aeris / cryptcheck

Verify some SSL/TLS website or XMPP implementation
GNU Affero General Public License v3.0

Issue with scanning https://searx.bar #54

Closed zevlee closed 3 years ago

zevlee commented 3 years ago

It seems as though https://cryptcheck.fr and https://tls.imirhil.fr/ are unable to resolve the web address https://searx.bar for some reason (Cryptcheck Results, Imirhil Results). I am not certain why, because an identical configuration works just fine: https://search.zevlee.me (Cryptcheck Results, Imirhil Results). When I run the docker image, I'm able to get proper results for https://searx.bar as shown below. Any idea where the discrepancy is coming from?

zev@zevlee:~$ sudo docker run aeris22/cryptcheck https searx.bar
129.213.118.27:443 [searx.bar]

Supported methods
  Method TLSv1_2

Supported ciphers
  Cipher TLSv1_2 ECDHE-ECDSA-AES128-GCM-SHA256 [aead]
    PFS : ECC 256 bits
  Cipher TLSv1_2 ECDHE-ECDSA-AES256-GCM-SHA384 [aead]
    PFS : ECC 256 bits
  Cipher TLSv1_2 ECDHE-ECDSA-CHACHA20-POLY1305 [aead]
    PFS : ECC 256 bits

Cipher suite preferences
  TLSv1_2  : ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-CHACHA20-POLY1305

Supported elliptic curves
  ECC curve secp256k1
  ECC curve prime256v1
Curves preference : prime256v1, secp256k1

Fallback SCSV : not applicable

Certificates
  Certificate /CN=searx.bar [284771186420546172516573984173817450912279] issued by /C=US/O=Let's Encrypt/CN=R3
    Key : ECC prime256v1 256 bits
    Identity : valid
    Trust : trusted
HSTS : 31536000

Grade : A+
{
    :critical => {
        :mdc2_sign => false,
         :md2_sign => false,
         :md4_sign => false,
         :md5_sign => false,
         :sha_sign => false,
        :sha1_sign => false,
              :ecc => false,
            :sslv2 => false,
            :sslv3 => false,
              :dss => false,
        :anonymous => false,
             :null => false,
           :export => false,
              :des => false,
              :md5 => false,
              :rc4 => false,
          :sweet32 => false
    },
       :error => {
            :ecc => false,
        :tlsv1_0 => false,
        :tlsv1_1 => false,
            :pfs => false
    },
     :warning => {
        :hsts => false,
         :ecc => false,
        :sha1 => false,
         :dhe => false
    },
        :good => {
        :fallback_scsv => nil,
                 :hsts => true,
                 :aead => true
    },
       :great => {
        :hsts => true
    },
        :best => {}
}

aeris commented 3 years ago

Seems to be trouble with Scaleway DNS

# dig searx.bar @10.194.3.3 

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> searx.bar @10.194.3.3
;; global options: +cmd
;; connection timed out; no servers could be reached

I rerouted DNS to internal unbound and it's now working :blush:

# dig searx.bar @::1       

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> searx.bar @::1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31409
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;searx.bar.                     IN      A

;; ANSWER SECTION:
searx.bar.              10702   IN      A       129.213.118.27

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Dec 24 23:11:28 UTC 2020
;; MSG SIZE  rcvd: 54

https://cryptcheck.fr/https/searx.bar

zevlee commented 3 years ago

It looks like the issue has reappeared. I'm seeing the same error as before. Is there a way to make the change persistent?

aeris commented 3 years ago

Seems something reset /etc/resolv.conf… Will look for that.

zevlee commented 3 years ago

Maybe you could try making /etc/resolv.conf be a symbolic link to some other file? That's what I did to prevent my resolv.conf from being overwritten.
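As an added example (not part of this issue or of cryptcheck itself), a POSIX sh preflight for a scan host that reproduces the diagnosis above: it queries the target through every nameserver listed in /etc/resolv.conf with a short timeout, classifies the dig output the way the two runs above differ (timeout versus a NOERROR answer), and reports whether /etc/resolv.conf is a symlink as the last comment suggests. The two sample dig outputs are constructed from the thread; `dig` is assumed to be installed for the live check.

```shell
# Added example, not cryptcheck code. Preflight for a scan host whose resolver may
# be unreachable (the failure mode in this issue). Assumes dig for the live check.

# Constructed dig outputs mirroring the two runs in the thread.
SAMPLE_TIMEOUT=';; global options: +cmd
;; connection timed out; no servers could be reached'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31409
;; QUESTION SECTION:
;searx.bar.                     IN      A
;; ANSWER SECTION:
searx.bar.              10702   IN      A       129.213.118.27'

# Classify captured dig output ($1): "unreachable", "resolved <ip>" or "failed <status>".
classify_dig_output() {
  case $1 in
    *"no servers could be reached"*) echo unreachable; return 0 ;;
  esac
  status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  if [ "$status" = NOERROR ]; then
    # Answer-section A record: "<name> <ttl> IN A <ip>"; question lines start with ';'.
    ip=$(printf '%s\n' "$1" | awk '$1 !~ /^;/ && $3=="IN" && $4=="A" {print $5; exit}')
    [ -n "$ip" ] && { echo "resolved $ip"; return 0; }
  fi
  echo "failed ${status:-unknown}"
}

# Print nameserver addresses from resolv.conf text ($1), skipping comments/options.
resolv_nameservers() {
  printf '%s\n' "$1" | awk '$1=="nameserver" {print $2}'
}

# Report whether a resolv.conf path ($1) is a symlink (the persistence approach
# suggested in the last comment) or a plain file that a DHCP client may rewrite.
resolv_conf_persistence() {
  if [ -L "$1" ]; then echo "symlink -> $(readlink "$1")"
  elif [ -f "$1" ]; then echo "regular file (may be rewritten by DHCP/cloud-init)"
  else echo "missing"; fi
}

# Live check: query $1 via every configured resolver with a 2 s timeout, one try each.
preflight_check() {
  for ns in $(resolv_nameservers "$(cat /etc/resolv.conf)"); do
    out=$(dig +time=2 +tries=1 "$1" @"$ns" 2>&1 || true)
    printf '%-20s %s\n' "$ns" "$(classify_dig_output "$out")"
  done
  resolv_conf_persistence /etc/resolv.conf
}
if [ $# -gt 0 ]; then preflight_check "$1"
else classify_dig_output "$SAMPLE_TIMEOUT"; classify_dig_output "$SAMPLE_OK"; fi
```

Run it as `sh preflight.sh searx.bar` on the scanning host; a resolver line reading `unreachable` points at the host's DNS, not at the target.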