drwetter / testssl.sh

Testing TLS/SSL encryption anywhere on any port
https://testssl.sh
GNU General Public License v2.0

built in openssl cannot connect to ChaCha20 only server #1670

Open ghost opened 4 years ago

ghost commented 4 years ago
  1. uname -a: Linux debian 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux

  2. testssl version from the banner:

    testssl.sh       3.1dev from https://testssl.sh/dev/
    (9122ffe 2020-06-26 10:02:23 -- )

  3. git log | head -1: commit 9122ffec1d0c511f96286059792f4d39868a13e8

  4. openssl version used by testssl.sh: ./bin/openssl.Linux.x86_64

  5. steps to reproduce:

  6. what exactly was happening, output is needed

########################################################### testssl.sh 3.1dev from https://testssl.sh/dev/ (9122ffe 2020-06-26 10:02:23 -- )

  This program is free software. Distribution and
         modification under GPLv2 permitted.
  USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

   Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~179 ciphers] on sweettale49:./bin/openssl.Linux.x86_64 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")

Start 2020-07-07 00:43:58 -->> 51.15.217.33:443 (rany.eu.org) <<--

Further IP addresses:   2001:bc8:608:1213::1
rDNS (51.15.217.33):    33-217-15-51.instances.scw.cloud.

Your OpenSSL cannot connect to 51.15.217.33:443
The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes

Service detected:       Couldn't determine what's running on port 443, assuming no HTTP service => skipping all HTTP checks

Testing protocols via sockets except NPN+ALPN

SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      not offered
TLS 1.1    not offered
TLS 1.2    offered (OK)
TLS 1.3    offered (OK): final
NPN/SPDY   not offered
ALPN/HTTP2 not offered

Testing cipher categories

NULL ciphers (no encryption)                      not offered (OK)
Anonymous NULL Ciphers (no authentication)        not offered (OK)
Export ciphers (w/o ADH+NULL)                     not offered (OK)
LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      not offered (OK)
Triple DES Ciphers / IDEA                         not offered
Obsoleted CBC ciphers (AES, ARIA etc.)            not offered
Strong encryption (AEAD ciphers) with no FS       not offered
Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)

Testing server's cipher preferences

Has server cipher order? no matching cipher in this list found (pls report this): DHE-RSA-SEED-SHA:SEED-SHA:DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:ADH-AES256-GCM-SHA384:AECDH-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA .

Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4

FS is offered (OK)           TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-CHACHA20-POLY1305
Elliptic curves offered:     secp384r1 secp521r1 X448

Testing server defaults (Server Hello)

TLS extensions (standard)    "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35" "supported versions/#43" "key share/#51" "supported_groups/#10" "max fragment length/#1" "extended master secret/#23"
Session Ticket RFC 5077 hint no -- no lifetime advertised
SSL Session ID support       yes
Session Resumption           Tickets no, ID resumption test failed
TLS clock skew               Random values, no fingerprinting possible
Signature Algorithm          SHA256 with RSA
Server key size              RSA 4096 bits (exponent is 65537)
Server key usage             Digital Signature, Key Encipherment
Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
Serial / Fingerprints        03DD8D0C86849D4B9DA0C74679BDDEC2DE7A / SHA1 C71078EFE349BE164F845F89B65CEE8522A1EF2C
                             SHA256 289C021380856C4B2547F195BE9A6D9120464F24C14CDE94341AF29BA8FE4DFF
Common Name (CN)             rany.eu.org (request w/o SNI didn't succeed)
subjectAltName (SAN)         rany.eu.org
Issuer                       Let's Encrypt Authority X3 (Let's Encrypt from US)
Trust (hostname)             Ok via SAN and CN (SNI mandatory)
Chain of trust               Ok
EV cert (experimental)       no
ETS/"eTLS", visibility info  not present
Certificate Validity (UTC)   78 >= 30 days (2020-06-26 00:16 --> 2020-09-24 00:16)
# of certificates provided   2
Certificate Revocation List  --
OCSP URI                     http://ocsp.int-x3.letsencrypt.org
OCSP stapling                not offered
OCSP must staple extension   --
DNS CAA RR (experimental)    available - please check for match with "Issuer" above
                             issue=letsencrypt.org, issuewild=letsencrypt.org
Certificate Transparency     yes (certificate extension)

Testing vulnerabilities

Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224)                       not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment.  -- (applicable only for HTTPS)
ROBOT                                     Server does not support any cipher suites that use RSA key transport
Secure Renegotiation (RFC 5746)           OpenSSL handshake didn't succeed
Secure Client-Initiated Renegotiation     not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                test failed (couldn't connect)
POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
FREAK (CVE-2015-0204)                     not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                          make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                          https://censys.io/ipv4?q=289C021380856C4B2547F195BE9A6D9120464F24C14CDE94341AF29BA8FE4DFF could help you to find out
LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)

Could not determine the protocol, only simulating generic clients.

Running client simulations via sockets

Android 4.4.2                No connection
Android 5.0.0                No connection
Android 6.0                  No connection
Android 7.0 (native)         No connection
Android 8.1 (native)         TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 384 bit ECDH (P-384)
Android 9.0 (native)         TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 384 bit ECDH (P-384)
Android 10.0 (native)        TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 384 bit ECDH (P-384)
Chrome 74 (Win 10)           TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 384 bit ECDH (P-384)
Chrome 79 (Win 10)           TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 384 bit ECDH (P-384)
Firefox 66 (Win 8.1/10)      TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 521 bit ECDH (P-521)
Firefox 71 (Win 10)          TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 521 bit ECDH (P-521)
IE 6 XP                      No connection
IE 8 Win 7                   No connection
IE 8 XP                      No connection
IE 11 Win 7                  No connection
IE 11 Win 8.1                No connection
IE 11 Win Phone 8.1          No connection
IE 11 Win 10                 No connection
Edge 15 Win 10               No connection
Edge 17 (Win 10)             No connection
Opera 66 (Win 10)            TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 384 bit ECDH (P-384)
Safari 9 iOS 9               No connection
Safari 9 OS X 10.11          No connection
Safari 10 OS X 10.12         No connection
Safari 12.1 (iOS 12.2)       TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 521 bit ECDH (P-521)
Safari 13.0 (macOS 10.14.6)  TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 521 bit ECDH (P-521)
Apple ATS 9 iOS 9            No connection
Java 6u45                    No connection
Java 7u25                    No connection
Java 8u161                   No connection
Java 11.0.2 (OpenJDK)        No connection
Java 12.0.1 (OpenJDK)        TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 521 bit ECDH (P-521)
OpenSSL 1.0.2e               No connection
OpenSSL 1.1.0l (Debian)      TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 521 bit ECDH (P-521)
OpenSSL 1.1.1d (Debian)      TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 448 bit ECDH (X448)
Thunderbird (68.3)           TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 521 bit ECDH (P-521)

Rating (experimental)

Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
Protocol Support (weighted)  100 (30)
Key Exchange     (weighted)  100 (30)
Cipher Strength  (weighted)  60 (24)
Final Score                  84
Overall Grade                A+

Done 2020-07-07 00:47:21 [ 208s] -->> 51.15.217.33:443 (rany.eu.org) <<--

drwetter commented 4 years ago

Hi @rany0,

I think there are places where testssl.sh could be better; especially the cipher order seems not to be handled properly in this edge case. Using a newer openssl version (./testssl.sh --openssl=/usr/bin/openssl rany.eu.org) works better in general but still fails here.

We'll look into it later to see what we can do for the time being.

In the longer run we need to make our minds up about getting the constraint off the table when the supplied openssl has little overlap with a server that does not have much to offer in terms of ciphers or protocols. As you can see, most of it still works, but there are leftovers which don't -- yet.
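The output above shows testssl.sh's socket-based checks succeeding where the bundled OpenSSL 1.0.2-chacha could not connect at all, and the maintainer's reply points at the lack of overlap between that OpenSSL build and the server's offering. As an added example (not testssl.sh code), the following Python probe offers a server only the named suites in a raw TLS 1.2 ClientHello and reads the suite it selects from the ServerHello, so the result does not depend on what the local OpenSSL can negotiate; the suite table, host and port are assumptions taken from the report.

```python
# Added example, not testssl.sh code: socket-level check of which cipher suite a
# server selects, independent of the local OpenSSL build. Host/port/suites assumed.
import os
import socket
import struct

# IANA suite ids, named as testssl.sh prints them (assumed subset for this example)
SUITES = {
    "ECDHE-RSA-CHACHA20-POLY1305": 0xCCA8,
    "ECDHE-ECDSA-CHACHA20-POLY1305": 0xCCA9,
    "ECDHE-RSA-AES128-GCM-SHA256": 0xC02F,
}
NAMES = {v: k for k, v in SUITES.items()}

def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(hostname, suite_ids):
    """TLS 1.2 ClientHello record offering only suite_ids, with SNI, EC groups and sigalgs."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    groups = struct.pack("!HHHH", 6, 0x0017, 0x0018, 0x0019)        # P-256, P-384, P-521
    sigalgs = struct.pack("!HHH", 4, 0x0401, 0x0501)               # rsa_pkcs1 sha256/sha384
    exts = _ext(0, sni) + _ext(10, groups) + _ext(11, b"\x01\x00") + _ext(13, sigalgs)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                  # version, random, no session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # suites, null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # handshake record

def parse_server_response(data):
    """('suite', id) from a ServerHello, ('alert', description) from an alert, else ('error', why)."""
    if len(data) >= 7 and data[0] == 0x15:                           # alert record
        return ("alert", data[6])
    if len(data) < 46 or data[0] != 0x16 or data[5] != 0x02:
        return ("error", "no ServerHello in first record")
    sid_len = data[43]                          # 5 record + 4 handshake + 2 version + 32 random
    if len(data) < 46 + sid_len:
        return ("error", "truncated ServerHello")
    return ("suite", struct.unpack("!H", data[44 + sid_len:46 + sid_len])[0])

def negotiated_suite(host, port, suite_names, timeout=5.0):
    """Name of the suite the server selected, or None if it refused every offered suite."""
    hello = build_client_hello(host, [SUITES[n] for n in suite_names])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        kind, value = parse_server_response(sock.recv(4096))
    return NAMES.get(value, hex(value)) if kind == "suite" else None

if __name__ == "__main__":   # host from the report; network access required
    print(negotiated_suite("rany.eu.org", 443, ["ECDHE-RSA-CHACHA20-POLY1305"]))
```

A None result against a server that a modern browser reaches with ECDHE-RSA-CHACHA20-POLY1305 means the offered list, not the server, is the limiting factor, which is the situation the bundled OpenSSL hit here.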