aeris / cryptcheck

Verify some SSL/TLS website or XMPP implementation
GNU Affero General Public License v3.0

TLS-Timeout on several hosts #39

Open sauttefk opened 5 years ago

sauttefk commented 5 years ago

I get an error on several hosts e.g. for https://spiegel.de/

On the webservice: https://tls.imirhil.fr/https/spiegel.de

[HTTPS] spiegel.de (03/12/2018 15:12:22 +00:00)
spiegel.de - 128.65.210.8 : 443
Fehler bei der Analyse: Timeout when TLS connect to 128.65.210.8:443 (max 20 seconds)

And also on the shell: docker run --rm cryptcheck bin/check_https spiegel.de

128.65.210.8:443 [spiegel.de]

Supported methods
  Method TLSv1_2
  Method TLSv1_1
  Method TLSv1
Timeout when TLS connecting to 128.65.210.8:443 (max 20 seconds)

sauttefk commented 5 years ago

@aeris Oh, I forgot to mention: Cryptcheck is a really great tool for analysing all those webservers I have to manage! Thanks!

aeris commented 5 years ago

Seems the service on the other side is not fully SSL/TLS compliant. SSLv2 negotiation hangs and so max analysis duration is hit. If the service doesn't support SSLv2, it needs to reject the connection cleanly (fatal protocol version).


sauttefk commented 5 years ago

OK, good point... But I think cryptcheck should respond gracefully to this server side misconfiguration and continue its analysis.

aeris commented 5 years ago

I limit the analysis duration to avoid DoS of the CryptCheck service (20s max for a TCP connection and 10min max for the overall scan). Will think about adding an option to ignore some timeout.

sauttefk commented 5 years ago

I think the 20s timeout is OK. This should be reported in the output, but all the other results should still be reported.

aeris commented 5 years ago

At this point, there is no result to report; this is just a fast TLS ping to detect supported protocols. Perhaps I may consider errors at this point as "not supported protocol" rather than "server error". But this may hide misconfiguration too.
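What a per-version TLS ping that keeps going after a hang could look like, as an added example in Ruby (cryptcheck's language) that is not cryptcheck's own code: probe_version, hanging_server and tls12_server are names chosen here, and the two servers are constructed loopback doubles standing in for a host that accepts TCP and then stays silent (the spiegel.de behaviour above) and one that refuses unsupported versions cleanly.

```ruby
require 'socket'
require 'openssl'

# Handshake host:port with exactly one protocol version under a hard deadline and classify
# the outcome instead of aborting the whole scan: :supported (handshake completed),
# :rejected (alert or connection dropped, the clean refusal aeris describes), :timeout
# (TCP accepted but no TLS answer, the behaviour seen on spiegel.de in this issue).
def probe_version(host, port, version, timeout: 2.0)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = ctx.max_version = version
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # only the handshake outcome matters here
  tcp = Socket.tcp(host, port, connect_timeout: timeout)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
  loop do
    left = [deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC), 0].max
    case ssl.connect_nonblock(exception: false) # never blocks; we do the waiting, with a deadline
    when :wait_readable then IO.select([tcp], nil, nil, left) or return :timeout
    when :wait_writable then IO.select(nil, [tcp], nil, left) or return :timeout
    else return :supported
    end
  end
rescue Errno::ETIMEDOUT then :timeout
rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError then :rejected
ensure
  tcp&.close
end

# Constructed loopback doubles (no real hosts involved); each returns the port it listens on.
def hanging_server # accepts TCP, then stays silent, as the host in this issue does
  srv, held = TCPServer.new('127.0.0.1', 0), []
  Thread.new { loop { held << srv.accept } } # keep sockets referenced so the client sees no EOF
  srv.addr[1]
end

def tls12_server # real TLS server limited to TLS 1.2, throwaway self-signed certificate
  key, cert = OpenSSL::PKey::RSA.new(2048), OpenSSL::X509::Certificate.new
  cert.public_key, cert.serial = key.public_key, 1
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert, sctx.key = cert, key
  sctx.min_version = sctx.max_version = OpenSSL::SSL::TLS1_2_VERSION # refuse anything else cleanly
  srv = OpenSSL::SSL::SSLServer.new(TCPServer.new('127.0.0.1', 0), sctx)
  Thread.new { loop { (srv.accept rescue nil)&.close } } # a mismatched client just gets an alert
  srv.to_io.addr[1]
end
```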

sauttefk commented 5 years ago

SSL Labs shows SSLv2 and SSLv3 as not supported. https://www.ssllabs.com/ssltest/analyze.html?d=spiegel.de

aeris commented 5 years ago

Yep, but it missed the fact that the server is not SSL/TLS compliant :joy: