Closed dalf closed 4 years ago
Seems there is a firewall in front of this service, refusing the connection after a few handshakes. CryptCheck literally hammers tested services with thousands of TLS handshakes, and so any DDoS protection can be triggered.
I guess ssllab is working because there are additional delays between requests? If so, it would be nice to have a parameter to do that.
Already exists with the SLOW_DOWN env variable:
SLOW_DOWN=0.1 bin/cryptcheck https spot.ecloud.global
:blush:
But in your case, it seems the SSLv2 check completely hangs.
Supported methods
Try method=TLSv1_2 / ciphers=ALL:COMPLEMENTOFALL / curves= / scsv=false
Method TLSv1_2
Try method=TLSv1_1 / ciphers=ALL:COMPLEMENTOFALL / curves= / scsv=false
Error occurs : SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: wrong version number
Method TLSv1_1 : not supported
Try method=TLSv1 / ciphers=ALL:COMPLEMENTOFALL / curves= / scsv=false
Error occurs : SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: tlsv1 alert protocol version
Method TLSv1 : not supported
Try method=SSLv3 / ciphers=ALL:COMPLEMENTOFALL / curves= / scsv=false
Error occurs : SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: wrong version number
Method SSLv3 : not supported
Try method=SSLv2 / ciphers=ALL:COMPLEMENTOFALL / curves= / scsv=false
Error occurs : Timeout when TLS connecting to 51.15.41.157:443 (max 20 seconds)
Timeout when TLS connecting to 51.15.41.157:443 (max 20 seconds)
Seems your TLS stack is bugged and doesn't know how to handle SSLv2 correctly.
For reference, a correct stack must reject the handshake with an SSLv2 read server hello:
Try method=SSLv2 / ciphers=ALL:COMPLEMENTOFALL / curves= / scsv=false
Error occurs : SSL_connect returned=6 errno=0 state=SSLv2 read server hello A
Method SSLv2 : not supported
Thank you.
@dalf Thanks to you for tracking that issue.
This is probably related to the usage of Traefik as router, which uses the Golang language and the https://golang.org/pkg/crypto/tls/ library, which does not support SSLv2.
@aeris Can we treat a timeout state as an unsupported protocol instead of a fatal error, which doesn't produce any results from the cryptcheck tool?
There is a difference between not supporting SSLv2 and not respecting the SSL/TLS RFC on how to reject SSLv2 :yum: I think the TLS implementation of Traefik is not compliant. I will see if I can change something on my side to handle this case.
I added the BUG_METHOD_UNSUPPORTED_TIMEOUT env variable to bypass the timeout in 8ec6029.
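Added example (Ruby, written for this page, not CryptCheck's own code) of the two ideas discussed in the thread: a per-handshake delay like SLOW_DOWN so a rate limiter in front of the host is not tripped, and classifying a handshake that times out as an unsupported method instead of a fatal error, as BUG_METHOD_UNSUPPORTED_TIMEOUT does. The function names, the local test server and its self-signed certificate are constructed for the example; the silent server mode mimics the stack that never answers the SSLv2 probe.

```ruby
require 'openssl'
require 'socket'
require 'timeout'
# Probe a single protocol version against host:port and classify the result as
# :supported, :unsupported (alert, reset or EOF, i.e. a clean rejection) or
# :timeout. slow_down sleeps before the handshake; timeout_is_unsupported maps
# a peer that stays silent to :unsupported instead of aborting the whole scan.
def probe_method(host, port, version, timeout: 2, slow_down: 0.0, timeout_is_unsupported: false)
  sleep(slow_down)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = ctx.max_version = version   # offer exactly one version
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE    # we test support, not the cert chain
  Timeout.timeout(timeout) do
    ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new(host, port), ctx)
    ssl.sync_close = true
    ssl.connect
    ssl.close rescue nil                         # peer may have closed already
  end
  :supported
rescue OpenSSL::SSL::SSLError, Errno::ECONNRESET, Errno::EPIPE, EOFError
  :unsupported                                   # e.g. "tlsv1 alert protocol version"
rescue Timeout::Error
  timeout_is_unsupported ? :unsupported : :timeout
end
# Constructed local server for testing: self-signed cert, a fixed version window,
# and a silent mode that accepts TCP but never answers the ClientHello. Returns the port.
def start_test_server(min_version, max_version, silent: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  ctx.min_version, ctx.max_version = min_version, max_version
  tcp = TCPServer.new('127.0.0.1', 0)
  held = []                                      # silent sockets stay open, not GC-closed
  Thread.new do
    loop do
      client = tcp.accept
      next held.push(client) if silent           # keep it open and never answer
      OpenSSL::SSL::SSLSocket.new(client, ctx).accept.close rescue nil
      client.close
    end
  end
  tcp.addr[1]
end
```

Against the TLS 1.2-only test server, a TLS 1.2 probe reports :supported, a TLS 1.3-only probe gets a protocol_version alert and reports :unsupported, and the silent server reports :timeout unless timeout_is_unsupported is set.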
cryptcheck can't connect to spot.ecloud.global but the website is working fine:
cryptcheck log
same results on two different IPs:
curl log