aeris / cryptcheck

Verify some SSL/TLS website or XMPP implementation
GNU Affero General Public License v3.0

https spot.ecloud.global: timeout #49

Closed dalf closed 4 years ago

dalf commented 4 years ago

cryptcheck can't connect to spot.ecloud.global but the website is working fine:

cryptcheck log

Same results on two different IPs:

$ docker run --network host --rm aeris22/cryptcheck https spot.ecloud.global
51.15.41.157:443 [spot.ecloud.global]

Supported methods
  Method TLSv1_2
Timeout when TLS connecting to 51.15.41.157:443 (max 20 seconds)

curl log

$ curl --tlsv1.2 -vvvv https://spot.ecloud.global
* Rebuilt URL to: https://spot.ecloud.global/
*   Trying 51.15.41.157...
* TCP_NODELAY set
* Connected to spot.ecloud.global (51.15.41.157) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
...

aeris commented 4 years ago

Seems there is a firewall in front of this service, refusing the connection after a few handshakes. CryptCheck literally hammers tested services with thousands of TLS handshakes. And so any DDoS protection can be triggered.

dalf commented 4 years ago

I guess ssllab is working because there is an additional delay between requests? If so, it would be nice to have a parameter to do that.

aeris commented 4 years ago

Already exists with the SLOW_DOWN env variable: SLOW_DOWN=0.1 bin/cryptcheck https spot.ecloud.global :blush:

But in your case, it seems the SSLv2 check completely hangs.

Supported methods
Try method=TLSv1_2 / ciphers=ALL:COMPLEMENTOFALL / curves= / scsv=false
  Method TLSv1_2
Try method=TLSv1_1 / ciphers=ALL:COMPLEMENTOFALL / curves= / scsv=false
Error occurs : SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: wrong version number
  Method TLSv1_1 : not supported
Try method=TLSv1 / ciphers=ALL:COMPLEMENTOFALL / curves= / scsv=false
Error occurs : SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: tlsv1 alert protocol version
  Method TLSv1 : not supported
Try method=SSLv3 / ciphers=ALL:COMPLEMENTOFALL / curves= / scsv=false
Error occurs : SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: wrong version number
  Method SSLv3 : not supported
Try method=SSLv2 / ciphers=ALL:COMPLEMENTOFALL / curves= / scsv=false
Error occurs : Timeout when TLS connecting to 51.15.41.157:443 (max 20 seconds)
Timeout when TLS connecting to 51.15.41.157:443 (max 20 seconds)

Seems your TLS stack is bugged and doesn't know how to handle SSLv2 correctly.

For reference, a correct stack must reject the handshake with an SSLv2 read server hello:

Try method=SSLv2 / ciphers=ALL:COMPLEMENTOFALL / curves= / scsv=false
Error occurs : SSL_connect returned=6 errno=0 state=SSLv2 read server hello A
  Method SSLv2 : not supported

dalf commented 4 years ago

Thank you.

nfk commented 4 years ago

@dalf Thanks to you for tracking that issue.

This is probably related to the usage of Traefik as a router, which uses the Golang language and the https://golang.org/pkg/crypto/tls/ library, which does not support SSLv2.

@aeris Can we update a timeout state as an unsupported protocol instead of a fatal error which produces any results from the cryptcheck tool?

aeris commented 4 years ago

There is a difference between not supporting SSLv2 and not respecting the SSL/TLS RFC on how to reject SSLv2 :yum: I think the TLS implementation of Traefik is not compliant. Will see if I can change something on my side to handle this case.

aeris commented 4 years ago

I added the BUG_METHOD_UNSUPPORTED_TIMEOUT env variable to bypass the timeout in 8ec6029.
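
The outcomes this thread distinguishes for an SSLv2 probe (an explicit rejection, a closed connection, a silent hang until timeout), as an added Ruby example that is not cryptcheck's code and not part of any comment above. It speaks raw sockets instead of OpenSSL; probe_sslv2, sslv2_verdict, with_server and the treat_timeout_as_unsupported flag are hypothetical names, the flag standing in for the kind of switch requested in the thread, and the local servers are constructed stand-ins.

```ruby
require 'socket'
# SSLv2 CLIENT-HELLO: header (0x80 | length), type 1, version 0x0002, lengths, cipher, challenge.
def sslv2_client_hello
  cipher = [0x01, 0x00, 0x80].pack('C3') # SSL_CK_RC4_128_WITH_MD5
  challenge = "\x00".b * 16              # constructed, fixed for reproducibility
  body = [1, 0x0002, cipher.bytesize, 0, challenge.bytesize].pack('Cnnnn') + cipher + challenge
  [0x8000 | body.bytesize].pack('n') + body
end

# Send the hello and classify the first bytes that come back (or their absence).
def probe_sslv2(host, port, timeout: 20)
  sock = Socket.tcp(host, port, connect_timeout: timeout)
  sock.write(sslv2_client_hello)
  return :timeout unless IO.select([sock], nil, nil, timeout)
  data = sock.readpartial(5)
  return :tls_alert if data.getbyte(0) == 0x15 # TLS alert record
  return :sslv2_server_hello if data.getbyte(0) >= 0x80 && data.getbyte(2) == 4
  :other
rescue EOFError, Errno::ECONNRESET, Errno::EPIPE
  :closed
rescue Errno::ETIMEDOUT
  :timeout
ensure
  sock&.close
end

# Hypothetical policy switch: a silent server counts as "not supported".
def sslv2_verdict(outcome, treat_timeout_as_unsupported: false)
  return :supported if outcome == :sslv2_server_hello
  return :not_supported if %i[tls_alert closed].include?(outcome)
  return :unknown unless outcome == :timeout
  treat_timeout_as_unsupported ? :not_supported : :fatal
end

# Constructed local stand-ins for server behaviours (:alert, :close, :hang).
def with_server(behaviour)
  server = TCPServer.new('127.0.0.1', 0)
  thread = Thread.new do
    client = server.accept
    client.readpartial(64)
    client.write([0x15, 3, 1, 0, 2, 2, 70].pack('C*')) if behaviour == :alert # fatal protocol_version
    sleep 1 if behaviour == :hang
    client.close
  end
  yield server.addr[1]
ensure
  thread&.kill
  server&.close
end
```

A scan that maps :timeout to :fatal aborts the whole report on a silent server, while the flag lets it record SSLv2 as not supported and continue.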