drwetter / testssl.sh

Testing TLS/SSL encryption anywhere on any port
https://testssl.sh
GNU General Public License v2.0

Performance Issues if running testssl.sh in docker #1225

Closed bboortz closed 5 years ago

bboortz commented 5 years ago

Hi,

in case I am running testssl.sh inside a docker container the execution takes about 5 times longer than usual. The normal execution on my host takes about 45 seconds. The execution inside a docker image about 4-5 minutes. The root cause is unclear. Therefore I tried to gather some information:

  1. uname -a
     Linux f0b71691-a094-43ef-5b73-3426879bf068 4.15.0-32-generic #35~16.04.1-Ubuntu SMP Fri Aug 10 21:54:34 UTC 2018 x86_64 Linux

  2. testssl version from the banner: testssl.sh -b 2>/dev/null | head -4 | tail -2
     ##########################################################
     testssl.sh 3.0rc4 from https://testssl.sh/dev/

  3. git log | head -1 (if running from git repo)
     Downloaded from https://github.com/drwetter/testssl.sh/archive/3.0rc4.tar.gz

  4. openssl version: testssl.sh -b 2>/dev/null | awk -F':' '/openssl/ { print $2}'
     ./bin/openssl.Linux.x86_64

  5. openssl version
     OpenSSL 1.1.1b 26 Feb 2019 (Library: OpenSSL 1.1.1a 20 Nov 2018)

  6. cat /etc/*release
     3.9.0
     NAME="Alpine Linux"
     ID=alpine
     VERSION_ID=3.9.0
     PRETTY_NAME="Alpine Linux v3.9"
     HOME_URL="https://alpinelinux.org/"
     BUG_REPORT_URL="https://bugs.alpinelinux.org/"

  7. steps to reproduce:
     date && time ./testssl.sh/testssl.sh id-qa.projects.de-wob-2.cloud.vwgroup.com && date

Normal runtime takes about 45 seconds. Runtime in docker takes more than 4 minutes.

  8. command output: The output looks normal, but if I increase the debug output with --debug 2 it looks like testssl.sh is stuck while sending client hello for about 10 seconds

sending client hello...

Thanks

drwetter commented 5 years ago

Thanks. What's your Host OS?

date && time ./testssl.sh/testssl.sh (your host) && date

Hint: In the trailing banner as well as in the logfile output there's the time spent

> is stuck while sending client hello for about 10 seconds

Interesting observation but it seems not what we can control

drwetter commented 5 years ago

| Client | Host | t @ BM/VM | t @ Docker |
|---|---|---|---|
| A | testssl.net | 90 | 145 |
| B | testssl.net | 77 | 75 |
| A | owasp.org | 191 | 309 |
| B | owasp.org | 312 | 307 |
| A | dev.testssl.sh | 90 | 137 |
| B | dev.testssl.sh | 95 | 98 |

BM=bare metal
VM=virtual machine

A=Client is one of my VMs (KVM) on a hosted bare metal machine
B=Client is a Laptop with a dialin (50Mbit/s)

Everything is under Linux.

t is in seconds, just one measurement per value. testssl.net time is for one IP only.

So, first line A means: 90s on a VM, 145s in a Docker container in a VM. Second line B: Laptop bare metal, Docker container on the Laptop.

Given this data only -- this is not a scientific approach -- it looks to me like a VM under Docker container slows things down considerably. But never as much as you experienced.

If you could tell me your host OS that would be great.

shartge commented 5 years ago

I see the same for my webinterface https://github.com/shartge/testssl-web https://hub.docker.com/r/hartge/testssl-web forked from https://github.com/TKCERT/testssl.sh-webfrontend

I found out the main culprit seems to be the Heartbleed, CCS and mainly the ROBOT checks. Sometimes the check would even time out on those checks, with the dd-process just hanging there, but no other packets transferred for 300+ seconds.

Because of this I run testssl inside my container with --ids-friendly which speeds up things considerably.

With --ids-friendly and dev.testssl.sh for example, I get 49s from Docker in a VM (on ESXi 6.5) and 74s from my PC running on bare metal.

Without --ids-friendly and dev.testssl.sh, I get a timeout from Docker in a VM and 99s from my PC.

Host OS for the Docker VM in my case is Debian Testing (4.19.0-4-amd64 #1 SMP Debian 4.19.28-2) and Debian Sid (same Kernel) for my PC.

The OS inside the Docker Container is Debian Stretch.

testssl.sh version is ff527f524.

drwetter commented 5 years ago

Yes, Heartbleed and especially ROBOT cost a lot of time -- unless there are no certain RSA ciphers or there's no heartbeat extension. It is the checks which just take long -- if you want to have accurate results.

But this is true for any platform.

> I found out the main culprit seems to be the Heartbleed, CCS and mainly the ROBOT checks. Sometimes the check would even time out on those checks, with the dd-process just hanging there, but no other packets transferred for 300+ seconds.

The latter shouldn't happen though.

bboortz commented 5 years ago

Sorry for delay. Let me try to provide more information with respect to my case as a table:

| command | docker | host |
|---|---|---|
| time ./testssl.sh HOST | Runs more than 5m - aborted | 0m45.372s |
| time ./testssl.sh --openssl-timeout 1 HOST | Runs more than 5m - aborted | 0m41.884s |
| time ./testssl.sh --nodns none IP | Runs more than 5m - aborted | 0m36.576s |
| time ./testssl.sh --openssl-timeout 1 --nodns none IP | Runs more than 5m - aborted | 0m40.798s |
| time ./testssl.sh --ids-friendly IP | Runs more than 5m - aborted | 0m41.593s |
| time ./testssl.sh --breach IP | 0m42.829s | 0m5.716s |
| time ./testssl.sh --poodle IP | 0m48.180s | 0m5.941s |
| time ./testssl.sh --crime IP | 0m37.782s | 0m3.706s |
| time ./testssl.sh --rc4 IP | 1m38.948s | 0m4.648s |
| time ./testssl.sh --heartbleed IP | 0m48.781s | 0m4.338s |
| time ./testssl.sh --renegotiation IP | 0m42.859s | 0m4.904s |
| time ./testssl.sh --pfs IP | 1m40.646s | 0m6.939s |
| time ./testssl.sh --crime --ssl-native IP | 0m27.539s | 0m3.558s |
| time ./testssl.sh --rc4 --ssl-native IP | 0m27.760s | 0m3.671s |
| time ./testssl.sh --pfs --ssl-native IP | 0m28.142s | 0m3.982s |
| time ./testssl.sh --nodns min --rc4 --ssl-native IP | 0m27.835s | 0m3.693s |

Summary: RC4 and PFS scans seem to be very slow. ssl-native is reducing the difference between a scan from docker and host.

Example Output for a run in docker - aborted after about 20 seconds

# time ./testssl.sh  --openssl-timeout 1 --nodns none --debug 2 11.217.32.122
tty: ignoring all arguments
/dev/pts/0

###########################################################
    testssl.sh       3.0rc4 from https://testssl.sh/dev/
    (e110e34 2019-04-02 05:37:29 -- )

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "" [~0 ciphers]
 on 251f3bd6-122b-4799-73ac-242c53db0009:./bin/openssl.Linux.x86_64
 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")

11.217.32.122:443
/
 Start 2019-04-05 21:27:16        -->> 11.217.32.122:443 (11.217.32.122) <<--

 rDNS (11.217.32.122):   (instructed to minimize DNS queries)

sending client hello... sending client hello... reading server hello...
sending close_notify...
  (437 lines returned)
proto: 03
OPTIMAL_PROTO: -tls1_2

sending client hello... sending client hello... ^C
DEBUG (level 2): see files in /tmp/testssl.CIJpDp

real    0m21.819s
user    0m1.319s
sys     0m0.592s

Example Output for a run in docker with ssl-native

###################################################
    testssl.sh       3.0rc4 from https://testssl.sh/dev/
    (e110e34 2019-04-02 05:37:29 -- )

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
 on 251f3bd6-122b-4799-73ac-242c53db0009:./bin/openssl.Linux.x86_64
 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")

11.217.32.122:443
/
 Start 2019-04-05 22:21:31        -->> 11.217.32.122:443 (11.217.32.122) <<--

 rDNS (11.217.32.122):   (instructed to minimize DNS queries)
one proto determined: tls1_2
OPTIMAL_PROTO: -tls1_2

sending client hello... sending client hello... reading server hello...
server hello empty, TCP connection closed
  (1 lines returned)

sending client hello... sending client hello...
server hello empty, TCP connection closed
  (1 lines returned)
HTTP/1.1 200 OK
Connection: close
Last-Modified: Wed, 15 Aug 2018 11:12:46 GMT
Content-Length: 1087
Content-Type: text/html
Accept-Ranges: bytes
Date: Fri, 05 Apr 2019 22:21:52 GMT

[...] 

 Service detected:       HTTP

 Checking for vulnerable RC4 Ciphers

 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

 Done 2019-04-05 22:21:57 [  28s] -->> 11.217.32.122:443 (11.217.32.122) <<--

DEBUG (level 2): see files in /tmp/testssl.DJghgd

real    0m27.931s
user    0m1.905s
sys     0m0.865s

In case I should provide some more information, just tell me.

bboortz commented 5 years ago

After some more investigation it looks to me like testssl.sh is hanging in method "sockread_serverhello":

dd bs=$1 of=$SOCK_REPLY_FILE count=1 <&5 2>/dev/null &

reproducible with: ./testssl.sh --openssl-timeout 1 --nodns none --debug 2 --rc4 IP

shartge commented 5 years ago

This is the same I saw: every time testssl.sh was hanging, it was hanging in a dd process.

bboortz commented 5 years ago

After installing package procps like in https://github.com/drwetter/testssl.sh/blob/2.9dev/Dockerfile#L4 the scan with "time ./testssl.sh --openssl-timeout 1 --nodns none --debug 2 --rc4 IP" takes only about 6.37s.

shartge commented 5 years ago

Interesting. But this is not the problem I see, I have procps (for Debian) in my Dockerfile.

drwetter commented 5 years ago

> After installing package procps like in https://github.com/drwetter/testssl.sh/blob/2.9dev/Dockerfile#L4 the scan with "time ./testssl.sh --openssl-timeout 1 --nodns none --debug 2 --rc4 IP" takes only about 6.37s.

Oh well.

`sockread_serverhello()` needs `ps`. In the Dockerfile I provide there's a `ps`. <s>But there seems to be a problem in `check_base_requirements()` which needs to be fixed.</s>

drwetter commented 5 years ago

> But there seems to be a problem in check_base_requirements() which needs to be fixed.

Selfcomment: There's none. On my system there were two ps.

Bottom line: Hard to tell how you @bboortz managed to run testssl.sh (version 3.0rc4) in a container without ps. But your problem seems to be solved.

@shartge : Also it is hard to tell for me how testssl.sh can hang in a dd process. The one in sockread_serverhello() is running in the background and gets killed in MAXSLEEP seconds.

If dd hangs I would need more info like the process of dd incl. command line. Also info on the testssl.sh command line pls.

shartge commented 5 years ago

Would an strace from the dd processes testssl.sh spawns be sufficient? I can also throw in a wireshark capture of the traffic, if needed.

drwetter commented 5 years ago

Na, the least I need is the complete dd command from the process list

shartge commented 5 years ago

Sure, in addition to that. Should I use a particular debug level for testssl.sh while collecting the data? What is most helpful for you?

drwetter commented 5 years ago

that'll be helpful when we know where it hangs

bboortz commented 5 years ago

> But there seems to be a problem in check_base_requirements() which needs to be fixed.
>
> Selfcomment: There's none. On my system there were two ps.
>
> Bottom line: Hard to tell how you @bboortz managed to run testssl.sh (version 3.0rc4) in a container without ps. But your problem seems to be solved.

Yes, my problem is fixed but the method check_base_requirements needs a fix. Let me answer how I run testssl.sh without procps:

 docker run -it alpine:latest /bin/sh
/ # apk update && apk upgrade
[...]
/ # apk add --no-cache curl git coreutils drill bash
[...]
/ # git clone https://github.com/drwetter/testssl.sh.git
[...]
/ # cd testssl.sh/
/testssl.sh # ./testssl.sh --version

###########################################################
    testssl.sh       3.0rc4 from https://testssl.sh/dev/
    (0e88072 2019-04-05 21:30:40 -- )

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
 on b46f039bbf10:./bin/openssl.Linux.x86_64
 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")

/testssl.sh # which ps
/bin/ps
/testssl.sh # /bin/ps --help
BusyBox v1.28.4 (2018-12-31 18:05:13 UTC) multi-call binary.

Usage: ps [-o COL1,COL2=HEADER]

Show list of processes

    -o COL1,COL2=HEADER Select columns for display
/testssl.sh # time ./testssl.sh --rc4 example.com >/dev/null
real    2m 2.72s
user    0m 3.03s
sys 0m 1.82s
testssl.sh # apk add procps
(1/3) Installing libintl (0.19.8.1-r2)
(2/3) Installing libproc (3.3.15-r0)
(3/3) Installing procps (3.3.15-r0)
Executing busybox-1.28.4-r3.trigger
OK: 30 MiB in 34 packages
/testssl.sh # which ps
/bin/ps
/testssl.sh # /bin/ps --help

Usage:
 ps [options]

 Try 'ps --help <simple|list|output|threads|misc|all>'
  or 'ps --help <s|l|o|t|m|a>'
 for additional help text.

For more details see ps(1).
/testssl.sh # time ./testssl.sh --rc4 example.com >/dev/null
real    0m 19.05s
user    0m 2.67s
sys 0m 1.45s

So a performance impact of about 6 times in case procps is missing

The method check_base_requirements is checking if /bin/ps is present but is not checking for the correct version from procps.

Furthermore, I have created a Dockerfile for Alpine that is missing procps.

The alpine dockerfile

FROM alpine:latest

RUN apk update && apk upgrade
RUN apk add bash drill git coreutils
RUN apk add --no-cache curl

RUN addgroup testssl
RUN adduser -G testssl -g "testssl user"  -s /bin/bash -D testssl

RUN ln -s /home/testssl/testssl.sh /usr/local/bin/

USER testssl
WORKDIR /home/testssl/

RUN git clone --depth=1 https://github.com/drwetter/testssl.sh.git .

ENTRYPOINT ["testssl.sh"]

CMD ["--help"]

build it

docker build -f Dockerfile_alpine -t testssl_alpine .

and the run

$ docker run -it --name testssl testssl_alpine --debug 6 --rc4 example.com
do_allciphers          = false
do_vulnerabilities     = false
do_beast               = false
do_lucky13             = false
do_breach              = false
do_ccs_injection       = false
do_ticketbleed         = false
do_cipher_per_proto    = false
do_crime               = false
do_freak               = false
do_logjam              = false
do_drown               = false
do_header              = false
do_heartbleed          = false
do_mx_all_ips          = false
do_pfs                 = false
do_protocols           = false
do_rc4                 = true
do_grease              = false
do_robot               = false
do_renego              = false
do_cipherlists         = false
do_server_defaults     = false
do_server_preference   = false
do_ssl_poodle          = false
do_tls_fallback_scsv   = false
do_sweet32             = false
do_client_simulation   = false
do_cipher_match        = false
do_tls_sockets         = false
do_mass_testing        = false
do_display_only        = false
URI:                   : example.com

###########################################################
    testssl.sh       3.0rc4 from https://testssl.sh/dev/
    (0e88072 2019-04-05 21:30:40 -- )

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################
 Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
 on 4feea8dafe31:$PWD/bin/openssl.Linux.x86_64
 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")

example.com:443
/
 Start 2019-04-08 18:56:21        -->> 93.184.216.34:443 (example.com) <<--

 Further IP addresses:   2606:2800:220:1:248:1893:25c8:1946 
 rDNS (93.184.216.34):   --

sending client hello... sending client hello... 
PID   USER     TIME  COMMAND

    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1105 testssl   0:00 dd bs=32768 of=/tmp/testssl.Axih7L/ddreply.UQ9t3R count=1
 1107 testssl   0:00 ps 1105
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1110 testssl   0:00 ps 1105
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1113 testssl   0:00 ps 1105
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1116 testssl   0:00 ps 1105
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1119 testssl   0:00 ps 1105
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1122 testssl   0:00 ps 1105
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1125 testssl   0:00 ps 1105
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1128 testssl   0:00 ps 1105
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1131 testssl   0:00 ps 1105
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1134 testssl   0:00 ps 1105
reading server hello...
00000000  16 03 03 00 5a 02 00 00  56 03 03 a1 08 14 57 ed  |....Z...V.....W.|
00000010  8e 9a f6 8b 0e cd 19 fe  28 16 1c 7d bf 0a 35 35  |........(..}..55|
00000020  48 d8 af 44 4f 57 4e 47  52 44 01 00 c0 2f 00 00  |H..DOWNGRD.../..|
00000030  2e ff 01 00 01 00 00 00  00 00 00 0b 00 04 03 00  |................|
00000040  01 02 00 23 00 00 33 74  00 15 02 68 32 08 68 74  |...#..3t...h2.ht|
00000050  74 70 2f 31 2e 31 08 68  74 74 70 2f 31 2e 30 16  |tp/1.1.http/1.0.|

TLS message fragments:
     protocol (rec. layer):  0x0303
     tls_content_type:       0x16 (handshake)
     msg_len:                90

     protocol (rec. layer):  0x0303
     tls_content_type:       0x16 (handshake)
     msg_len:                3999

TLS handshake messages:
     handshake type:         0x02 (server_hello)
     msg_len:                86

     handshake type:         0x0B (certificate)
     msg_len:                3995

TLS server hello message:
     tls_protocol:           0x0303
     tls_sid_len:            0x00 / = 0
     tls_hello_time:         0xA1081457 date: invalid date '2701661271'
     tls_cipher_suite:       0xC02F (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
     tls_compression_method: 0x2E (unrecognized compression method)
     tls_extensions: "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35" "next protocol/#13172"
     NPN protocols:          

sending close_notify...

"\x15\x03\x01\x00\x02\x02\x00"
  (91 lines returned)  
proto: 03
OPTIMAL_PROTO: -tls1_2

sending client hello... sending client hello...
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1239 testssl   0:00 dd bs=32768 of=/tmp/testssl.Axih7L/ddreply.8HOLzB count=1
 1241 testssl   0:00 ps 1239
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1244 testssl   0:00 ps 1239
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1247 testssl   0:00 ps 1239
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1250 testssl   0:00 ps 1239
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1253 testssl   0:00 ps 1239
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1256 testssl   0:00 ps 1239
PID   USER     TIME  COMMAND
    1 testssl   0:00 bash /usr/local/bin/testssl.sh --debug 6 --rc4 example.com
 1259 testssl   0:00 ps 1239
^C

A lot of text but I hope it helps.
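
The comment above shows a `ps` that is present but lists every process when given a PID, so a presence check alone cannot tell it from the procps one. The following is an added example, not part of the thread and not testssl.sh code: it probes `ps` by behaviour and shows a timeout loop that polls with the shell's own `kill -0` instead. All function names and the two stand-in `ps` functions are hypothetical, and the BusyBox-like stand-in is assumed to exit 0, consistent with the repeated `ps 1105` listings in the debug output.

```shell
#!/bin/sh
# Added example (not testssl.sh code). All function names are hypothetical.

# ps_honours_pid PS_CMD [ARGS...]
# Behavioural check: a ps usable for liveness tests must succeed for a live
# PID and fail for a PID that no longer exists. Returns 0 if it does.
ps_honours_pid() {
    # Live PID: the current shell. Also fails if PS_CMD is missing.
    "$@" "$$" >/dev/null 2>&1 || return 1
    # Dead PID: start a child and reap it, so the PID is gone.
    true &
    _dead=$!
    wait "$_dead" 2>/dev/null || :
    if "$@" "$_dead" >/dev/null 2>&1; then
        return 1    # ps reported success for a dead PID: argument ignored
    fi
    return 0
}

# wait_for_reader PID MAXSLEEP
# Poll a background reader (such as the dd in the thread) without ps.
# Returns 0 if the reader ended by itself, 1 if it was killed after
# MAXSLEEP seconds.
wait_for_reader() {
    _pid=$1
    _left=$2
    while kill -0 "$_pid" 2>/dev/null; do
        if [ "$_left" -le 0 ]; then
            kill "$_pid" 2>/dev/null || :
            wait "$_pid" 2>/dev/null || :
            return 1
        fi
        sleep 1
        _left=$((_left - 1))
    done
    wait "$_pid" 2>/dev/null || :
    return 0
}

# Constructed stand-ins so the check can be exercised on any host.
# BusyBox-like: ignores the PID argument, prints a listing, exits 0 (assumed).
fake_busybox_ps() {
    echo "PID   USER     TIME  COMMAND"
    echo "    1 testssl   0:00 bash /usr/local/bin/testssl.sh"
    return 0
}
# procps-like: exit status reflects whether the given PID exists.
fake_procps_ps() {
    kill -0 "$1" 2>/dev/null
}

# Report on the ps that is actually installed on this system.
if ps_honours_pid ps; then
    echo "ps honours a PID argument"
else
    echo "ps ignores PID arguments or is missing: install procps or poll with kill -0" >&2
fi
```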

drwetter commented 5 years ago

Thanks, it does!

drwetter commented 5 years ago

see e0f8a2e.

drwetter commented 5 years ago

and a correction in ef63fd6