Open sauttefk opened 5 years ago
@aeris Oh, I forgot to mention: Cryptcheck is a really great tool for analysing all those webservers I have to manage! Thanks!
Seems the service on the other side is not fully SSL/TLS compliant.
SSLv2 negotiation hangs and so max analysis duration is hit.
If the service doesn't support SSLv2, it needs to reject the connection cleanly (fatal protocol version).
OK, good point... But I think cryptcheck should respond gracefully to this server-side misconfiguration and continue its analysis.
I limit the analysis duration to avoid DoS of the CryptCheck service (20s max for a TCP connection and 10min max for the overall scan). Will think about adding an option to ignore some timeout.
I think the 20s timeout is OK. This should be reported in the output, but all the other results should still be reported.
At this point, there is no result to report, this is just fast TLS ping to detect supported protocols. Perhaps I may consider errors at this point as "not supported protocol" rather than "server error". But this may hide misconfiguration too.
SSL Labs shows SSLv2 and SSLv3 as not supported. https://www.ssllabs.com/ssltest/analyze.html?d=spiegel.de
Yep, but it missed here the fact that the server is not SSL/TLS compliant :joy:
I get an error on several hosts e.g. for https://spiegel.de/
On the webservice: https://tls.imirhil.fr/https/spiegel.de
And also on the shell:
docker run --rm cryptcheck bin/check_https spiegel.de
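The behaviour discussed above (a fast per-protocol probe with a per-connection deadline, where a server that hangs instead of sending a fatal protocol_version alert is reported as a timeout while the rest of the scan continues) can be sketched like this. This is an added example, not CryptCheck's own code: the record bytes, the `start_fake_server` simulator, and the `probe`, `scan` and `report` names are all constructed here, and the "client hello" is a stub record rather than a real SSLv2/TLS ClientHello, so the local servers only answer with a handshake record, a fatal alert, or nothing at all.

```ruby
require "socket"

# Constructed TLS record fragments (not from the project). Alert record:
# type 0x15, level 2 (fatal), description 70 (protocol_version).
# Handshake record: type 0x16 with a 4-byte placeholder body.
ALERT_PROTOCOL_VERSION = [0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46].pack("C*")
HANDSHAKE_STUB         = [0x16, 0x03, 0x03, 0x00, 0x04, 0x02, 0x00, 0x00, 0x00].pack("C*")
CLIENT_HELLO_STUB      = [0x16, 0x03, 0x01, 0x00, 0x01, 0x01].pack("C*")

# Local stand-in for the remote service; behaviour is :supported,
# :rejected (clean fatal alert) or :hang (never answers, as in the issue).
# Returns the bound port.
def start_fake_server(behaviour)
  server = TCPServer.new("127.0.0.1", 0)
  Thread.new do
    loop do
      Thread.new(server.accept) do |c|
        begin
          c.readpartial(1024) # drain the probe bytes
          case behaviour
          when :supported then c.write(HANDSHAKE_STUB)
          when :rejected  then c.write(ALERT_PROTOCOL_VERSION)
          when :hang      then sleep   # keep the socket open, say nothing
          end
        rescue EOFError, IOError
          # client went away first; nothing to do
        ensure
          c.close unless behaviour == :hang
        end
      end
    end
  end
  server.addr[1]
end

# Read exactly n bytes before the monotonic deadline. Returns the bytes,
# nil when the deadline expires, and raises EOFError if the peer closes.
def read_exact(sock, n, deadline)
  buf = "".b
  while buf.bytesize < n
    remaining = deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC)
    return nil if remaining <= 0 || IO.select([sock], nil, nil, remaining).nil?
    chunk = sock.read_nonblock(n - buf.bytesize, exception: false)
    next if chunk == :wait_readable
    raise EOFError, "peer closed" if chunk.nil?
    buf << chunk
  end
  buf
end

# One protocol "ping": connect, send the stub, classify the first record.
# The deadline is what stops a hanging handshake from stalling the scan.
# Returns :supported, :rejected, :timeout or :error.
def probe(host, port, timeout: 1.0)
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
  sock = Socket.tcp(host, port, connect_timeout: timeout)
  sock.write(CLIENT_HELLO_STUB)
  header = read_exact(sock, 5, deadline) or return :timeout
  body   = read_exact(sock, header.byteslice(3, 2).unpack1("n"), deadline) or return :timeout
  case header.getbyte(0)
  when 0x16 then :supported
  when 0x15 then (body.getbyte(0) == 2 && body.getbyte(1) == 70) ? :rejected : :error
  else :error
  end
rescue SystemCallError, EOFError, IOError
  :error
ensure
  sock&.close
end

# Probe every (name, host, port) target; a timeout is recorded as a
# finding and the loop moves on instead of aborting the whole run.
def scan(targets, timeout: 1.0)
  targets.each_with_object({}) do |(name, host, port), results|
    results[name] = probe(host, port, timeout: timeout)
  end
end

# Render the findings so the hanging protocol is visible next to the others.
def report(results, timeout:)
  results.map do |name, outcome|
    detail = case outcome
             when :supported then "supported"
             when :rejected  then "not supported (clean fatal protocol_version alert)"
             when :timeout   then "timeout after #{timeout}s (server hangs instead of rejecting)"
             else "error"
             end
    "#{name}: #{detail}"
  end.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  targets = [["SSLv2",   "127.0.0.1", start_fake_server(:hang)],
             ["SSLv3",   "127.0.0.1", start_fake_server(:rejected)],
             ["TLSv1.2", "127.0.0.1", start_fake_server(:supported)]]
  puts report(scan(targets, timeout: 0.5), timeout: 0.5)
end
```

The per-connection deadline lives inside `probe`, so a single unresponsive protocol costs at most one timeout and the overall scan budget is unaffected by it; the distinction between `:rejected` (a fatal protocol_version alert, the compliant answer) and `:timeout` (no record at all) is what lets the output flag the server-side misconfiguration instead of silently treating it as "not supported".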