drwetter / testssl.sh

Testing TLS/SSL encryption anywhere on any port
https://testssl.sh
GNU General Public License v2.0

X25519 curve produces weird test results #1087

Closed (gkroon closed this issue 5 years ago)

gkroon commented 6 years ago

Please find below the detailed information regarding my problem, what I expected and how to reproduce.

1. testssl version from the banner (testssl.sh -b 2>/dev/null | head -4 | tail -2): testssl.sh 2.9dev from https://testssl.sh/dev/

2. what exactly was happening, output is needed: When switching from secp384r1 to X25519, no full TLS handshakes seem to be parsed correctly by the script. I cannot test servers with similar configurations as a result.

###########################################################
    testssl.sh       2.9dev from https://testssl.sh/dev/

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2o  27 Mar 2018" [~125 ciphers]
 on nostromo:/usr/bin/openssl
 (built: "reproducible build, date unspecified", platform: "linux-x86_64")

 Start 2018-07-16 00:18:52        -->> xxx.xxx.xxx.xxx:443 (xxx.xxx) <<--

 further IP addresses:   xxxx 
 rDNS (xxx.xxx.xxx.xxx):   xxxx 

 xxx.xxx.xxx.xxx:443 doesn't seem to be a TLS/SSL enabled server
 The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes
 Service detected:       Couldn't determine what's running on port 443, assuming no HTTP service => skipping all HTTP checks

 Testing protocols via sockets except SPDY+HTTP2 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 SPDY/NPN   (SPDY is an HTTP protocol and thus not tested here)
 HTTP2/ALPN (HTTP/2 is a HTTP protocol and thus not tested here)

 Testing ~standard cipher categories 

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES encryption (w/o export)     not offered (OK)
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    not offered (OK)
 Triple DES Ciphers (Medium)                   not offered (OK)
 High encryption (AES+Camellia, no AEAD)       not offered
 Strong encryption (AEAD ciphers)              offered (OK)

 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

 PFS is offered (OK)          ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 
 Elliptic curves offered:     X25519 

 Testing server preferences 

 Has server cipher order?     no matching cipher in this list found (pls report this): DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256  . 

 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "extended master secret/#23" "application layer protocol negotiation/#16"
 Session Ticket RFC 5077 hint (no lifetime advertised)
 SSL Session ID support       yes
 Session Resumption           Ticket resumption test failed, pls report / ID resumption test failed, pls report
 TLS clock skew               Random values, no fingerprinting possible 

 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  --   (applicable only for HTTPS)
 Secure Renegotiation (CVE-2009-3555)      handshake didn't succeed
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                test failed (couldn't connect)
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible, TLS 1.2 is the only protocol (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
 BEAST (CVE-2011-3389)                     no SSL3 or TLS1 (OK)
 LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

 Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        

Could not determine which protocol was started, only simulating generic clients.

 Running client simulations via sockets 

 Java 6u45                    No connection
 Java 7u25                    No connection
 Java 8u31                    No connection
 OpenSSL 1.0.1l               No connection
 OpenSSL 1.0.2e               No connection

 Done 2018-07-16 00:19:19 [  27s] -->> xxx.xxx.xxx.xxx:xxx (xxx.xxx) <<--

3. what did you expect instead? I expected a normal report without warnings/errors like:

 xxx.xxx.xxx.xxx:443 doesn't seem to be a TLS/SSL enabled server
 The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes
 Service detected:       Couldn't determine what's running on port 443, assuming no HTTP service => skipping all HTTP checks

[...]

Has server cipher order? no matching cipher in this list found (pls report this): DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256 .

[...]

Session Resumption Ticket resumption test failed, pls report / ID resumption test failed, pls report

[...]

Secure Renegotiation (CVE-2009-3555) handshake didn't succeed

and

CRIME, TLS (CVE-2012-4929) test failed (couldn't connect)

4. steps to reproduce

  1. testssl.sh command line: testssl.sh foo.bar (target needs to (only) support X25519)

  2. if possible: target IP: I'd like to avoid this

  3. openssl version used (testssl.sh -b 2>/dev/null | head -16 | tail -3):

      on nostromo:/usr/bin/openssl
      (built: "reproducible build, date unspecified", platform: "linux-x86_64")

  4. your operating system (uname -a): Linux nostromo 4.17.5-zen #1 ZEN SMP PREEMPT Tue Jul 10 20:13:39 -00 2018 x86_64 Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz GenuineIntel GNU/Linux

I'm on Gentoo and I've successfully built net-analyzer/testssl with the bundled-openssl USE flag.

drwetter commented 6 years ago

Hi @gkroon,

thx for your report. I am curious, could you DM me (grep SWCONTACT testssl.sh) the server hostname?

While there might be a few constraints left using this curve only: the version of testssl.sh you're using is a bit old. Don't know the repo you're referring to but that should be updated, too.

As a start I'd recommend using a newer one. Then pls use --assume-http, so that the client simulation will assume HTTP.

Don't know whether this is deliberate: no Safari and no IE browser can connect to your site, probably other less used browsers too.

gkroon commented 6 years ago

Hi @drwetter ,

Thanks for your reply! I've now updated using the latest testing ebuild (2.9.5-4) from the Gentoo packages (https://packages.gentoo.org/packages/net-analyzer/testssl) and ran another test using --assume-http this time:


###########################################################
    testssl.sh       2.9.5-4 from https://testssl.sh/

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2o  27 Mar 2018" [~125 ciphers]
 on nostromo:/usr/bin/openssl
 (built: "reproducible build, date unspecified", platform: "linux-x86_64")

 Start 2018-07-16 11:29:08        -->> xxx.xxx.xxx.xxx:443 (xxx.xxx) <<--

 further IP addresses:   xxxx 
 rDNS (xxx.xxx.xxx.xxx):   xxxx

 xxx.xxx.xxx.xxx:443 doesn't seem to be a TLS/SSL enabled server
 The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes
 Service detected:       Couldn't determine what's running on port 443 -- ASSUME_HTTP set though

 Testing protocols via sockets except SPDY+HTTP2 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 SPDY/NPN   not offered
 HTTP2/ALPN not offered

 Testing ~standard cipher categories 

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES encryption (w/o export)     not offered (OK)
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    not offered (OK)
 Triple DES Ciphers (Medium)                   not offered (OK)
 High encryption (AES+Camellia, no AEAD)       not offered
 Strong encryption (AEAD ciphers)              offered (OK)

 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

 PFS is offered (OK)          ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 
 Elliptic curves offered:     X25519 

 Testing server preferences 

 Has server cipher order?     no matching cipher in this list found (pls report this): DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256  . 

 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11"
                              "extended master secret/#23"
                              "application layer protocol negotiation/#16"
 Session Ticket RFC 5077 hint (no lifetime advertised)
 SSL Session ID support       yes
 Session Resumption           Ticket resumption test failed, pls report / ID resumption test failed, pls report
 TLS clock skew               Random values, no fingerprinting possible 

 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK), no session ticket extension
 Secure Renegotiation (CVE-2009-3555)      handshake didn't succeed
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                test failed (couldn't connect)
 BREACH (CVE-2013-3587)                    failed (HTTP header request stalled) 
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible, TLS 1.2 is the only protocol (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
 BEAST (CVE-2011-3389)                     no SSL3 or TLS1 (OK)
 LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

 Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        

 Running client simulations via sockets 

 Android 2.3.7                No connection
 Android 4.1.1                No connection
 Android 4.3                  No connection
 Android 4.4.2                No connection
 Android 5.0.0                No connection
 Android 6.0                  No connection
 Android 7.0                  TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 Chrome 51 Win 7              TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 Chrome 57 Win 7              TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 Firefox 49 Win 7             No connection
 Firefox 53 Win 7             TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 7 Vista                   No connection
 IE 8 XP                      No connection
 IE 8 Win 7                   No connection
 IE 11 Win 7                  No connection
 IE 11 Win 8.1                No connection
 IE 11 Win Phone 8.1 Update   No connection
 IE 11 Win 10                 No connection
 Edge 13 Win 10               No connection
 Edge 13 Win Phone 10         No connection
 Opera 17 Win 7               No connection
 Safari 5.1.9 OS X 10.6.8     No connection
 Safari 7 iOS 7.1             No connection
 Safari 9 OS X 10.11          No connection
 Safari 10 OS X 10.12         No connection
 Apple ATS 9 iOS 9            No connection
 Tor 17.0.9 Win 7             No connection
 Java 6u45                    No connection
 Java 7u25                    No connection
 Java 8u31                    No connection
 OpenSSL 1.0.1l               No connection
 OpenSSL 1.0.2e               No connection

 Done 2018-07-16 11:29:55 [  47s] -->> xxx.xxx.xxx.xxx:443 (xxx.xxx) <<--

I then also cloned your GitHub repo and ran the script from the 2.9dev branch:


###########################################################
    testssl.sh       3.0beta from https://testssl.sh/dev/
    (c0921c8 2018-07-11 11:03:52 -- )

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
 on nostromo:./bin/openssl.Linux.x86_64
 (built: "Jun 22 19:32:29 2016", platform: "linux-x86_64")

 Start 2018-07-16 11:33:46        -->> xxx.xxx.xxx.xxx:443 (xxx.xxx) <<--

 Further IP addresses:   xxxx 
 rDNS (xxx.xxx.xxx.xxx):   xxxx

 xxx.xxx.xxx.xxx:443 doesn't seem to be a TLS/SSL enabled server
 The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes
 Service detected:       Couldn't determine what's running on port 443 -- ASSUME_HTTP set though

 Testing protocols via sockets except NPN+ALPN 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Testing cipher categories 

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES encryption (w/o export)     not offered (OK)
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    not offered (OK)
 Triple DES Ciphers (Medium)                   not offered (OK)
 High encryption (AES+Camellia, no AEAD)       not offered
 Strong encryption (AEAD ciphers)              offered (OK)

 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

 PFS is offered (OK)          ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 
 Elliptic curves offered:     X25519 

 Testing server preferences 

 Has server cipher order?     no matching cipher in this list found (pls report this): DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:ADH-AES256-GCM-SHA384:AECDH-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256  . 

 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11"
                              "extended master secret/#23"
                              "application layer protocol negotiation/#16"
 Session Ticket RFC 5077 hint (no lifetime advertised)
 SSL Session ID support       yes
 Session Resumption           Ticket resumption test failed, pls report / ID resumption test failed, pls report
 TLS clock skew               Random values, no fingerprinting possible 

 Testing HTTP header response @ "/" 

 HTTP header reply empty
 HTTP header reply empty
 HTTP header reply empty

Fatal error: repeatedly HTTP header was zero, doesn't make sense to continue

Sadly none of them seem to scan my web server properly yet, but yes, my configuration is deliberate as this is my personal web server I experiment with. And sure, I would like to DM you the hostname, but can you confirm 332E315A3ADDAAEE6A113957C9AEECE1D0A74569 is the fingerprint of your GPG key?

Note: I've deleted my previous comment as this showed my hostname, so you should already have it in your email.

drwetter commented 6 years ago

Sadly none of them seem to scan my web server properly

Slightly disagree here. 2.9.5 went through but the repeated header request seems unreasonable. This is because here openssl is used as a vehicle for getting the HTTP header. Normally this is done once and the retrieved header is being parsed. The ugliness is due to the fact that, as the first request failed, it tried every time.

For 3.0beta there's a measure in place counting failures. This shouldn't happen here though. You can set the threshold higher until this is being fixed (see man page).

The server preference check needs attention.

Cheers, Dirk -- Sent from my mobile. Excuse my brevity&typos+the phone's autocorrection

dcooper16 commented 6 years ago

Hi @gkroon,

testssl.sh relies on OpenSSL for some tests that it performs, but not for others. For the tests that rely on OpenSSL, testssl.sh won't be able to produce good results unless the version of OpenSSL being used supports at least one cipher suite that is also supported by the server.

In this case, the server only supports two cipher suites, both of which involve an ephemeral ECDH key, and, since the server only supports X25519, they require the client to support X25519. Support for X25519 was added to OpenSSL in version 1.1.0, and the version that you are using with testssl.sh is 1.0.2.

If you want to use testssl.sh to scan a server that only supports cipher suites that require support for X25519 then try using OpenSSL 1.1.0 or the test version of 1.1.1, both of which are available from https://www.openssl.org/source.

We have been working to make testssl.sh more and more independent of OpenSSL, but there are still some places where it is needed.

gkroon commented 6 years ago

Thank you both for explaining! What you said is correct, in so far that I'm aware of my configuration. But I didn't know that this is due to an older OpenSSL version. Which also explains that other scanners are showing similar issues, assuming they also use an older OpenSSL. SSL Labs also can't handle my configuration, and neither can Internet.nl.

It seems I'll have to wait for Gentoo to update their OpenSSL ebuilds to 1.1.x in the future.

drwetter commented 6 years ago

Is there no newer version in Gentoo? I am a Gentoo n00b but I thought you always get the latest and greatest?

dcooper16 commented 6 years ago

It seems I'll have to wait for Gentoo to update their OpenSSL ebuilds to 1.1.x in the future.

You don't have to wait. You can just download OpenSSL 1.1.0h or 1.1.1-pre8 from https://www.openssl.org/source, compile it, and then use that version with testssl.sh. You can use the --openssl option to specify which OpenSSL binary to use.
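The two points made in this thread, that a 1.0.2 binary cannot complete a handshake with an X25519-only server (dcooper16's earlier comment) and that the fix is to build a newer OpenSSL and hand it to testssl.sh with --openssl (the comment above), can be turned into a small pre-flight script. This is an added example, not testssl.sh's own code and not the compile script gkroon or drwetter mention; the install prefix, file names and the `genpkey -algorithm X25519` probe are assumptions of this example, the version rule (X25519 from 1.1.0 onwards) and the download location are taken from the thread.

```shell
#!/bin/sh
# Added example (not part of testssl.sh): check whether an openssl binary is new
# enough to negotiate X25519, and build a newer OpenSSL for testssl.sh --openssl.

# openssl_version_ok BANNER
#   BANNER is the output of `openssl version`, e.g. "OpenSSL 1.0.2o  27 Mar 2018".
#   Returns 0 when the version is >= 1.1.0 (X25519 available, per the thread),
#   1 when it is older, 2 when the banner is not an OpenSSL banner (LibreSSL
#   etc.), where this version rule does not apply.
openssl_version_ok() {
    nums=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$nums" ] || return 2
    set -- $nums                      # $1=major $2=minor $3=patch
    if [ "$1" -gt 1 ]; then
        return 0
    elif [ "$1" -eq 1 ] && [ "$2" -ge 1 ]; then
        return 0
    fi
    return 1
}

# supports_x25519 [OPENSSL_BIN]
#   Applies the version rule to a real binary (default: openssl in PATH).
supports_x25519() {
    banner=$("${1:-openssl}" version 2>/dev/null) || return 2
    openssl_version_ok "$banner"
}

# probe_x25519 [OPENSSL_BIN]
#   Functional check that does not trust the banner: ask the binary to
#   generate an X25519 key pair. Assumption: genpkey knows X25519 from 1.1.0 on.
probe_x25519() {
    "${1:-openssl}" genpkey -algorithm X25519 -out /dev/null >/dev/null 2>&1
}

# build_openssl VERSION PREFIX
#   Fetches openssl-VERSION.tar.gz plus its published .sha256 file from
#   openssl.org, verifies the digest, and installs a no-shared build under
#   PREFIX so the resulting binary runs without LD_LIBRARY_PATH tweaks.
#   Needs network access and a C toolchain; prints the binary path on success.
build_openssl() {
    version=$1; prefix=$2
    tarball="openssl-$version.tar.gz"
    url="https://www.openssl.org/source/$tarball"
    curl -fsSLO "$url" && curl -fsSLO "$url.sha256" || return 1
    expected=$(cut -d' ' -f1 < "$tarball.sha256")
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $tarball" >&2
        return 1
    fi
    tar xzf "$tarball" || return 1
    ( cd "openssl-$version" &&
      ./config --prefix="$prefix" --openssldir="$prefix/ssl" no-shared &&
      make && make install_sw ) || return 1
    echo "$prefix/bin/openssl"
}

# Usage (nothing runs when the script is called without arguments):
#   ./x25519_check.sh check [/path/to/openssl]
#   ./x25519_check.sh build 1.1.1 /opt/openssl-1.1.1
#   testssl.sh --openssl /opt/openssl-1.1.1/bin/openssl example.invalid
case "${1:-}" in
    check)
        bin=${2:-openssl}
        if supports_x25519 "$bin"; then
            echo "$bin: version >= 1.1.0, X25519 handshakes possible"
        else
            echo "$bin: too old for X25519 (or not OpenSSL); expect 'no matching cipher' against an X25519-only server"
        fi
        probe_x25519 "$bin" && echo "$bin: X25519 key generation works" ;;
    build)
        build_openssl "${2:?version}" "${3:?install prefix}" ;;
esac
```

The `check` mode reproduces the diagnosis from this thread offline: the banner "OpenSSL 1.0.2o 27 Mar 2018" from the reports above is classified as too old, while 1.1.0h or 1.1.1-pre8 pass. The `build` mode verifies the tarball digest before compiling, which the one-line "download and compile" advice above leaves implicit.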

gkroon commented 6 years ago

@drwetter That kind of depends, Arch is in some cases more bleeding edge than Gentoo, in my experience. Judging from the current state of dev-libs/openssl, OpenSSL 1.0.2o-r3 is the latest stable ebuild available. It seems that Arch is already on 1.1.0h-1.

I'm willing to compile the available 1.1.0h-r2 testing ebuild, perform a rebuild of all affected packages, and see if that helps. I'll let you guys know.

gkroon commented 6 years ago

I deemed it too risky to use a testing ebuild, and then recompile all affected packages with the testing ebuild when I can, indeed, just compile a binary myself. I chose to create a simple script (mostly for my own reference) to automatically fetch the source code tarball and compile it.

The only (expected) warning I'm left with is:

 Chain of trust Ok (Your /tmp/openssl/apps/openssl <= 1.0.2 might be too unreliable to determine trust)

So this indeed solved my problem and I can continue to scan my web server. Thanks again, guys!

drwetter commented 6 years ago

@gkroon no prob. I like to leave this open as there were a couple of minor issues you ran into, at least as long as there are no separate issues.

Thanks for your script. I uploaded my compile script for openssl 1.1.1 to ~/utils, it is derived from the script for Peter Mosmans' openssl tree.

gkroon commented 6 years ago

@drwetter That's great, can we also expect a new bin/openssl.Linux.x86_64 binary of 1.1.x in the next few releases as well then? Of course, I don't mind using my own binaries in the meantime.

drwetter commented 6 years ago

That is the way to go. Providing the binaries is not the problem. There are some known obstacles which need to be addressed and there might be problems on the other side as yours like deprecated curves.

drwetter commented 5 years ago

What needs to be fixed for 3.0:


 HTTP header reply empty
 Oops: HTTP header zero
 HTTP header reply empty
 Oops: HTTP header zero
 HTTP header reply empty

Fatal error: repeatedly HTTP header was zero, doesn't make sense to continue

drwetter commented 5 years ago

Also the server defaults section stops before Signature Algorithm, without any comment

drwetter commented 5 years ago

Open:

drwetter commented 5 years ago

The missing certificate was addressed by @dcooper16 in 8488b84136acc7a324176198514685c8c0b07c2a.