Hi @gkroon ,
thx for your report. I am curious, could you DM me (grep SWCONTACT testssl.sh) the server hostname?
While there might be a few constraints left using this curve only: The version of testssl.sh you're using is a bit old. Don't know the repo you're referring to but that should be updated, too.
As a start I'd recommend to use a newer one. Then pls use --assume-http, so that the client simulation will assume HTTP.
Don't know whether this is deliberate: No Safari and no IE browser can connect to your site, probably other less used browsers too.
Hi @drwetter ,
Thanks for your reply! I've now updated using the latest testing ebuild (2.9.5-4) from the Gentoo packages (https://packages.gentoo.org/packages/net-analyzer/testssl) and ran another test using --assume-http this time:
###########################################################
testssl.sh 2.9.5-4 from https://testssl.sh/
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2o 27 Mar 2018" [~125 ciphers]
on nostromo:/usr/bin/openssl
(built: "reproducible build, date unspecified", platform: "linux-x86_64")
Start 2018-07-16 11:29:08 -->> xxx.xxx.xxx.xxx:443 (xxx.xxx) <<--
further IP addresses: xxxx
rDNS (xxx.xxx.xxx.xxx): xxxx
xxx.xxx.xxx.xxx:443 doesn't seem to be a TLS/SSL enabled server
The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes
Service detected: Couldn't determine what's running on port 443 -- ASSUME_HTTP set though
Testing protocols via sockets except SPDY+HTTP2
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
SPDY/NPN not offered
HTTP2/ALPN not offered
Testing ~standard cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES encryption (w/o export) not offered (OK)
Weak 128 Bit ciphers (SEED, IDEA, RC[2,4]) not offered (OK)
Triple DES Ciphers (Medium) not offered (OK)
High encryption (AES+Camellia, no AEAD) not offered
Strong encryption (AEAD ciphers) offered (OK)
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
PFS is offered (OK) ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305
Elliptic curves offered: X25519
Testing server preferences
Has server cipher order? no matching cipher in this list found (pls report this): DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256 .
Testing server defaults (Server Hello)
TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11"
"extended master secret/#23"
"application layer protocol negotiation/#16"
Session Ticket RFC 5077 hint (no lifetime advertised)
SSL Session ID support yes
Session Resumption Ticket resumption test failed, pls report / ID resumption test failed, pls report
TLS clock skew Random values, no fingerprinting possible
Testing HTTP header response @ "/"
HTTP Status Code No status code
Testing HTTP header response @ "/"
HTTP Status Code No status code
Testing HTTP header response @ "/"
HTTP Status Code No status code
Testing HTTP header response @ "/"
HTTP Status Code No status code
Testing HTTP header response @ "/"
HTTP Status Code No status code
Testing HTTP header response @ "/"
HTTP Status Code No status code
Testing HTTP header response @ "/"
HTTP Status Code No status code
Testing HTTP header response @ "/"
HTTP Status Code No status code
Testing HTTP header response @ "/"
HTTP Status Code No status code
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session ticket extension
Secure Renegotiation (CVE-2009-3555) handshake didn't succeed
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) test failed (couldn't connect)
BREACH (CVE-2013-3587) failed (HTTP header request stalled)
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible, TLS 1.2 is the only protocol (OK)
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
BEAST (CVE-2011-3389) no SSL3 or TLS1 (OK)
LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK)
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Running client simulations via sockets
Android 2.3.7 No connection
Android 4.1.1 No connection
Android 4.3 No connection
Android 4.4.2 No connection
Android 5.0.0 No connection
Android 6.0 No connection
Android 7.0 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
Chrome 51 Win 7 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
Chrome 57 Win 7 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
Firefox 49 Win 7 No connection
Firefox 53 Win 7 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
IE 6 XP No connection
IE 7 Vista No connection
IE 8 XP No connection
IE 8 Win 7 No connection
IE 11 Win 7 No connection
IE 11 Win 8.1 No connection
IE 11 Win Phone 8.1 Update No connection
IE 11 Win 10 No connection
Edge 13 Win 10 No connection
Edge 13 Win Phone 10 No connection
Opera 17 Win 7 No connection
Safari 5.1.9 OS X 10.6.8 No connection
Safari 7 iOS 7.1 No connection
Safari 9 OS X 10.11 No connection
Safari 10 OS X 10.12 No connection
Apple ATS 9 iOS 9 No connection
Tor 17.0.9 Win 7 No connection
Java 6u45 No connection
Java 7u25 No connection
Java 8u31 No connection
OpenSSL 1.0.1l No connection
OpenSSL 1.0.2e No connection
Done 2018-07-16 11:29:55 [ 47s] -->> xxx.xxx.xxx.xxx:443 (xxx.xxx) <<--
I then also cloned your GitHub repo and ran the script from the 2.9dev branch:
###########################################################
testssl.sh 3.0beta from https://testssl.sh/dev/
(c0921c8 2018-07-11 11:03:52 -- )
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
on nostromo:./bin/openssl.Linux.x86_64
(built: "Jun 22 19:32:29 2016", platform: "linux-x86_64")
Start 2018-07-16 11:33:46 -->> xxx.xxx.xxx.xxx:443 (xxx.xxx) <<--
Further IP addresses: xxxx
rDNS (xxx.xxx.xxx.xxx): xxxx
xxx.xxx.xxx.xxx:443 doesn't seem to be a TLS/SSL enabled server
The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes
Service detected: Couldn't determine what's running on port 443 -- ASSUME_HTTP set though
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 not offered
NPN/SPDY not offered
ALPN/HTTP2 not offered
Testing cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES encryption (w/o export) not offered (OK)
Weak 128 Bit ciphers (SEED, IDEA, RC[2,4]) not offered (OK)
Triple DES Ciphers (Medium) not offered (OK)
High encryption (AES+Camellia, no AEAD) not offered
Strong encryption (AEAD ciphers) offered (OK)
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
PFS is offered (OK) ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305
Elliptic curves offered: X25519
Testing server preferences
Has server cipher order? no matching cipher in this list found (pls report this): DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:ADH-AES256-GCM-SHA384:AECDH-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 .
Testing server defaults (Server Hello)
TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11"
"extended master secret/#23"
"application layer protocol negotiation/#16"
Session Ticket RFC 5077 hint (no lifetime advertised)
SSL Session ID support yes
Session Resumption Ticket resumption test failed, pls report / ID resumption test failed, pls report
TLS clock skew Random values, no fingerprinting possible
Testing HTTP header response @ "/"
HTTP header reply empty
HTTP header reply empty
HTTP header reply empty
Fatal error: repeatedly HTTP header was zero, doesn't make sense to continue
Sadly none of them seem to scan my web server properly yet, but yes, my configuration is deliberate as this is my personal web server I experiment with. And sure, I would like to DM you the hostname, but can you confirm 332E315A3ADDAAEE6A113957C9AEECE1D0A74569 is the fingerprint of your GPG key?
Note: I've deleted my previous comment as this showed my hostname so you should already have it in your email. :manfacepalming:
Sadly none of them seem to scan my web server properly
Slightly disagree here. 2.9.5 went through but the repeated header requests seem unreasonable. This is because here openssl is used as a vehicle for getting the http header. Normally this is done once and the retrieved header is being parsed. The ugliness is due to the fact that as the first request failed it tried every time.
For 3.0beta there's a measure in place counting failures. This shouldn't happen here though. You can set the threshold higher until this is being fixed (see man page).
The server preference check is needing attention.
Cheers, Dirk -- Sent from my mobile. Excuse my brevity&typos+the phone's autocorrection
Hi @gkroon,
testssl.sh relies on OpenSSL for some tests that it performs, but not for others. For the tests that rely on OpenSSL, testssl.sh won't be able to produce good results unless the version of OpenSSL being used supports at least one cipher suite that is also supported by the server.
In this case, the server only supports two cipher suites, both of which involve an ephemeral ECDH key, and, since the server only supports X25519, they require the client to support X25519. Support for X25519 was added to OpenSSL in version 1.1.0, and the version that you are using with testssl.sh is 1.0.2.
If you want to use testssl.sh to scan a server that only supports cipher suites that require support for X25519 then try using OpenSSL 1.1.0 or the test version of 1.1.1, both of which are available from https://www.openssl.org/source.
We have been working to make testssl.sh more and more independent of OpenSSL, but there are still some places where it is needed.
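The reasoning in the comment above (every offered suite uses ephemeral ECDH, the only curve offered is X25519, so a client without X25519 has no suite it can use) can be checked mechanically against a testssl.sh report. The following script is an added example and is not part of testssl.sh; the cipher table and curve line are copied from the report earlier in this thread, the function names are this example's own, and the two client curve lists are constructed for illustration (stock OpenSSL 1.0.2 knows only the NIST curves, 1.1.0 added X25519).

```shell
#!/bin/sh
# Added example, not part of testssl.sh: decide from a testssl.sh report whether a
# client restricted to a given set of elliptic curves has any usable cipher suite.

# Constructed sample: the cipher table and curve line from the report in this thread.
SAMPLE_CIPHERS='Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'
SAMPLE_CURVES='Elliptic curves offered: X25519'

# Client curve lists, constructed for illustration (approximate, not authoritative):
# stock OpenSSL 1.0.2 offers only NIST curves; OpenSSL 1.1.0 added X25519.
CURVES_OPENSSL_102='secp256r1 secp384r1 secp521r1'
CURVES_OPENSSL_110='X25519 secp256r1 secp384r1 secp521r1'

# Print "<RFC suite name> <key exchange>" for every table row. Rows start with the
# 4-hex-digit cipher code (e.g. xc030); every other report line is ignored.
cipher_kx_pairs() {
    printf '%s\n' "$1" | awk '$1 ~ /^x[0-9a-f][0-9a-f][0-9a-f][0-9a-f]$/ { print $NF, $3 }'
}

# Print the curves from the "Elliptic curves offered:" line, one per line.
offered_curves() {
    printf '%s\n' "$1" | sed -n 's/^ *Elliptic curves offered: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# Print "yes" if a client that supports only the curves in $3 (space separated) can
# complete a handshake with the server described by $1 (cipher table) and $2 (curve
# line): a suite is usable when its key exchange is not ECDH (no curve needed at all)
# or when server and client share at least one curve. Otherwise print "no".
client_has_usable_suite() {
    table="$1"; curves_line="$2"; client_curves="$3"
    server_curves=$(offered_curves "$curves_line")
    result=no
    while read -r rfc kx; do
        [ -n "$rfc" ] || continue
        if [ "$kx" != ECDH ]; then
            result=yes; break
        fi
        for c in $client_curves; do
            if printf '%s\n' "$server_curves" | grep -qx "$c"; then
                result=yes; break 2
            fi
        done
    done <<EOF
$(cipher_kx_pairs "$table")
EOF
    echo "$result"
}

# Usage: run both constructed client profiles against the sample report.
echo "OpenSSL 1.0.2 client: $(client_has_usable_suite "$SAMPLE_CIPHERS" "$SAMPLE_CURVES" "$CURVES_OPENSSL_102")"
echo "OpenSSL 1.1.0 client: $(client_has_usable_suite "$SAMPLE_CIPHERS" "$SAMPLE_CURVES" "$CURVES_OPENSSL_110")"
```

Against the sample, the 1.0.2 profile gets "no" and the 1.1.0 profile "yes", which is exactly the situation in the report: the handshake fails before any OpenSSL-based test can run, and the symptom shows up as the unhelpful "doesn't seem to be a TLS/SSL enabled server" message rather than as an explicit curve mismatch.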
Thank you both for explaining! What you said is correct, in so far that I'm aware of my configuration. But I didn't know that this is due to an older OpenSSL version. Which also explains that other scanners are showing similar issues, assuming they also use an older OpenSSL. SSL Labs also can't handle my configuration, and neither can Internet.nl.
It seems I'll have to wait for Gentoo to update their OpenSSL ebuilds to 1.1.x in the future.
Is there no newer version in Gentoo? I am a Gentoo n00b but I thought you always get the latest and greatest? -- Sent from my mobile. Excuse my brevity&typos+the phone's autocorrection
It seems I'll have to wait for Gentoo to update their OpenSSL ebuilds to 1.1.x in the future.
You don't have to wait. You can just download OpenSSL 1.1.0h or 1.1.1-pre8 from https://www.openssl.org/source, compile it, and then use that version with testssl.sh. You can use the --openssl option to specify which OpenSSL binary to use.
@drwetter That kind of depends, Arch is in some cases more bleeding edge than Gentoo, in my experience. Judging from the current state of dev-libs/openssl, OpenSSL 1.0.2o-r3 is the latest stable ebuild available. It seems that Arch is already on 1.1.0h-1.
I'm willing to compile the available 1.1.0h-r2 testing ebuild, perform a rebuild of all affected packages, and see if that helps. I'll let you guys know. :slightly_smiling_face:
I deemed it too risky to use a testing ebuild, and then recompile all affected packages with the testing ebuild when I can, indeed, just compile a binary myself. I chose to create a simple script (mostly for my own reference) to automatically fetch the source code tarball and compile it.
The only (expected) warning I'm left with is:
Chain of trust Ok (Your /tmp/openssl/apps/openssl <= 1.0.2 might be too unreliable to determine trust)
So this indeed solved my problem and I can continue to scan my web server. Thanks again, guys!
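The procedure described by dcooper16 (download a 1.1.x tarball from https://www.openssl.org/source, compile it, point testssl.sh at the binary with --openssl) and the compile script gkroon mentions can be put into one script. The one below is an added example, neither testssl.sh's code nor either participant's script: the install prefix /opt/openssl-<version>, the function names and the sample version banners are this example's own choices. It also checks the "openssl version" banner and probes the binary for X25519 before deciding whether a build is needed at all.

```shell
#!/bin/sh
# Added example, not part of testssl.sh: build a recent OpenSSL into its own prefix
# and run testssl.sh against it with --openssl (see the thread above). The prefix
# /opt/openssl-<version> and all function names are this example's assumptions.
set -u

# Extract "major.minor" from an "openssl version" banner, e.g.
# "OpenSSL 1.0.2o 27 Mar 2018" -> "1.0". Prints nothing for non-OpenSSL banners.
openssl_major_minor() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Print "yes" if the banner is OpenSSL 1.1.0 or later (the first release with X25519,
# as noted in the thread), "no" for older OpenSSL, "unknown" if it cannot be parsed.
banner_supports_x25519() {
    mm=$(openssl_major_minor "$1")
    [ -n "$mm" ] || { echo unknown; return 0; }
    major=${mm%.*}; minor=${mm#*.}
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; }; then
        echo yes
    else
        echo no
    fi
}

# Probe a real binary instead of trusting its banner: ask it to generate an X25519
# key pair. Exit status 0 means the binary can negotiate X25519.
binary_supports_x25519() {
    "$1" genpkey -algorithm X25519 -out /dev/null >/dev/null 2>&1
}

# Download openssl-<version>.tar.gz from the source URL given in the thread and build
# it into <prefix>; no-shared gives a binary that runs without LD_LIBRARY_PATH and
# leaves the distribution's own OpenSSL untouched.
build_openssl() {
    version="$1"; prefix="${2:-/opt/openssl-$version}"
    tarball="openssl-$version.tar.gz"
    curl -fsSLO "https://www.openssl.org/source/$tarball" || return 1
    tar xzf "$tarball" || return 1
    ( cd "openssl-$version" \
        && ./config no-shared --prefix="$prefix" --openssldir="$prefix/ssl" \
        && make -j"$(nproc 2>/dev/null || echo 2)" \
        && make install_sw )
}

# Build only if the binary in the prefix cannot do X25519, then scan with it.
# --assume-http is the switch recommended earlier in this thread.
build_and_scan() {
    prefix="/opt/openssl-$1"
    if ! binary_supports_x25519 "$prefix/bin/openssl"; then
        build_openssl "$1" "$prefix" || return 1
    fi
    testssl.sh --openssl "$prefix/bin/openssl" --assume-http "$2"
}

# The network/build part only runs when asked for explicitly, e.g.
#   RUN_BUILD=1 sh build-and-scan.sh 1.1.0h example.org
if [ "${RUN_BUILD:-0}" = 1 ]; then
    build_and_scan "$1" "$2"
fi
```

The probe is the part worth keeping even without the build step: a banner such as "OpenSSL 1.0.2-chacha (1.0.2i-dev)", the bundled binary used in the 3.0beta run above, parses as 1.0 and is correctly reported as lacking X25519, while a vendor-patched 1.0.2 that has backported X25519 would still pass the genpkey probe.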
@gkroon no prob. I'd like to leave this open as there were a couple of minor issues you ran into, at least as long as there are no separate issues.
Thanks for your script. I uploaded my compile script for openssl 1.1.1 to ~/utils; it is derived from the script for Peter Mosmans' openssl tree.
@drwetter That's great, can we also expect a new bin/openssl.Linux.x86_64 binary of 1.1.x in the next few releases as well then? Of course, I don't mind using my own binaries in the meantime.
That is the way to go. Providing the binaries is not the problem. There are some known obstacles which need to be addressed and there might be problems on the other side as yours like deprecated curves.
What needs to be fixed for 3.0:
HTTP header reply empty
Oops: HTTP header zero
HTTP header reply empty
Oops: HTTP header zero
HTTP header reply empty
Fatal error: repeatedly HTTP header was zero, doesn't make sense to continue
Also the server defaults section stops before Signature Algorithm, without any comment.
Open: run_server_defaults() will continue to run determine_optimal_proto()
The missing certificate was addressed by @dcooper16 in 8488b84136acc7a324176198514685c8c0b07c2a.
Please find below the detailed information regarding my problem, what I expected and how to reproduce.
1. testssl version from the banner (testssl.sh -b 2>/dev/null | head -4 | tail -2)
testssl.sh 2.9dev from https://testssl.sh/dev/
2. what exactly was happening, output is needed
When switching from secp384r1 to X25519, no full TLS handshakes seem to be parsed correctly by the script. I cannot test servers with similar configurations as a result.
3. what did you expect instead?
I expected a normal report without warnings/errors like:
[...]
Has server cipher order? no matching cipher in this list found (pls report this): DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256 .
[...]
Session Resumption Ticket resumption test failed, pls report / ID resumption test failed, pls report
[...]
Secure Renegotiation (CVE-2009-3555) handshake didn't succeed
and
CRIME, TLS (CVE-2012-4929) test failed (couldn't connect)
4. steps to reproduce
testssl.sh command line: testssl.sh foo.bar (target needs to (only) support X25519)
if possible: target IP: I'd like to avoid this
openssl version used (testssl.sh -b 2>/dev/null | head -16 | tail -3)
your operating system (uname -a): Linux nostromo 4.17.5-zen #1 ZEN SMP PREEMPT Tue Jul 10 20:13:39 -00 2018 x86_64 Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz GenuineIntel GNU/Linux
I'm on Gentoo and I've successfully built net-analyzer/testssl with the bundled-openssl USE flag.