search

chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0
2.78k stars 186 forks source link

null.badssl.com does not offer NULL cipher suites, does offer non-NULL cipher suites #512

Closed kitzmiller closed 1 year ago

kitzmiller commented 1 year ago

On modern versions of OpenSSL (1.1.1f, 1.1.1q) I'm not able to connect to null.badssl.com but with older versions (1.0.1e, 1.0.1t) I'm able to connect with TLSv1.1 and TLSv1.0 and get cipher suites with AES128, AES256, 3DES, and Camellia but do not get any NULL cipher suites.

  $ openssl version ; echo | openssl s_client -tls1_1 -connect null.badssl.com:443 2>/dev/null | grep Cipher
  OpenSSL 1.0.1e 11 Feb 2013
  New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
      Cipher    : ECDHE-RSA-AES128-SHA

  $ openssl version ; echo | openssl s_client -tls1_1 -connect null.badssl.com:443 2>/dev/null | grep Cipher
  OpenSSL 1.0.1t  3 May 2016
  New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
      Cipher    : ECDHE-RSA-AES128-SHA

Enumerating the ciphers at null.badssl.com shows that it supports the following cipher suites with TLSv1.1 and TLSv1.0:

ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA:CAMELLIA128-SHA

Using either -cipher 'eNULL', -cipher 'COMPLEMENTOFALL', or -cipher 'ECDHE-RSA-NULL-SHA:ECDHE-ECDSA-NULL-SHA:AECDH-NULL-SHA:ECDH-RSA-NULL-SHA:ECDH-ECDSA-NULL-SHA:NULL-SHA256:NULL-SHA:NULL-MD5' I get:

  $ openssl version ; echo | openssl s_client -tls1_1 -cipher 'eNULL' -connect null.badssl.com:443 2>/dev/null | grep Cipher
  OpenSSL 1.0.1e 11 Feb 2013
  New, (NONE), Cipher is (NONE)
      Cipher    : 0000

I'm not sure why newer OpenSSL versions don't connect at all. I'm guessing that because null.badssl.com doesn't appear to support TLSv1.2 that no modern browsers are able to connect to it and then it generates the expected result (but for the wrong reason).

kitzmiller commented 1 year ago

Whoops, my bad. I was unaware that s_client did not do SNI by default. Adding -servername null.badssl.com allows the older versions of OpenSSL to connect and they see the following ciphers:

ECDHE-RSA-NULL-SHA:AECDH-NULL-SHA:NULL-SHA:AECDH-AES256-SHA:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:AECDH-AES128-SHA:ADH-AES128-SHA:ADH-SEED-SHA

Adding @SECLEVEL=0 to the front of my -cipher string for 1.1.1f and 1.1.1q got:

ECDHE-RSA-NULL-SHA:AECDH-NULL-SHA:NULL-SHA256:NULL-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-SEED-SHA:ADH-CAMELLIA128-SHA