aeris / cryptcheck

Verify some SSL/TLS website or XMPP implementation
GNU Affero General Public License v3.0

IPv6 issue on searx.be using the docker image aeris22/cryptcheck #53

Closed dalf closed 4 years ago

dalf commented 4 years ago

cryptcheck docker image seems to not be able to connect to searx.be using IPv6 (with the option --network host to avoid any docker issue).

related to https://github.com/dalf/cryptcheck-backend/issues/1#issuecomment-648364591

I can't figure out if this is related to the network connection / hardware or if it is a cryptcheck issue.

docker

$ docker pull aeris22/cryptcheck
Using default tag: latest
latest: Pulling from aeris22/cryptcheck
Digest: sha256:1be4ad0960fa67d3ab194cf3aa9502a2669c7b86fdbf6e1a1457ff0e4fa8e492
Status: Image is up to date for aeris22/cryptcheck:latest
docker.io/aeris22/cryptcheck:latest

$ docker run --rm --network host -e BUG_METHOD_UNSUPPORTED_TIMEOUT=10 -e SLOW_DOWN=0.1 aeris22/cryptcheck https searx.be
Using default tag: latest
latest: Pulling from aeris22/cryptcheck
Digest: sha256:1be4ad0960fa67d3ab194cf3aa9502a2669c7b86fdbf6e1a1457ff0e4fa8e492
Status: Image is up to date for aeris22/cryptcheck:latest
docker.io/aeris22/cryptcheck:latest
root@al-f:~# docker run --rm --network host -e BUG_METHOD_UNSUPPORTED_TIMEOUT=10 -e SLOW_DOWN=0.1 aeris22/cryptcheck https searx.be
2a00:6d40:60:b060::1:443 [searx.be]

Supported methods
TLS seems not supported on this server

94.177.213.96:443 [searx.be]

Supported methods
  Method TLSv1_2

Supported ciphers
  Cipher TLSv1_2 ECDHE-RSA-AES128-GCM-SHA256 [aead]
    PFS : ECC 256 bits
  Cipher TLSv1_2 ECDHE-RSA-AES256-GCM-SHA384 [aead]
    PFS : ECC 256 bits
  Cipher TLSv1_2 ECDHE-RSA-CHACHA20-POLY1305 [aead]
...

curl

$ curl -6 -v https://searx.be/
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5605ed949e80)
* Connected to searx.be (2a00:6d40:60:b060::1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: [NONE]
*  start date: Apr 17 23:04:37 2020 GMT
*  expire date: Oct 15 21:59:00 2020 GMT
*  subjectAltName: host "searx.be" matched cert's "searx.be"
*  issuer: C=NO; O=Buypass AS-983163327; CN=Buypass Class 2 CA 5
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5605ed949e80)

aeris commented 4 years ago

Is the curl command run in docker? You have to enable IPv6 on the docker daemon too: https://docs.docker.com/config/daemon/ipv6/ And perhaps assign an IPv6: https://github.com/docker/docker.github.io/issues/9676

dalf commented 4 years ago

Even with --network host?

[EDIT]

aeris commented 4 years ago

I don't know, but I guess yes.

dalf commented 4 years ago

docker run --rm -ti --network host alpine apk add curl; curl -v -6 https://searx.be

Same output as on the host (without ipv6 configuration):

...
* Connected to searx.be (2a00:6d40:60:b060::1) port 443 (#0)
...
< HTTP/2 200

aeris commented 4 years ago

Put the command in quotes, here you execute curl on your host :D

docker run --rm -ti --network host alpine sh -c "apk add curl; curl -v -6 https://searx.be"

aeris commented 4 years ago

And no problem on my side with IPv6

$ docker run --rm --network host -e BUG_METHOD_UNSUPPORTED_TIMEOUT=10 -e SLOW_DOWN=0.1 aeris22/cryptcheck https searx.be
Unable to find image 'aeris22/cryptcheck:latest' locally
latest: Pulling from aeris22/cryptcheck
cbdbe7a5bc2a: Already exists 
f401a2de47d4: Pull complete 
65415a3831f1: Pull complete 
be23029dc3f2: Pull complete 
11f4cccc9e86: Pull complete 
e8e64d3f9fd6: Pull complete 
Digest: sha256:1be4ad0960fa67d3ab194cf3aa9502a2669c7b86fdbf6e1a1457ff0e4fa8e492
Status: Downloaded newer image for aeris22/cryptcheck:latest
2a00:6d40:60:b060::1:443 [searx.be]

Supported methods
  Method TLSv1_2

Supported ciphers
  Cipher TLSv1_2 ECDHE-RSA-AES128-GCM-SHA256 [aead]
    PFS : ECC 256 bits
  Cipher TLSv1_2 ECDHE-RSA-AES256-GCM-SHA384 [aead]
    PFS : ECC 256 bits
  Cipher TLSv1_2 ECDHE-RSA-CHACHA20-POLY1305 [aead]
    PFS : ECC 256 bits

dalf commented 4 years ago

Put the command in quotes, here you execute curl on your host :D

Thanks!

docker run --rm -ti --network host alpine sh -c "apk add curl; curl -v -6 https://searx.be; cat /etc/alpine-release"

Same output for curl even on docker

dalf commented 4 years ago

So it can be either my setup or the OVH network.

aeris commented 4 years ago

Try with more debug:

docker run --rm --network host -e LOG=debug -e BUG_METHOD_UNSUPPORTED_TIMEOUT=10 -e SLOW_DOWN=0.1 aeris22/cryptcheck https searx.be

dalf commented 4 years ago

Not very helpful:

2a00:6d40:60:b060::1:443 [searx.be]

Supported methods
  Method TLSv1_2 : not supported
  Method TLSv1_1 : not supported
  Method TLSv1 : not supported
  Method SSLv3 : not supported
  Method SSLv2 : not supported
TLS seems not supported on this server

94.177.213.96:443 [searx.be]

Supported methods
  Method TLSv1_2
  Method TLSv1_1 : not supported
  Method TLSv1 : not supported
  Method SSLv3 : not supported
  Method SSLv2 : not supported

Supported ciphers
  Cipher TLSv1_2 ECDHE-ECDSA-AES128-GCM-SHA256 [aead] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-AES256-GCM-SHA384 [aead] : not supported

SuperSandro2000 commented 4 years ago

Works on my end on Ubuntu 20.04 and IPv6 enabled Docker-ce without userland proxy.

aeris commented 4 years ago

Could you capture traffic with Wireshark and post pcap here?

dalf commented 4 years ago

tcpdump -ni eno1 -s 0 host 2a00:6d40:60:b060::1 -w searxbe.ko.pcap

https://seafile.al-f.net/d/958ff611b5b046358981/

searx.ok.pcap: on a host where it works. searx.ko.pcap: on a host where it doesn't work.

aeris commented 4 years ago

The ko version seems strange. I see a first try on 1.2 OK, then 1.1/1.0/3.0/2.0 KO (as expected), then enumeration of 1.2 cipher suites. So at least you must not have Method TLSv1_2 : not supported, because if that were the case, there would be no 1.2 enumeration. I also see multiple HTTPS requests but with replies in plain text (113.432871 timecode). It seems there are interleaved CryptCheck invocations in this pcap, so it is difficult to spot the trouble.

dalf commented 4 years ago

The previous pcap was made using cryptcheck-backend, sorry for the noise.

Maybe these two new pcaps are not better, I don't understand what is going on... I think it is not related to cryptcheck but rather a network problem.

searx.ko.1.pcap

(same link https://seafile.al-f.net/d/958ff611b5b046358981/ )

tcpdump -ni eno1 -s 0 host 2a00:6d40:60:b060::1 -w searxbe.ko.1.pcap
docker run --rm --network host -e LOG=debug -e BUG_METHOD_UNSUPPORTED_TIMEOUT=10 -e SLOW_DOWN=0.1 aeris22/cryptcheck https searx.be
2a00:6d40:60:b060::1:443 [searx.be]

Supported methods
  Method TLSv1_2 : not supported
  Method TLSv1_1 : not supported
  Method TLSv1 : not supported
  Method SSLv3 : not supported
  Method SSLv2 : not supported
TLS seems not supported on this server

94.177.213.96:443 [searx.be]

Supported methods
  Method TLSv1_2
  Method TLSv1_1 : not supported
  Method TLSv1 : not supported
  Method SSLv3 : not supported
  Method SSLv2 : not supported

Supported ciphers
  Cipher TLSv1_2 ECDHE-ECDSA-AES128-GCM-SHA256 [aead] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-AES256-GCM-SHA384 [aead] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-CHACHA20-POLY1305 [aead] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-CHACHA20-POLY1305-D [aead] : not supported

Fallback SCSV : not applicable

Certificates
  Certificate  [207483412387225913038490] issued by /C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 CA 5
    Key : RSA 2048 bits
    Identity : valid
    Trust : trusted
execution expired
No HSTS

Grade : E
{
    :critical => {
        :mdc2_sign => false,
         :md2_sign => false,
         :md4_sign => false,
         :md5_sign => false,
         :sha_sign => false,
        :sha1_sign => false,
              :rsa => false,
            :sslv2 => false,
            :sslv3 => false,
              :dss => false,
        :anonymous => false,
             :null => false,
           :export => false,
              :des => false,
              :md5 => false,
              :rc4 => false,
          :sweet32 => false
    },
       :error => {
            :rsa => false,
        :tlsv1_0 => false,
        :tlsv1_1 => false,
            :pfs => false
    },
     :warning => {
        :hsts => true,
        :sha1 => false,
         :dhe => false
    },
        :good => {
        :fallback_scsv => nil,
                 :hsts => false,
                 :aead => true
    },
       :great => {
        :hsts => false
    },
        :best => {}
}

searx.ko.2.pcap

Same, but with the addition of "or 94.177.213.96", and IPv6 works (I've tried a few times with and without; it is consistent)

tcpdump -ni eno1 -s 0 host 2a00:6d40:60:b060::1 or 94.177.213.96 -w searxbe.ko.2.pcap
docker run --rm --network host -e LOG=debug -e BUG_METHOD_UNSUPPORTED_TIMEOUT=10 -e SLOW_DOWN=0.1 aeris22/cryptcheck https searx.be
2a00:6d40:60:b060::1:443 [searx.be]

Supported methods
  Method TLSv1_2
  Method TLSv1_1 : not supported
  Method TLSv1 : not supported
  Method SSLv3 : not supported
  Method SSLv2 : not supported

Supported ciphers
  Cipher TLSv1_2 ECDHE-ECDSA-AES128-GCM-SHA256 [aead] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-AES256-GCM-SHA384 [aead] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-CHACHA20-POLY1305 [aead] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-CHACHA20-POLY1305-D [aead] : not supported
  Cipher TLSv1_2 ECDHE-RSA-AES128-GCM-SHA256 [aead] : not supported
  Cipher TLSv1_2 ECDHE-RSA-AES256-GCM-SHA384 [aead]
    PFS : ECC 256 bits
  Cipher TLSv1_2 ECDHE-RSA-CHACHA20-POLY1305 [aead]
    PFS : ECC 256 bits
  Cipher TLSv1_2 ECDHE-RSA-CHACHA20-POLY1305-D [aead] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-AES128-SHA256 [] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-AES256-SHA384 [] : not supported
  Cipher TLSv1_2 ECDHE-RSA-AES128-SHA256 [] : not supported
  Cipher TLSv1_2 ECDHE-RSA-AES256-SHA384 [] : not supported
  Cipher TLSv1_2 DHE-RSA-AES128-GCM-SHA256 [dhe aead] : not supported
  Cipher TLSv1_2 DHE-RSA-AES128-SHA [sha1 dhe] : not supported
  Cipher TLSv1_2 DHE-RSA-AES128-SHA256 [dhe] : not supported
  Cipher TLSv1_2 DHE-RSA-AES256-GCM-SHA384 [dhe aead] : not supported
  Cipher TLSv1_2 DHE-RSA-AES256-SHA [sha1 dhe] : not supported
  Cipher TLSv1_2 DHE-RSA-AES256-SHA256 [dhe] : not supported
  Cipher TLSv1_2 DHE-RSA-CAMELLIA128-SHA [sha1 dhe] : not supported
  Cipher TLSv1_2 DHE-RSA-CAMELLIA256-SHA [sha1 dhe] : not supported
  Cipher TLSv1_2 DHE-RSA-CHACHA20-POLY1305 [dhe aead] : not supported
  Cipher TLSv1_2 DHE-RSA-CHACHA20-POLY1305-D [dhe aead] : not supported
  Cipher TLSv1_2 DHE-RSA-SEED-SHA [sha1 dhe] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-AES128-SHA [sha1] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-AES256-SHA [sha1] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-DES-CBC3-SHA [sha1] : not supported
  Cipher TLSv1_2 ECDHE-RSA-AES128-SHA [sha1] : not supported
...
  Cipher TLSv1_2 EXP-DES-CBC-SHA [export des sweet32 pfs sha1] : not supported

  Cipher TLSv1_2 EXP-EDH-DSS-DES-CBC-SHA [dss export des sweet32 sha1 dhe] : not supported
  Cipher TLSv1_2 EXP-EDH-RSA-DES-CBC-SHA [export des sweet32 sha1 dhe] : not supported
  Cipher TLSv1_2 EXP-RC2-CBC-MD5 [export md5 sweet32 pfs] : not supported
  Cipher TLSv1_2 EXP-RC4-MD5 [export md5 rc4 pfs] : not supported
  Cipher TLSv1_2 NULL-MD5 [null md5 sweet32 pfs] : not supported
  Cipher TLSv1_2 NULL-SHA [null sweet32 pfs sha1] : not supported
  Cipher TLSv1_2 NULL-SHA256 [null sweet32 pfs] : not supported
  Cipher TLSv1_2 PSK-RC4-SHA [rc4 pfs sha1] : not supported
  Cipher TLSv1_2 RC4-MD5 [md5 rc4 pfs] : not supported
  Cipher TLSv1_2 RC4-SHA [rc4 pfs sha1] : not supported
  Cipher TLSv1_2 SRP-DSS-3DES-EDE-CBC-SHA [dss pfs sha1] : not supported
  Cipher TLSv1_2 SRP-DSS-AES-128-CBC-SHA [dss pfs sha1] : not supported
  Cipher TLSv1_2 SRP-DSS-AES-256-CBC-SHA [dss pfs sha1] : not supported

Cipher suite preferences
Timeout when connecting to 2a00:6d40:60:b060::1:443 (max 10 seconds)

94.177.213.96:443 [searx.be]

Supported methods
  Method TLSv1_2
  Method TLSv1_1 : not supported
  Method TLSv1 : not supported
  Method SSLv3 : not supported
  Method SSLv2 : not supported

Supported ciphers
  Cipher TLSv1_2 ECDHE-ECDSA-AES128-GCM-SHA256 [aead] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-AES256-GCM-SHA384 [aead] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-CHACHA20-POLY1305 [aead] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-CHACHA20-POLY1305-D [aead] : not supported
  Cipher TLSv1_2 ECDHE-RSA-AES128-GCM-SHA256 [aead]
    PFS : ECC 256 bits
  Cipher TLSv1_2 ECDHE-RSA-AES256-GCM-SHA384 [aead]
    PFS : ECC 256 bits
  Cipher TLSv1_2 ECDHE-RSA-CHACHA20-POLY1305 [aead]
    PFS : ECC 256 bits
  Cipher TLSv1_2 ECDHE-RSA-CHACHA20-POLY1305-D [aead] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-AES128-SHA256 [] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-AES256-SHA384 [] : not supported
  Cipher TLSv1_2 ECDHE-RSA-AES128-SHA256 [] : not supported
  Cipher TLSv1_2 ECDHE-RSA-AES256-SHA384 [] : not supported
  Cipher TLSv1_2 DHE-RSA-AES128-GCM-SHA256 [dhe aead] : not supported
  Cipher TLSv1_2 DHE-RSA-AES128-SHA [sha1 dhe] : not supported
  Cipher TLSv1_2 DHE-RSA-AES128-SHA256 [dhe] : not supported
  Cipher TLSv1_2 DHE-RSA-AES256-GCM-SHA384 [dhe aead] : not supported
  Cipher TLSv1_2 DHE-RSA-AES256-SHA [sha1 dhe] : not supported
  Cipher TLSv1_2 DHE-RSA-AES256-SHA256 [dhe] : not supported
  Cipher TLSv1_2 DHE-RSA-CAMELLIA128-SHA [sha1 dhe] : not supported
  Cipher TLSv1_2 DHE-RSA-CAMELLIA256-SHA [sha1 dhe] : not supported
  Cipher TLSv1_2 DHE-RSA-CHACHA20-POLY1305 [dhe aead] : not supported
  Cipher TLSv1_2 DHE-RSA-CHACHA20-POLY1305-D [dhe aead] : not supported
  Cipher TLSv1_2 DHE-RSA-SEED-SHA [sha1 dhe] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-AES128-SHA [sha1] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-AES256-SHA [sha1] : not supported
...
  Cipher TLSv1_2 DHE-DSS-AES256-SHA256 [dss dhe] : not supported
  Cipher TLSv1_2 DHE-DSS-CAMELLIA128-SHA [dss sha1 dhe] : not supported
  Cipher TLSv1_2 DHE-DSS-CAMELLIA256-SHA [dss sha1 dhe] : not supported
  Cipher TLSv1_2 DHE-DSS-SEED-SHA [dss sha1 dhe] : not supported
  Cipher TLSv1_2 ECDH-ECDSA-NULL-SHA [null sweet32 pfs sha1] : not supported
  Cipher TLSv1_2 ECDH-ECDSA-RC4-SHA [rc4 pfs sha1] : not supported
  Cipher TLSv1_2 ECDH-RSA-NULL-SHA [null sweet32 pfs sha1] : not supported
  Cipher TLSv1_2 ECDH-RSA-RC4-SHA [rc4 pfs sha1] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-NULL-SHA [null sweet32 sha1] : not supported
  Cipher TLSv1_2 ECDHE-ECDSA-RC4-SHA [rc4 sha1] : not supported
  Cipher TLSv1_2 ECDHE-RSA-NULL-SHA [null sweet32 sha1] : not supported
  Cipher TLSv1_2 ECDHE-RSA-RC4-SHA [rc4 sha1] : not supported
  Cipher TLSv1_2 EDH-DSS-DES-CBC-SHA [dss des sweet32 sha1 dhe] : not supported
  Cipher TLSv1_2 EDH-DSS-DES-CBC3-SHA [dss sha1 dhe] : not supported
  Cipher TLSv1_2 EDH-RSA-DES-CBC-SHA [des sweet32 sha1 dhe] : not supported
  Cipher TLSv1_2 EXP-ADH-DES-CBC-SHA [anonymous export des sweet32 sha1 dhe] : not supported
  Cipher TLSv1_2 EXP-ADH-RC4-MD5 [anonymous export md5 rc4 dhe] : not supported
  Cipher TLSv1_2 EXP-DES-CBC-SHA [export des sweet32 pfs sha1] : not supported
  Cipher TLSv1_2 EXP-EDH-DSS-DES-CBC-SHA [dss export des sweet32 sha1 dhe] : not supported
  Cipher TLSv1_2 EXP-EDH-RSA-DES-CBC-SHA [export des sweet32 sha1 dhe] : not supported
  Cipher TLSv1_2 EXP-RC2-CBC-MD5 [export md5 sweet32 pfs] : not supported
  Cipher TLSv1_2 EXP-RC4-MD5 [export md5 rc4 pfs] : not supported
  Cipher TLSv1_2 NULL-MD5 [null md5 sweet32 pfs] : not supported
  Cipher TLSv1_2 NULL-SHA [null sweet32 pfs sha1] : not supported
  Cipher TLSv1_2 NULL-SHA256 [null sweet32 pfs] : not supported
  Cipher TLSv1_2 PSK-RC4-SHA [rc4 pfs sha1] : not supported
  Cipher TLSv1_2 RC4-MD5 [md5 rc4 pfs] : not supported
  Cipher TLSv1_2 RC4-SHA [rc4 pfs sha1] : not supported
  Cipher TLSv1_2 SRP-DSS-3DES-EDE-CBC-SHA [dss pfs sha1] : not supported
  Cipher TLSv1_2 SRP-DSS-AES-128-CBC-SHA [dss pfs sha1] : not supported
  Cipher TLSv1_2 SRP-DSS-AES-256-CBC-SHA [dss pfs sha1] : not supported

Cipher suite preferences
  TLSv1_2  : ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-CHACHA20-POLY1305

Supported elliptic curves
  ECC curve secp256k1 : not supported
  ECC curve sect283k1 : not supported
  ECC curve sect283r1 : not supported
  ECC curve secp384r1
  ECC curve sect409k1 : not supported
  ECC curve sect409r1 : not supported
  ECC curve secp521r1
  ECC curve sect571k1 : not supported
  ECC curve sect571r1 : not supported
  ECC curve prime192v1 : not supported
  ECC curve prime256v1
  ECC curve brainpoolP256r1 : not supported
  ECC curve brainpoolP384r1 : not supported
  ECC curve brainpoolP512r1 : not supported
  ECC curve x25519 : not supported
Curves preference : prime256v1, secp521r1, secp384r1

Fallback SCSV : not applicable

Certificates
  Certificate  [207483412387225913038490] issued by /C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 CA 5
    Key : RSA 2048 bits
    Identity : valid
    Trust : trusted
execution expired
No HSTS

Grade : E
{
    :critical => {
        :mdc2_sign => false,
         :md2_sign => false,
         :md4_sign => false,
         :md5_sign => false,
         :sha_sign => false,
        :sha1_sign => false,
              :rsa => false,
            :sslv2 => false,
            :sslv3 => false,
              :dss => false,
        :anonymous => false,
             :null => false,
           :export => false,
              :des => false,
              :md5 => false,
              :rc4 => false,
          :sweet32 => false
    },
       :error => {
            :rsa => false,
        :tlsv1_0 => false,
        :tlsv1_1 => false,
            :pfs => false
    },
     :warning => {
        :hsts => true,
        :sha1 => false,
         :dhe => false
    },
        :good => {
        :fallback_scsv => nil,
                 :hsts => false,
                 :aead => true
    },
       :great => {
        :hsts => false
    },
        :best => {}
}

aeris commented 4 years ago

I guess it is a network trouble somewhere with IPv6, perhaps docker related.

[Screenshot: 2020-07-06_16-52]

You got a bunch of SYN retries on the TLSv1.2 test. TLSv1.1 too. TLSv1 starts passing, but hits SYN retries too. And then again at the end, a bunch of SYN retries. In all cases, the TCP connection could not be established.
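
The SYN-retry diagnosis in the comment above can be checked mechanically from a capture's text form. This is an added example, not part of the thread or of cryptcheck: it reads lines as printed by `tcpdump -nn -r <file>`, the sample lines and the client address 2001:db8::10 are constructed, and the function names are hypothetical.

```python
import re

# One TCP packet line as printed by `tcpdump -nn -r capture.pcap` (IPv4 or IPv6).
LINE = re.compile(
    r"^\S+ IP6? (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def classify_flows(lines):
    """Map (src, sport, dst, dport) -> (verdict, syn_retries) per connection attempt."""
    flows = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        fwd = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        rev = (fwd[2], fwd[3], fwd[0], fwd[1])
        flags = m["flags"]
        if flags == "S":                      # initial SYN or a retransmission of it
            flow = flows.setdefault(fwd, {"syn": 0, "answer": None})
            flow["syn"] += 1
        elif rev in flows and flows[rev]["answer"] is None:
            if flags == "S.":                 # SYN-ACK: the handshake got an answer
                flows[rev]["answer"] = "established"
            elif "R" in flags:                # RST: the peer actively refused
                flows[rev]["answer"] = "refused"
    return {
        key: (flow["answer"] or "no-answer", flow["syn"] - 1)
        for key, flow in flows.items()
    }

def unanswered(flows):
    """Connection attempts that never got past the TCP layer."""
    return [key for key, (verdict, _) in flows.items() if verdict == "no-answer"]

# Constructed sample: one attempt with two SYN retries and no reply, one that succeeds.
SAMPLE = """\
16:52:01.000000 IP6 2001:db8::10.40000 > 2a00:6d40:60:b060::1.443: Flags [S], seq 100, win 64800, length 0
16:52:02.010000 IP6 2001:db8::10.40000 > 2a00:6d40:60:b060::1.443: Flags [S], seq 100, win 64800, length 0
16:52:04.030000 IP6 2001:db8::10.40000 > 2a00:6d40:60:b060::1.443: Flags [S], seq 100, win 64800, length 0
16:52:11.000000 IP6 2001:db8::10.40002 > 2a00:6d40:60:b060::1.443: Flags [S], seq 200, win 64800, length 0
16:52:11.020000 IP6 2a00:6d40:60:b060::1.443 > 2001:db8::10.40002: Flags [S.], seq 900, ack 201, win 65535, length 0
16:52:11.020100 IP6 2001:db8::10.40002 > 2a00:6d40:60:b060::1.443: Flags [.], ack 1, win 507, length 0
"""

if __name__ == "__main__":
    for key, (verdict, retries) in classify_flows(SAMPLE.splitlines()).items():
        print(key, verdict, "SYN retries:", retries)
```

A probe whose flow comes back as "no-answer" says nothing about the server's TLS configuration, so a scanner result of "not supported" for that probe is a reachability failure, not a protocol finding.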

dalf commented 4 years ago

I close the issue since it is not related to cryptcheck.