft.pl my.tld +cipher --ciphermode=intern --cipher-range=full command on a local server, but the execution is not yet finished after nearly 1 hour. Is it normal? If yes, how long does it usually take on a local server, please?

Also, here is the result given by the command:

**WARNING: 058: given path '/etc/ssl/certs/' does not contain a CA file
**WARNING: 409: SSLv2 does not support SNI; cipher checks are done without SNI
**WARNING: 409: SSLv3 does not support SNI; cipher checks are done without SNI
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0xFFF3 ... 0x03010012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03010013 ... 0x03010032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03010033 ... 0x03010052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03010073 ... 0x03010092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03010093 ... 0x030100B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0301BFF3 ... 0x0301C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0301C013 ... 0x0301C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0301FFF3 ... 0x03020012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03020013 ... 0x03020032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03020033 ... 0x03020052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03020073 ... 0x03020092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03020093 ... 0x030200B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0302BFF3 ... 0x0302C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0302C013 ... 0x0302C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0302FFF3 ... 0x03030012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03030013 ... 0x03030032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03030033 ... 0x03030052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03030073 ... 0x03030092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03030093 ... 0x030300B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0303BFF3 ... 0x0303C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0303C013 ... 0x0303C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0303FFF3 ... 0x03040012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03040013 ... 0x03040032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03040033 ... 0x03040052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03040073 ... 0x03040092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03040093 ... 0x030400B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0304BFF3 ... 0x0304C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0304C013 ... 0x0304C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0304FFF3 ... 0x03050012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03050013 ... 0x03050032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03050033 ... 0x03050052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03050073 ... 0x03050092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03050093 ... 0x030500B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0305BFF3 ... 0x0305C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0305C013 ... 0x0305C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0305FFF3 ... 0x03060012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03060013 ... 0x03060032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03060033 ... 0x03060052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03060073 ... 0x03060092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03060093 ... 0x030600B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0306BFF3 ... 0x0306C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0306C013 ... 0x0306C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0306FFF3 ... 0x03070012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03070013 ... 0x03070032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03070033 ... 0x03070052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03070073 ... 0x03070092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03070093 ... 0x030700B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0307BFF3 ... 0x0307C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0307C013 ... 0x0307C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0307FFF3 ... 0x03080012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03080013 ... 0x03080032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03080033 ... 0x03080052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03080073 ... 0x03080092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03080093 ... 0x030800B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0308BFF3 ... 0x0308C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0308C013 ... 0x0308C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0308FFF3 ... 0x03090012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03090013 ... 0x03090032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03090033 ... 0x03090052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03090073 ... 0x03090092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03090093 ... 0x030900B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0309BFF3 ... 0x0309C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0309C013 ... 0x0309C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0309FFF3 ... 0x030A0012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x030A0013 ... 0x030A0032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x030A0033 ... 0x030A0052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x030A0073 ... 0x030A0092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x030A0093 ... 0x030A00B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x030ABFF3 ... 0x030AC012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x030AC013 ... 0x030AC032'. at ./o-saft.pl line 3104.

Is this result normal? How to interpret it? I didn't find any documentation on this.

Regards.

EnDe commented 1 month ago

> How to interpret it?

Good question ;-)

As you see in the warning (last line in your example), 0xC013 from the range 0x030AC013 ... 0x030AC032 caused the message. This is an unknown cipher, hence we don't know what the server is doing with it. In this case it returns some error in the server-hello. Finally, these ciphers are not listed as accepted, are they? That's intended behaviour, IMHO.

If you're really interested in what's going on with undefined ciphers, you may use the options --trace=4 and/or any of the --ssl-* options. See ./o-saft.pl --help=options. If this isn't sufficient, feel free to dig deeper into the sources of SSLhello.pm.

kylak commented 1 month ago

Ok I got it thanks. And what's about the execution time please ?

EnDe commented 1 month ago

> ... the execution is not yet finished after nearly 1 hour, is it normal?

Yes, if so many warnings occur. --range=full is fuzzing, or in this case brute force of 1.6G ciphers. Which time do you expect? The reason is that we try to tweak the server with other client-hello messages if such errors are detected. This behaviour can be controlled slightly with the --ssl-* options.

For what it's worth: on my server (cpu 3GHz, 3GB free RAM) localhost, this test completes in less than 5 minutes (but no warnings there), not bad, is it? I'd like to engage you to think about what you're doing, checking the docs, and then ask if something is wrong, missing, unexpected. Also the options --v --trace --trace=[234] --traceme may give hints about what's going on. Wait: we can set up a training ... :-)

kylak commented 1 month ago

Could you explain what you mean by "tweak" in "we try to tweak the server with other client-hello messages"?

Thanks.

EnDe commented 1 month ago

Short answer: fiddling around with various client-hello messages. Feel free to follow my comment (last paragraph). Additionally, the --trace=4 and --trace=5 options will flood you with information. You may also try usr/checkAllCiphers.pl --trace=5 your-server

kylak commented 1 month ago

Ok, thanks.