Closed bboortz closed 5 years ago
Thanks. What's your Host OS?
date && time ./testssl.sh/testssl.sh (your host) && date
Hint: In the trailing banner as well as in the logfile output there's the time spent
is stuck during sending client hello for about 10 seconds
Interesting observation but it seems not what we can control
Client | Host | t @ BM/VM | t @ Docker |
---|---|---|---|
A | testssl.net | 90 | 145 |
B | testssl.net | 77 | 75 |
A | owasp.org | 191 | 309 |
B | owasp.org | 312 | 307 |
A | dev.testssl.sh | 90 | 137 |
B | dev.testssl.sh | 95 | 98 |
BM=bare metal VM=virtual machine
A=Client is one of my VMs (KVM) on a hosted bare metal machine
B=Client is a Laptop with a dialin (50Mbit/s)
Everything is under Linux.
t is in seconds, just one measurement per value. testssl.net time is for one IP only.
So, first line A means: 90s on a VM, 145s in a Docker container in a VM. Second line B: Laptop bare metal, Docker container on the Laptop.
Given this data only -- this is not a scientific approach -- it looks to me like a VM under Docker container slows things down considerably. But never as much as you experienced.
If you could tell me your host OS that would be great.
I see the same for my webinterface https://github.com/shartge/testssl-web https://hub.docker.com/r/hartge/testssl-web forked from https://github.com/TKCERT/testssl.sh-webfrontend
I found out the main culprit seems to be the Heartbleed, CCS and mainly the ROBOT checks. Sometimes the check would even time out on those checks, with the dd-process just hanging there, but no other packets transferred for 300+ seconds.
Because of this I run testssl inside my container with --ids-friendly, which speeds up things considerably.
With --ids-friendly and dev.testssl.sh for example, I get 49s from Docker in a VM (on ESXi 6.5) and 74s from my PC running on bare metal.
Without --ids-friendly and dev.testssl.sh, I get a timeout from Docker in a VM and 99s from my PC.
Host OS for the Docker VM in my case is Debian Testing (4.19.0-4-amd64 #1 SMP Debian 4.19.28-2) and Debian Sid (same Kernel) for my PC.
The OS inside the Docker Container is Debian Stretch.
testssl.sh version is ff527f524.
Yes, Heartbleed and especially ROBOT cost a lot of time -- unless there are no certain RSA ciphers or there's no heartbeat extension. It is the checks which just take long -- if you want to have accurate results.
But this is true for any platform.
I found out the main culprit seems to be the Heartbleed, CCS and mainly the ROBOT checks. Sometimes the check would even time out on those checks, with the dd-process just hanging there, but no other packets transferred for 300+ seconds.
The latter shouldn't happen though.
Sorry for delay. Let me try to provide more information with respect to my case as a table:
command | docker | host |
---|---|---|
time ./testssl.sh HOST | Runs more than 5m - aborted | 0m45.372s |
time ./testssl.sh --openssl-timeout 1 HOST | Runs more than 5m - aborted | 0m41.884s |
time ./testssl.sh --nodns none IP | Runs more than 5m - aborted | 0m36.576s |
time ./testssl.sh --openssl-timeout 1 --nodns none IP | Runs more than 5m - aborted | 0m40.798s |
time ./testssl.sh --ids-friendly IP | Runs more than 5m - aborted | 0m41.593s |
time ./testssl.sh --breach IP | 0m42.829s | 0m5.716s |
time ./testssl.sh --poodle IP | 0m48.180s | 0m5.941s |
time ./testssl.sh --crime IP | 0m37.782s | 0m3.706s |
time ./testssl.sh --rc4 IP | 1m38.948s | 0m4.648s |
time ./testssl.sh --heartbleed IP | 0m48.781s | 0m4.338s |
time ./testssl.sh --renegotiation IP | 0m42.859s | 0m4.904s |
time ./testssl.sh --pfs IP | 1m40.646s | 0m6.939s |
time ./testssl.sh --crime --ssl-native IP | 0m27.539s | 0m3.558s |
time ./testssl.sh --rc4 --ssl-native IP | 0m27.760s | 0m3.671s |
time ./testssl.sh --pfs --ssl-native IP | 0m28.142s | 0m3.982s |
time ./testssl.sh --nodns min --rc4 --ssl-native IP | 0m27.835s | 0m3.693s |
Summary: RC4 and PFS scans seem to be very slow. ssl-native is reducing the difference between a scan from docker and host.
Example Output for a run in docker - aborted after about 20 seconds
# time ./testssl.sh --openssl-timeout 1 --nodns none --debug 2 11.217.32.122
tty: ignoring all arguments
/dev/pts/0
###########################################################
testssl.sh 3.0rc4 from https://testssl.sh/dev/
(e110e34 2019-04-02 05:37:29 -- )
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "" [~0 ciphers]
on 251f3bd6-122b-4799-73ac-242c53db0009:./bin/openssl.Linux.x86_64
(built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")
11.217.32.122:443
/
Start 2019-04-05 21:27:16 -->> 11.217.32.122:443 (11.217.32.122) <<--
rDNS (11.217.32.122): (instructed to minimize DNS queries)
sending client hello... sending client hello... reading server hello...
sending close_notify...
(437 lines returned)
proto: 03
OPTIMAL_PROTO: -tls1_2
sending client hello... sending client hello... ^C
DEBUG (level 2): see files in /tmp/testssl.CIJpDp
real 0m21.819s
user 0m1.319s
sys 0m0.592s
Example Output for a run in docker with ssl-native
###################################################
testssl.sh 3.0rc4 from https://testssl.sh/dev/
(e110e34 2019-04-02 05:37:29 -- )
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
on 251f3bd6-122b-4799-73ac-242c53db0009:./bin/openssl.Linux.x86_64
(built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")
11.217.32.122:443
/
Start 2019-04-05 22:21:31 -->> 11.217.32.122:443 (11.217.32.122) <<--
rDNS (11.217.32.122): (instructed to minimize DNS queries)
one proto determined: tls1_2
OPTIMAL_PROTO: -tls1_2
sending client hello... sending client hello... reading server hello...
server hello empty, TCP connection closed
(1 lines returned)
sending client hello... sending client hello...
server hello empty, TCP connection closed
(1 lines returned)
HTTP/1.1 200 OK
Connection: close
Last-Modified: Wed, 15 Aug 2018 11:12:46 GMT
Content-Length: 1087
Content-Type: text/html
Accept-Ranges: bytes
Date: Fri, 05 Apr 2019 22:21:52 GMT
[...]
Service detected: HTTP
Checking for vulnerable RC4 Ciphers
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
Done 2019-04-05 22:21:57 [ 28s] -->> 11.217.32.122:443 (11.217.32.122) <<--
DEBUG (level 2): see files in /tmp/testssl.DJghgd
real 0m27.931s
user 0m1.905s
sys 0m0.865s
In case I should provide some more information, just tell me.
After some more investigation it looks to me like testssl.sh is hanging in method "sockread_serverhello"
dd bs=$1 of=$SOCK_REPLY_FILE count=1 <&5 2>/dev/null &
reproducible with: ./testssl.sh --openssl-timeout 1 --nodns none --debug 2 --rc4 IP
This is the same I saw: every time testssl.sh was hanging, it was hanging in a dd process.
After installing package procps like in https://github.com/drwetter/testssl.sh/blob/2.9dev/Dockerfile#L4 the scan with "time ./testssl.sh --openssl-timeout 1 --nodns none --debug 2 --rc4 IP" takes only about 6.37s.
Interesting. But this is not the problem I see, I have procps (for Debian) in my Dockerfile.
After installing package procps like in https://github.com/drwetter/testssl.sh/blob/2.9dev/Dockerfile#L4 the scan with "time ./testssl.sh --openssl-timeout 1 --nodns none --debug 2 --rc4 IP" takes only about 6.37s.
Oh well. sockread_serverhello() needs ps. In the Dockerfile I provide there's a ps. But there seems to be a problem in check_base_requirements() which needs to be fixed.
Selfcomment: There's none. On my system there were two ps.
Bottom line: Hard to tell how you @bboortz managed to run testssl.sh (version 3.0rc4) in a container without ps. But your problem seems to be solved.
@shartge : Also it is hard to tell for me how testssl.sh can hang in a dd process. The one in sockread_serverhello() is running in the background and gets killed in MAXSLEEP seconds.
If dd hangs I would need more info like the process of dd incl. command line. Also info on the testssl.sh command line pls.
Would an strace from the dd processes testssl.sh spawns be sufficient? I can also throw in a wireshark capture of the traffic, if needed.
Na, the least I need is the complete dd command from the process list
Sure, in addition to that. Should I use a particular debug level for testssl.sh while collecting the data? What is most helpful for you?
that'll be helpful when we know where it hangs
But there seems to be a problem in check_base_requirements() which needs to be fixed.
Selfcomment: There's none. On my system there were two ps.
Bottom line: Hard to tell how you @bboortz managed to run testssl.sh (version 3.0rc4) in a container without ps. But your problem seems to be solved.
Yes, my problem is fixed but the method check_base_requirements needs a fix.
Let me answer how I run testssl.sh without procps
docker run -it alpine:latest /bin/sh
/ # apk update && apk upgrade
[...]
/ # apk add --no-cache curl git coreutils drill bash
[...]
/ # git clone https://github.com/drwetter/testssl.sh.git
[...]
/ # cd testssl.sh/
/testssl.sh # ./testssl.sh --version
###########################################################
testssl.sh 3.0rc4 from https://testssl.sh/dev/
(0e88072 2019-04-05 21:30:40 -- )
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
on b46f039bbf10:./bin/openssl.Linux.x86_64
(built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")
/testssl.sh # which ps
/bin/ps
/testssl.sh # /bin/ps --help
BusyBox v1.28.4 (2018-12-31 18:05:13 UTC) multi-call binary.
Usage: ps [-o COL1,COL2=HEADER]
Show list of processes
-o COL1,COL2=HEADER Select columns for display
/testssl.sh # time ./testssl.sh --rc4 example.com >/dev/null
real 2m 2.72s
user 0m 3.03s
sys 0m 1.82s
testssl.sh # apk add procps
(1/3) Installing libintl (0.19.8.1-r2)
(2/3) Installing libproc (3.3.15-r0)
(3/3) Installing procps (3.3.15-r0)
Executing busybox-1.28.4-r3.trigger
OK: 30 MiB in 34 packages
/testssl.sh # which ps
/bin/ps
/testssl.sh # /bin/ps --help
Usage:
ps [options]
Try 'ps --help <simple|list|output|threads|misc|all>'
or 'ps --help <s|l|o|t|m|a>'
for additional help text.
For more details see ps(1).
/testssl.sh # time ./testssl.sh --rc4 example.com >/dev/null
real 0m 19.05s
user 0m 2.67s
sys 0m 1.45s
So a performance impact of about 6 times in case procps is missing
The method check_base_requirements is checking if /bin/ps is present but is not checking for the correct version from procps.
Furthermore I have created one Dockerfile alpine but missing procps
The alpine dockerfile
FROM alpine:latest
RUN apk update && apk upgrade
RUN apk add bash drill git coreutils
RUN apk add --no-cache curl
RUN addgroup testssl
RUN adduser -G testssl -g "testssl user" -s /bin/bash -D testssl
RUN ln -s /home/testssl/testssl.sh /usr/local/bin/
USER testssl
WORKDIR /home/testssl/
RUN git clone --depth=1 https://github.com/drwetter/testssl.sh.git .
ENTRYPOINT ["testssl.sh"]
CMD ["--help"]
build it
docker build -f Dockerfile_alpine -t testssl_alpine .
and the run
$ docker run -it --name testssl testssl_alpine --debug 6 --rc4 example.com
do_allciphers = false
do_vulnerabilities = false
do_beast = false
do_lucky13 = false
do_breach = false
do_ccs_injection = false
do_ticketbleed = false
do_cipher_per_proto = false
do_crime = false
do_freak = false
do_logjam = false
do_drown = false
do_header = false
do_heartbleed = false
do_mx_all_ips = false
do_pfs = false
do_protocols = false
do_rc4 = true
do_grease = false
do_robot = false
do_renego = false
do_cipherlists = false
do_server_defaults = false
do_server_preference = false
do_ssl_poodle = false
do_tls_fallback_scsv = false
do_sweet32 = false
do_client_simulation = false
do_cipher_match = false
do_tls_sockets = false
do_mass_testing = false
do_display_only = false
URI: : example.com
###########################################################
testssl.sh 3.0rc4 from https://testssl.sh/dev/
(0e88072 2019-04-05 21:30:40 -- )
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
on 4feea8dafe31:$PWD/bin/openssl.Linux.x86_64
(built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")
example.com:443
/
Start 2019-04-08 18:56:21 -->> 93.184.216.34:443 (example.com) <<--
Further IP addresses: 2606:2800:220:1:248:1893:25c8:1946
rDNS (93.184.216.34): --
sending client hello... sending client hello...
"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03\x54\x51\x1e\x7a\xde\xad\xbe\xef\x31\x33\x07\x00\x00\x00\x00\x00\xcf\xbd\x39\x04\xcc\x16\x0b\x85\x03\x90\x9f\x77\x04\x33\xd4\xde\x00\x01\x00\xc0\x30\xc0\x2c\xc0\x28\xc0\x24\xc0\x14\xc0\x0a\x00\x9f\x00\x6b\x00\x39\x00\x9d\x00\x3d\x00\x35\xc0\x2f\xc0\x2b\xc0\x27\xc0\x23\xc0\x13\xc0\x09\x00\x9e\x00\x67\x00\x33\x00\x9c\x00\x3c\x00\x2f\xcc\xa9\xcc\xa8\xcc\xaa\xcc\x14\xcc\x13\xcc\x15\x00\xa5\x00\xa3\x00\xa1\x00\x6a\x00\x69\x00\x68\x00\x38\x00\x37\x00\x36\xc0\x77\xc0\x73\x00\xc4\x00\xc3\x00\xc2\x00\xc1\x00\x88\x00\x87\x00\x86\x00\x85\xc0\x32\xc0\x2e\xc0\x2a\xc0\x26\xc0\x0f\xc0\x05\xc0\x79\xc0\x75\x00\xc0\x00\x84\x00\xa4\x00\xa2\x00\xa0\x00\x40\x00\x3f\x00\x3e\x00\x32\x00\x31\x00\x30\xc0\x76\xc0\x72\x00\xbe\x00\xbd\x00\xbc\x00\xbb\x00\x9a\x00\x99\x00\x98\x00\x97\x00\x45\x00\x44\x00\x43\x00\x42\xc0\x31\xc0\x2d\xc0\x29\xc0\x25\xc0\x0e\xc0\x04\xc0\x78\xc0\x74\x00\xba\x00\x96\x00\x41\x00\x07\xc0\x11\xc0\x07\x00\x66\xc0\x0c\xc0\x02\x00\x05\x00\x04\xc0\x12\xc0\x08\x00\x16\x00\x13\x00\x10\x00\x0d\xc0\x0d\xc0\x03\x00\x0a\x00\x80\x00\x81\x00\x82\x00\x83\x00\x63\x00\x15\x00\x12\x00\x0f\x00\x0c\x00\x62\x00\x09\x00\x65\x00\x64\x00\x14\x00\x11\x00\x08\x00\x03\x00\xff\x01\x00\x00\xd3\x00\x00\x00\x10\x00\x0e\x00\x00\x0b\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f\x6d\x00\x23\x00\x00\x33\x74\x00\x00\x00\x0d\x00\x20\x00\x1e\x06\x01\x06\x02\x06\x03\x05\x01\x05\x02\x05\x03\x04\x01\x04\x02\x04\x03\x03\x01\x03\x02\x03\x03\x02\x01\x02\x02\x02\x03\x00\x0a\x00\x3e\x00\x3c\x00\x0e\x00\x0d\x00\x19\x00\x1c\x00\x1e\x00\x0b\x00\x0c\x00\x1b\x00\x18\x00\x09\x00\x0a\x00\x1a\x00\x16\x00\x17\x00\x1d\x00\x08\x00\x06\x00\x07\x00\x14\x00\x15\x00\x04\x00\x05\x00\x12\x00\x13\x00\x01\x00\x02\x00\x03\x00\x0f\x00\x10\x00\x11\x00\x0b\x00\x02\x01\x00\x00\x0f\x00\x01\x01\x00\x15\x00\x42\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1105 testssl 0:00 dd bs=32768 of=/tmp/testssl.Axih7L/ddreply.UQ9t3R count=1
1107 testssl 0:00 ps 1105
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1110 testssl 0:00 ps 1105
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1113 testssl 0:00 ps 1105
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1116 testssl 0:00 ps 1105
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1119 testssl 0:00 ps 1105
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1122 testssl 0:00 ps 1105
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1125 testssl 0:00 ps 1105
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1128 testssl 0:00 ps 1105
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1131 testssl 0:00 ps 1105
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1134 testssl 0:00 ps 1105
reading server hello...
00000000 16 03 03 00 5a 02 00 00 56 03 03 a1 08 14 57 ed |....Z...V.....W.|
00000010 8e 9a f6 8b 0e cd 19 fe 28 16 1c 7d bf 0a 35 35 |........(..}..55|
00000020 48 d8 af 44 4f 57 4e 47 52 44 01 00 c0 2f 00 00 |H..DOWNGRD.../..|
00000030 2e ff 01 00 01 00 00 00 00 00 00 0b 00 04 03 00 |................|
00000040 01 02 00 23 00 00 33 74 00 15 02 68 32 08 68 74 |...#..3t...h2.ht|
00000050 74 70 2f 31 2e 31 08 68 74 74 70 2f 31 2e 30 16 |tp/1.1.http/1.0.|
TLS message fragments:
protocol (rec. layer): 0x0303
tls_content_type: 0x16 (handshake)
msg_len: 90
protocol (rec. layer): 0x0303
tls_content_type: 0x16 (handshake)
msg_len: 3999
TLS handshake messages:
handshake type: 0x02 (server_hello)
msg_len: 86
handshake type: 0x0B (certificate)
msg_len: 3995
TLS server hello message:
tls_protocol: 0x0303
tls_sid_len: 0x00 / = 0
tls_hello_time: 0xA1081457 date: invalid date '2701661271'
tls_cipher_suite: 0xC02F (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
tls_compression_method: 0x2E (unrecognized compression method)
tls_extensions: "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35" "next protocol/#13172"
NPN protocols:
sending close_notify...
"\x15\x03\x01\x00\x02\x02\x00"
(91 lines returned)
proto: 03
OPTIMAL_PROTO: -tls1_2
sending client hello... sending client hello...
"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03\x54\x51\x1e\x7a\xde\xad\xbe\xef\x31\x33\x07\x00\x00\x00\x00\x00\xcf\xbd\x39\x04\xcc\x16\x0b\x85\x03\x90\x9f\x77\x04\x33\xd4\xde\x20\x44\xb8\x92\x56\xaf\x74\x52\x9e\xd8\xcf\x52\x14\xc8\xaf\xd8\x34\x0b\xe7\x7f\xeb\x86\x01\x84\x50\x5d\xe4\xa1\x6a\x09\x3b\xbf\x6e\x00\x0a\x13\x01\x13\x02\x13\x03\x13\x04\x13\x05\x01\x00\x01\xa9\x00\x00\x00\x10\x00\x0e\x00\x00\x0b\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f\x6d\x00\x2d\x00\x02\x01\x01\x00\x23\x00\x00\x33\x74\x00\x00\x00\x0d\x00\x22\x00\x20\x04\x03\x05\x03\x06\x03\x08\x04\x08\x05\x08\x06\x04\x01\x05\x01\x06\x01\x08\x09\x08\x0a\x08\x0b\x08\x07\x08\x08\x02\x01\x02\x03\x00\x0a\x00\x10\x00\x0e\x00\x1d\x00\x17\x00\x1e\x00\x18\x00\x19\x01\x00\x01\x01\x00\x33\x00\x6b\x00\x69\x00\x1d\x00\x20\x4d\xfa\x57\x44\xb7\xf7\x48\xb8\x95\x77\x5a\xc1\xff\x86\xbf\xae\xf7\x3a\x33\x69\x54\xde\x6a\xf5\x2e\x89\x84\x6c\xf2\xd8\xb2\x43\x00\x17\x00\x41\x04\xb4\x24\xef\x11\x99\x9c\xa4\xe8\xce\x88\x25\xc3\x8e\x7c\x0c\x6a\x94\xde\x33\x6d\xff\xcd\x17\xb7\x5c\x65\xdb\xd1\x58\x46\x95\x69\x80\xc8\xbc\xfc\xe6\xd9\x22\x39\xbb\x3f\x63\xab\x3d\x5c\xba\xcc\xeb\x1a\x90\x1b\xd4\x75\xff\x58\xc4\x00\x58\x50\x21\xd0\xaa\xe4\x00\x0b\x00\x02\x01\x00\x00\x2b\x00\x0f\x0e\x03\x04\x7f\x1c\x7f\x1b\x7f\x1a\x7f\x19\x7f\x18\x7f\x17\x00\x0f\x00\x01\x01\x00\x15\x00\xbc\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1239 testssl 0:00 dd bs=32768 of=/tmp/testssl.Axih7L/ddreply.8HOLzB count=1
1241 testssl 0:00 ps 1239
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1244 testssl 0:00 ps 1239
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1247 testssl 0:00 ps 1239
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1250 testssl 0:00 ps 1239
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1253 testssl 0:00 ps 1239
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1256 testssl 0:00 ps 1239
PID USER TIME COMMAND
1 testssl 0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
1259 testssl 0:00 ps 1239
^C
A lot of text but I hope it helps.
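The debug output above shows `ps 1105` being polled again and again after the dd process has left the listing: the BusyBox applet accepts the PID argument but prints every process. As an added example (not testssl.sh code and not the content of the commits referenced in this thread), here is a behavioural check for `ps` plus a wait loop that can fall back to `kill -0`. All function names and the two stand-in `ps` functions are hypothetical, and it assumes the wait loop treats a zero exit status from `ps <pid>` as "still running".

```sh
#!/bin/sh
# Added example, not testssl.sh code; all function names are hypothetical.

# Constructed stand-ins so the demo behaves the same on any host:
busybox_like_ps() { echo "PID   USER     TIME  COMMAND"; }  # ignores its PID argument, exits 0
procps_like_ps()  { kill -0 "$1" 2>/dev/null; }             # non-zero for a PID that is gone

# ps_honors_pid CMD...: succeed only if "CMD <pid>" finds a live PID and
# reports failure for a dead one. Presence of a ps binary alone proves nothing.
ps_honors_pid() {
    ( : ) &                                  # spawn a no-op child ...
    dead_pid=$!
    wait "$dead_pid" 2>/dev/null || :        # ... and reap it: this PID is now gone
    "$@" "$$" >/dev/null 2>&1 || return 1    # must succeed for this shell's PID
    if "$@" "$dead_pid" >/dev/null 2>&1; then
        return 1                             # "found" a dead PID: argument ignored
    fi
    return 0
}

# wait_or_kill MAX_S PID CMD...: poll "CMD PID" once per second.
# Returns 0 if the process ended by itself, 3 if MAX_S was reached and it was
# killed. WAITED holds the seconds slept (plain sh has no local variables).
wait_or_kill() {
    max_s=$1 pid=$2
    shift 2
    WAITED=0
    while "$@" "$pid" >/dev/null 2>&1; do
        if [ "$WAITED" -ge "$max_s" ]; then
            kill "$pid" 2>/dev/null || :
            wait "$pid" 2>/dev/null || :
            return 3
        fi
        sleep 1
        WAITED=$((WAITED + 1))
    done
    wait "$pid" 2>/dev/null || :             # reap; exit status not needed here
    return 0
}

# Choose a liveness check for this host: ps only if it passes the behavioural
# test, otherwise the shell's own kill -0, which needs no extra package.
pick_liveness_check() {
    if command -v ps >/dev/null 2>&1 && ps_honors_pid ps; then
        echo "ps"
    else
        echo "kill -0"
    fi
}

echo "liveness check chosen on this host: $(pick_liveness_check)"
```

`kill -0` is sufficient here because the process being watched is the script's own background child, so no permission error can mask its state.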
Thanks, it does!
see e0f8a2e.
and a correction in ef63fd6
Hi,
in case I am running testssl.sh inside a docker container the execution takes about 5 times longer than usual. The normal execution on my host takes about 45 seconds. The execution inside a docker image about 4-5 minutes. The root cause is unclear. Therefore I tried to gather some information:
uname -a Linux f0b71691-a094-43ef-5b73-3426879bf068 4.15.0-32-generic #35~16.04.1-Ubuntu SMP Fri Aug 10 21:54:34 UTC 2018 x86_64 Linux
testssl version from the banner: testssl.sh -b 2>/dev/null | head -4 | tail -2 ########################################################## testssl.sh 3.0rc4 from https://testssl.sh/dev/
git log | head -1 (if running from git repo) Downloaded from https://github.com/drwetter/testssl.sh/archive/3.0rc4.tar.gz
openssl version: testssl.sh -b 2>/dev/null | awk -F':' '/openssl/ { print $2}' ./bin/openssl.Linux.x86_64
openssl version OpenSSL 1.1.1b 26 Feb 2019 (Library: OpenSSL 1.1.1a 20 Nov 2018)
cat /etc/*release 3.9.0 NAME="Alpine Linux" ID=alpine VERSION_ID=3.9.0 PRETTY_NAME="Alpine Linux v3.9" HOME_URL="https://alpinelinux.org/" BUG_REPORT_URL="https://bugs.alpinelinux.org/"
steps to reproduce: date && time ./testssl.sh/testssl.sh id-qa.projects.de-wob-2.cloud.vwgroup.com && date
Normal runtime takes about 45 seconds. Runtime in docker takes more than 4 minutes.
sending client hello...
Thanks