drwetter
commented
5 years ago Hi @rcombs ,
if I use --debug=5:
sending client hello... sending client hello...
"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03\x54\x51\x1e\x7a\xde\xad\xbe\xef\x31\x33\x07\x00\x00\x00\x00\x00\xcf\xbd\x39\x04\xcc\x16\x0b\x85\x03\x90\x9f\x77\x04\x33\xd4\xde\x00\x00\xfe\xcc\x14\xcc\x13\xcc\x15\xc0\x30\xc0\x2c\xc0\x28\xc0\x24\x00\xa5\x00\xa3\x00\xa1\x00\x9f\xcc\xa9\xcc\xa8\xcc\xaa\xc0\xaf\xc0\xad\xc0\xa3\xc0\x9f\x00\x6b\x00\x6a\x00\x69\x00\x68\xc0\x77\xc0\x73\x00\xc4\x00\xc3\x00\xc2\x00\xc1\xc0\x32\xc0\x2e\xc0\x2a\xc0\x26\xc0\x79\xc0\x75\x00\x9d\xc0\xa1\xc0\x9d\x00\x3d\x00\xc0\xc0\x3d\xc0\x3f\xc0\x41\xc0\x43\xc0\x45\xc0\x49\xc0\x4b\xc0\x4d\xc0\x4f\xc0\x51\xc0\x53\xc0\x55\xc0\x57\xc0\x59\xc0\x5d\xc0\x5f\xc0\x61\xc0\x63\xc0\x7b\xc0\x7d\xc0\x7f\xc0\x81\xc0\x83\xc0\x87\xc0\x89\xc0\x8b\xc0\x8d\x16\xb7\x16\xb8\x16\xb9\x16\xba\xc0\x2f\xc0\x2b\xc0\x27\xc0\x23\x00\xa4\x00\xa2\x00\xa0\x00\x9e\xc0\xae\xc0\xac\xc0\xa2\xc0\x9e\xc0\xa0\xc0\x9c\x00\x67\x00\x40\x00\x3f\x00\x3e\xc0\x76\xc0\x72\x00\xbe\x00\xbd\x00\xbc\x00\xbb\xc0\x31\xc0\x2d\xc0\x29\xc0\x25\xc0\x78\xc0\x74\x00\x9c\x00\x3c\x00\xba\xc0\x3c\xc0\x3e\xc0\x40\xc0\x42\xc0\x44\xc0\x48\xc0\x4a\xc0\x4c\xc0\x4e\xc0\x50\xc0\x52\xc0\x54\xc0\x56\xc0\x58\xc0\x5c\xc0\x5e\xc0\x60\xc0\x62\xc0\x7a\xc0\x7c\xc0\x7e\xc0\x80\xc0\x82\x00\xff\x01\x00\x00\xd5\x00\x00\x00\x1a\x00\x18\x00\x00\x15\x61\x62\x73\x74\x72\x61\x63\x74\x2e\x73\x6c\x61\x73\x68\x6e\x65\x74\x2e\x6f\x72\x67\x00\x23\x00\x00\x33\x74\x00\x00\x00\x0d\x00\x20\x00\x1e\x06\x01\x06\x02\x06\x03\x05\x01\x05\x02\x05\x03\x04\x01\x04\x02\x04\x03\x03\x01\x03\x02\x03\x03\x02\x01\x02\x02\x02\x03\x00\x0a\x00\x3e\x00\x3c\x00\x0e\x00\x0d\x00\x19\x00\x1c\x00\x1e\x00\x0b\x00\x0c\x00\x1b\x00\x18\x00\x09\x00\x0a\x00\x1a\x00\x16\x00\x17\x00\x1d\x00\x08\x00\x06\x00\x07\x00\x14\x00\x15\x00\x04\x00\x05\x00\x12\x00\x13\x00\x01\x00\x02\x00\x03\x00\x0f\x00\x10\x00\x11\x00\x0b\x00\x02\x01\x00\x00\x0f\x00\x01\x01\x00\x15\x00\x3a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
reading server hello...
00000000 45 52 52 4f 52 20 3a 43 6c 6f 73 69 6e 67 20 4c |ERROR :Closing L|
00000010 69 6e 6b 3a 20 5b 37 37 2e 36 2e 31 37 38 2e 31 |ink: [XX.YY.178.1|
00000020 34 31 5d 20 28 54 68 72 6f 74 74 6c 65 64 3a 20 |41] (Throttled: |
00000030 52 65 63 6f 6e 6e 65 63 74 69 6e 67 20 74 6f 6f |Reconnecting too|
00000040 20 66 61 73 74 29 20 2d 45 6d 61 69 6c 20 6b 6c | fast) -Email kl|
00000050 69 6e 65 40 73 6c 61 73 68 6e 65 74 2e 6f 72 67 |ine@slashnet.org|This is not a valid ServerHello but reveals a server side measure. Thus closing.
Cheers, Dirk
Please make sure that you provide enough information so that we understand what your issue is about.
testssl version from the banner (testssl.sh -b 2>/dev/null | head -4 | tail -2)
what exactly was happening, output is needed
########################################################### testssl.sh 2.9.5-7 from https://testssl.sh/ (5938cde0c 2019-03-09 03:49:55 -- )
###########################################################
Using "OpenSSL 1.0.2q 20 Nov 2018" [~125 ciphers] on MacBook-Pro:/usr/local/opt/openssl/bin/openssl (built: "reproducible build, date unspecified", platform: "darwin64-x86_64-cc")
Start 2019-03-19 23:32:49 -->> 173.255.234.71:6697 (abstract.slashnet.org) <<--
further IP addresses: 2600:3c03::f03c:91ff:fedf:243b rDNS (173.255.234.71): abstract.slashnet.org. Service detected: Couldn't determine what's running on port 6697, assuming no HTTP service => skipping all HTTP checks
Testing protocols via sockets except SPDY+HTTP2
SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 not offered TLS 1.1 not offered TLS 1.2 not offered SPDY/NPN (SPDY is an HTTP protocol and thus not tested here) HTTP2/ALPN (HTTP/2 is a HTTP protocol and thus not tested here)
Testing ~standard cipher categories
NULL ciphers (no encryption) not offered (OK) Anonymous NULL Ciphers (no authentication) not offered (OK) Export ciphers (w/o ADH+NULL) not offered (OK) LOW: 64 Bit + DES encryption (w/o export) not offered (OK) Weak 128 Bit ciphers (SEED, IDEA, RC[2,4]) not offered (OK) Triple DES Ciphers (Medium) not offered (OK) High encryption (AES+Camellia, no AEAD) not offered Strong encryption (AEAD ciphers) not offered
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
No ciphers supporting Forward Secrecy offered
Testing server preferences
Has server cipher order? no matching cipher in this list found (pls report this): DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256 .
Testing server defaults (Server Hello)
TLS extensions (standard) (none) Session Ticket RFC 5077 hint (no lifetime advertised) SSL Session ID support yes Session Resumption Ticket resumption test failed, pls report / ID resumption test failed, pls report TLS clock skew SSLv3 through TLS 1.2 didn't return a timestamp
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension CCS (CVE-2014-0224) not vulnerable (OK) Ticketbleed (CVE-2016-9244), experiment. -- (applicable only for HTTPS) Secure Renegotiation (CVE-2009-3555) handshake didn't succeed Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) test failed (couldn't connect) POODLE, SSL (CVE-2014-3566) VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below) TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK) SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) no RSA certificate, thus certificate can't be used with SSLv2 elsewhere LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected BEAST (CVE-2011-3389) no SSL3 or TLS1 (OK) LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK) RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
Could not determine which protocol was started, only simulating generic clients.
Running client simulations via sockets
Java 6u45 No connection Java 7u25 No connection Java 8u31 No connection OpenSSL 1.0.1l No connection OpenSSL 1.0.2e No connection
Done 2019-03-19 23:34:24 [0100s] -->> 173.255.234.71:6697 (abstract.slashnet.org) <<--