Closed xeron closed 7 years ago
Could you pls give it a swing?
Nope, the same issue for both Heartbleed and CCS:
Heartbleed (CVE-2014-0160) ./testssl.sh: line 1442: warning: command substitution: ignored null byte in input
./testssl.sh: line 1442: warning: command substitution: ignored null byte in input
On 28 May 2016 22:08:48 MESZ, Ivan Larionov notifications@github.com wrote:
> Nope, the same issue for both Heartbleed and CCS:
> Heartbleed (CVE-2014-0160) ./testssl.sh: line 1442: warning: command substitution: ignored null byte in input ./testssl.sh: line 1442: warning: command substitution: ignored null byte in input
Thx.
I doubt this is a typical OS X behavior. But as a baseline @ all: can anybody please double check?
@ Ivan: you need to provide proper input if this should be a bug report, see wiki.
Cheers, Dirk
Sent from my mobile. Excuse my brevity & typos
That's a bash 4.4 "bug" which hiccups at NULL bytes : https://github.com/dracutdevs/dracut/issues/118#issuecomment-190857829
Better: CCS and HB need to be changed to the socket functions used elsewhere (sockread_serverhello()).
@drwetter just wanted to make sure, this issue has been fixed, right?
Yes, please. I am pretty sure it is so this ticket should have been closed already.
-- Sent from my mobile. Excuse my brevity & typos + the phone's autocorrection
I believe that this issue has only been partially resolved. I believe that it has been resolved for Heartbleed, and that it is less of a problem than before for CCS, but there is still the following code in run_ccs_injection():
sockreply=$(cat "$SOCK_REPLY_FILE" 2>/dev/null)
rm "$SOCK_REPLY_FILE"
byte6=$(echo "$sockreply" | "${HEXDUMPPLAIN[@]}" | sed 's/^..........//')
lines=$(echo "$sockreply" | "${HEXDUMP[@]}" | count_lines )
For some reason, though, I'm not seeing an error even if $SOCK_REPLY_FILE does contain a null character.
However, even if the issue hasn't been totally resolved, it should only rarely occur, since it is very difficult to find a server that provides a non-empty response to the second CCS injection message.
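The comment above describes the mechanism behind the warning: a binary socket reply is loaded into a bash variable with `$(cat "$SOCK_REPLY_FILE")`, and command substitution cannot hold NUL bytes. The following is an added illustration, not testssl.sh code; `make_reply` writes a constructed stand-in for `$SOCK_REPLY_FILE`, and the function names are my own. It contrasts the variable-based extraction with reading the bytes straight from the file, which is what the socket-based functions in the thread do instead.

```shell
#!/usr/bin/env bash
# Added example, not testssl.sh code. Shows why reading a binary socket reply
# through $(cat file) corrupts it, and how to parse the bytes from the file instead.

# Constructed stand-in for $SOCK_REPLY_FILE: a 5-byte record header, then a
# handshake type byte (0x02), three NUL length bytes and one payload byte.
make_reply() {
  printf '\026\003\001\000\004\002\000\000\000\101' > "$1"
}

# Unsafe pattern from the thread: command substitution cannot hold NUL bytes.
# bash >= 4.4 prints "ignored null byte in input" and drops them; older bash
# drops them silently, so byte positions shift and the parse goes wrong.
byte6_via_variable() {
  local reply
  reply=$(cat "$1" 2>/dev/null)
  printf '%s' "$reply" | od -An -v -tx1 | tr -d ' \n' | cut -c11-12
}

reply_bytes_via_variable() {
  local reply
  reply=$(cat "$1" 2>/dev/null)
  printf '%s' "$reply" | wc -c | tr -d ' '
}

# Safe pattern: hand the file to od directly, so NUL bytes never pass through
# a shell variable and every byte keeps its position.
byte6_via_file() {
  od -An -v -tx1 "$1" | tr -d ' \n' | cut -c11-12
}

reply_bytes_via_file() {
  wc -c < "$1" | tr -d ' '
}

# Run both paths against the constructed reply and print what each one sees.
demo() {
  tmp=$(mktemp)
  make_reply "$tmp"
  echo "via file:     byte6=$(byte6_via_file "$tmp") bytes=$(reply_bytes_via_file "$tmp")"
  echo "via variable: byte6=$(byte6_via_variable "$tmp" 2>/dev/null) bytes=$(reply_bytes_via_variable "$tmp" 2>/dev/null)"
  rm -f "$tmp"
}

demo
```

Reading from the file reports the sixth byte as `02` and a length of 10; going through the variable loses the four NUL bytes, so the same cut lands on a different byte and the length drops. The practical rule is the one the thread arrives at: never route raw TLS bytes through `$(...)`; keep them in a file and let `od`/`hexdump` read that file.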
Ok, it doesn't affect me anymore so I'm ok with either closing it or keeping open to fix run_ccs_injection().
The cat will disappear soon, I'll close this then.
This bug is still present in macOS, even with commit 893cad542dd51d42d03a10c5bcb56f2a6f4fb888
I get lots and lots of these:
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
./testssl.sh: line 6804: warning: command substitution: ignored null byte in input
./testssl.sh: line 1264: warning: command substitution: ignored null byte in input
Hi Brad,
I don't know which version you are using, but this doesn't seem related: the line numbers do not fit.
While I don't understand what's happening @ L6804, L1264 looks to me like you targeted google.com, which in one or two requests sends non-printable chars over openssl s_client.
Maybe you open a separate issue and fill in the details?
Cheers, Dirk
On my copy of testssl.sh, looking at the latest 2.9dev branch, line 6804 looks like it came from commit 32b8c70d, and appears like this:
6803 sclient_connect_successful() {
6804 local server_hello="$(<"$2")"
6805 local re='Master-Key: ([^\
6806 ]*)'
It's the "local server_hello" definition that seems to be a problem.
The code is basically the same on line 1264:
1262 get_cipher() {
1263 local cipher=""
1264 local server_hello="$(< "$1")"
Although in this case, it appears line 1264 came from commit 11d74d2f.
I'm happy to open a new issue, if this is actually unrelated to the one that was originally reported by @xeron.
Doing a git log, the most recent commit here looks like:
commit 893cad542dd51d42d03a10c5bcb56f2a6f4fb888 (HEAD -> 2.9dev, origin/HEAD, origin/2.9dev)
Author: Dirk Wetter <dirk@testssl.sh>
Date: Wed Apr 24 18:44:14 2019 +0000
Delete CHANGELOG.stable-releases.txt
Note that I've verified this status on both my work laptop and on my home laptop. I had not previously cloned this repo on my work laptop, so that was a completely fresh copy of the repo. I had previously cloned the repo on my home laptop, so I did a git pull, then git checkout 2.9dev, and then another git pull.
Unless maybe there is a branch I should be looking at that is something other than 2.9dev?
3.0 is the latest.
Don't use 2.9dev anymore.
Which server did you aim at?
Sorry, I thought I had checked all the github and testssl.sh website before posting that addendum to this issue, and everywhere I could find had said that 2.9dev was the latest so long as you were in RC mode, and a 3.0 branch would be created once you actually did a release. My bad. I'll retest with 3.0.
I was hitting an internal non-HTTP server that sits on an RFC-1918 private network, so there's no way you could possibly hit it from the outside. At least, I hope not....
Okay, I just retested with 3.0rc5 (eef63b1). Same problem, different lines:
The error message:
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
PFS is offered (OK) ./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
^C
The code around line 1265:
1262 # retrieve cipher from ServerHello (via openssl)
1263 get_cipher() {
1264 local cipher=""
1265 local server_hello="$(< "$1")"
1266
1267 if [[ "$server_hello" =~ Cipher\ *:\ ([A-Z0-9]+-[A-Za-z0-9\-]+|TLS_[A-Za-z0-9_]+) ]]; then
1268 cipher="${BASH_REMATCH##* }"
The code around line 6941:
6935 # core function determining whether handshake succeeded or not
6936 # arg1: return value of "openssl s_client connect"
6937 # arg2: temporary file with the server hello
6938 # returns 0 if connect was successful, 1 if not
6939 #
6940 sclient_connect_successful() {
6941 local server_hello="$(<"$2")"
6942 local re='Master-Key: ([^\
6943 ]*)'
In both cases, the problem is clearly the code that starts with local server_hello=.
Here's the top entry from git log for the 3.0 branch I've checked out:
commit eef63b1726b9f44ff63a6dc19c6e2ea16e78b644 (HEAD -> 3.0, origin/3.0)
Merge: 3d5982e af6f232
Author: Dirk Wetter <dirk@testssl.sh>
Date: Wed Jul 3 11:54:56 2019 +0200
Merge pull request #1289 from drwetter/tput_sgr_fix
Fix terminal codes / tput
So, is there a reason why we're using local server_hello= on these lines instead of something like sockread_serverhello?
That is part of the very few places where we need openssl. E.g. when we finish the TLS handshake and look into HTTP headers.
Still curious about the TLS stack of server and the check where this happened. Was that only PFS? Do you use --ssl-native?
So far I have seen this only @ google.TLD (under Linux), and only one check (and only one line)
Unfortunately, that TIBCO server at the moment is having problems. The port in question is somehow open while the application behind that port is not working, and at the moment we can't get any kind of SSL connection to it with any of the programs we throw at it.
I'll try --ssl-native the next time I can get some sort of connection working.
Of course, the moment I say that, it looks like the server is now working again (for at least some values of "working"), and so I'm now re-testing.
¯\_(ツ)_/¯
As Dirk noted, this isn't really related to the original issue that was reported here.
The problem that was reported 3 years ago was that binary data was being loaded into a bash variable.
In the two lines where you are experiencing a problem, the data that is being loaded into a bash variable is the text that openssl s_client prints to stdout and stderr. So, if you are receiving an error saying that the input contains a null byte, that seems to suggest that openssl s_client is printing a null byte to either stdout or stderr, which seems odd. I think we need more information to figure out why that is happening.
Dirk suggested that the server may be sending non-printable characters, but that would only seem to apply in tests such as the one that retrieves the server's HTTP headers, where the server is sending data over the TLS connection that is established. In PFS, the TLS connection is established, but no data is sent.
The only guess I have at the moment is the server's certificate. openssl s_client prints the issuer and subject names in the certificates sent by the server to the client. If one of these names (incorrectly) included a null byte, then perhaps OpenSSL would just print that null byte to the terminal.
Here's the first part of the --ssl-native run, with a redacted hostname:
$ ./testssl.sh --color=3 --ssl-native https://hostname.domain.private:7233
###########################################################
testssl.sh 3.0rc5 from https://testssl.sh/dev/
(eef63b1 2019-07-03 11:54:56 -- )
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
on CECEN-SX2EVGTFL:./bin/openssl.Darwin.x86_64
(built: "Feb 22 09:55:43 2019", platform: "darwin64-x86_64-cc")
Start 2019-07-08 13:42:34 -->> 10.0.0.0:7233 (hostname.domain.private) <<--
rDNS (10.6.54.98): --
Service detected: Couldn't determine what's running on port 7233, assuming no HTTP service => skipping all HTTP checks
Testing protocols via native openssl
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 ./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
offered
TLS 1.1 ./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
offered
TLS 1.2 ./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
offered (OK)
TLS 1.3 Local problem: ./bin/openssl.Darwin.x86_64 doesn't support "s_client -tls1_3"
NPN/SPDY not offered
ALPN/HTTP2 not offered
Testing cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export) ./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
offered (NOT ok)
Triple DES Ciphers / IDEA ./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
offered (NOT ok)
Average: SEED + 128+256 Bit CBC ciphers ./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
offered
Strong encryption (AEAD ciphers) ./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
offered (OK)
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
PFS is offered (OK) ./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-SEED-SHA ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
Elliptic curves offered: sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp256k1 prime256v1 secp384r1 secp521r1 brainpoolP256r1
brainpoolP384r1 brainpoolP512r1
Testing server preferences
Has server cipher order? ./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 1278: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
nope (NOT ok)
Negotiated protocol TLSv1.2
Negotiated cipher ./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
ECDHE-RSA-RC4-SHA, 570 bit ECDH (B-571) -- inconclusive test, matching cipher in list missing, better see below
Negotiated cipher per proto (matching cipher in list missing)
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1278: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1278: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1278: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
(TLSv1.3: Local problem: ./bin/openssl.Darwin.x86_64 doesn't support "s_client -tls1_3")
ECDHE-RSA-AES256-SHA: TLSv1, TLSv1.1
ECDHE-RSA-AES256-GCM-SHA384: TLSv1.2
No further cipher order check has been done as order is determined by the client
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 7126: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 7126: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 7126: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 7126: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
Here's the same test, omitting --ssl-native:
$ ./testssl.sh --color=3 https://hostname.domain.private:7233
###########################################################
testssl.sh 3.0rc5 from https://testssl.sh/dev/
(eef63b1 2019-07-03 11:54:56 -- )
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
on CECEN-SX2EVGTFL:./bin/openssl.Darwin.x86_64
(built: "Feb 22 09:55:43 2019", platform: "darwin64-x86_64-cc")
Start 2019-07-08 13:47:22 -->> 10.0.0.0:7233 (hostname.domain.private) <<--
rDNS (10.6.54.98): --
Service detected: Couldn't determine what's running on port 7233, assuming no HTTP service => skipping all HTTP checks
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
TLS 1.3 not offered
NPN/SPDY not offered
ALPN/HTTP2 not offered
Testing cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export) offered (NOT ok)
Triple DES Ciphers / IDEA offered (NOT ok)
Average: SEED + 128+256 Bit CBC ciphers offered
Strong encryption (AEAD ciphers) offered (OK)
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
PFS is offered (OK) ./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
Elliptic curves offered: sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp256k1 prime256v1 secp384r1 secp521r1 brainpoolP256r1
brainpoolP384r1 brainpoolP512r1
DH group offered: Unknown DH group (1024 bits)
Testing server preferences
Has server cipher order? ./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
nope (NOT ok)
Negotiated protocol TLSv1.2
Negotiated cipher ECDHE-RSA-RC4-SHA, 570 bit ECDH (B-571) -- inconclusive test, matching cipher in list missing, better see below
Negotiated cipher per proto (matching cipher in list missing)
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1278: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
./testssl.sh: line 1278: warning: command substitution: ignored null byte in input
./testssl.sh: line 1265: warning: command substitution: ignored null byte in input
ECDHE-RSA-AES256-SHA: TLSv1, TLSv1.1
ECDHE-RSA-AES256-GCM-SHA384: TLSv1.2
No further cipher order check has been done as order is determined by the client
./testssl.sh: line 6941: warning: command substitution: ignored null byte in input
So, using --ssl-native, the connection gets errors when looking at the TLS 1, TLS 1.1, and TLS 1.2 connection strings, but without --ssl-native, and using your bundled SSL library, at least those parts are parsed okay.
If you guys can give me some clues on how I would determine whether or not the certificate has null characters in it somewhere, I'll be happy to look at that.
But in any event, it sounds like maybe the output from s_client should be post-processed to remove nulls, and before trying to parse those results with bash?
Hi @bknowles,
I would suggest trying the following test:
testssl.sh --protocols --ssl-native --debug 1 <hostname>
When testssl.sh is done, you should see a line that looks like:
DEBUG (level 1): see files in /tmp/testssl.xxxxxx
In the directory that it mentions will be some of the files that were created during the test, including the ones that seem to be causing problems. For example, <IP address>.run_prototest_openssl-tls1.txt, where <IP address> is the IP address of your server. Try looking at that file for a null character. You might try:
hexdump -C <IP address>.run_prototest_openssl-tls1.txt | grep --color -A 4 -B 4 " 00 "
Some of the things grep finds may be "false positives" (i.e., the string " 00 " appearing in the plain text on the right), but this should make it relatively easy to find the null character in the file. Then print the file in plain text (more <IP address>.run_prototest_openssl-tls1.txt) and look for the text that contained the null character.
So, the irony here is that 2.9.5 and 2.9dev don't have this error, when running the exact same tests against the same targets.
So, it seems to me that there may have been some sort of regression between 2.9dev and 3.0.
I'll still try to help debug what's going on, and why.
@bknowles : see David's comment.
The problem I spotted before, but which had only two hiccups when testing, was easily detectable by bin/openssl.Linux.x86_64 s_client -tls1_2 -connect google.com:443 -servername google.com </dev/null. There were some non-printable chars. This is no longer the case though.
Please open a new issue once you have more information for us.
Okay, I opened a new ticket at https://github.com/drwetter/testssl.sh/issues/1292
testssl.sh: latest master
OS X: 10.11.4
bash: 4.4.0(1)-rc1
Tried with default bash from OS X (3.2.57(1)-release) – same result.