konklone / shaaaaaaaaaaaaa

Check if a website has weak SHA-1 TLS certificates.
https://shaaaaaaaaaaaaa.com
BSD 3-Clause "New" or "Revised" License

Getting error trying to check site #76

Closed RichardEichhorn closed 9 years ago

RichardEichhorn commented 9 years ago

Hi,

I'm trying to track down a problem with one of my sites. I used the online service and was getting a fail for my site demo.netbi.net.au.

In the browser console I get the message -

Command failed: depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
139950555604640:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

I downloaded shaaaaaaaaaaaaa and tried running the command line version, to see what was going on.

I get this error -

hermes:shaaaaaaaaaaaaa-master rme$ ./bin/shaaaaaaaaaaaaa demo.netbi.net.au
/Users/rme/sha/shaaaaaaaaaaaaa-master/node_modules/x509/index.js:10
  var ret = x509.parseCert(path);
                 ^
TypeError: Certificate must be a string.
    at TypeError (native)
    at Object.exports.parseCert (/Users/rme/sha/shaaaaaaaaaaaaa-master/node_modules/x509/index.js:10:18)
    at Object.Shaaa.cert (/Users/rme/sha/shaaaaaaaaaaaaa-master/shaaaaa.js:127:21)
    at /Users/rme/sha/shaaaaaaaaaaaaa-master/shaaaaa.js:171:25
    at /Users/rme/sha/shaaaaaaaaaaaaa-master/shaaaaa.js:115:7
    at ChildProcess.exithandler (child_process.js:735:7)
    at ChildProcess.emit (events.js:110:17)
    at maybeClose (child_process.js:1008:16)
    at Socket.<anonymous> (child_process.js:1176:11)
    at Socket.emit (events.js:107:17)

Has anyone seen this before?

I have another site which works fine - apps.netbi.net.au. It's on a different server, but running the same Geotrust SHA-2 wildcard certificate.

I've come to this site due to a problem I'm having with Google Chrome, where I am unable to access demo.netbi.net.au since the last Chrome update. I'm thinking it has something to do with my SHA-2 certificate setup, but can't figure out what.

Any help would be greatly appreciated.

jonnybarnes commented 9 years ago

I can’t access apps.netbi.net.au at all. Even a ping times out. I can ping demo.netbi.net.au but my browser times out.

RichardEichhorn commented 9 years ago

Thanks, but ping is disabled on apps.netbi.net.au.

I get NICE doing this - https://shaaaaaaaaaaaaa.com/check/apps.netbi.net.au

I get ARGH when doing https://shaaaaaaaaaaaaa.com/check/demo.netbi.net.au.

konklone commented 9 years ago

I'm not sure, but https://www.ssllabs.com/ssltest/analyze.html?d=demo.netbi.net.au has a pretty crazy set of configuration errors for you to work out.

It looks like my code is having trouble downloading your cert. It's difficult for me to debug, especially since the configuration seems so strange. Mind re-opening after you've narrowed the problem down a bit?

jonnybarnes commented 9 years ago

For reference this is what OpenSSL says when I try to connect:

➜  ~  brewssl s_client -connect demo.netbi.net.au:443 -servername demo.netbi.net.au -CAfile /usr/local/etc/openssl/cert.pem
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify return:1
depth=0 OU = GT38651010, OU = See www.rapidssl.com/resources/cps (c)14, OU = Domain Control Validated - RapidSSL(R), CN = *.netbi.net.au
verify return:1
140735164146512:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/OU=GT38651010/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.netbi.net.au
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/OU=GT38651010/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.netbi.net.au
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 3812 bytes and written 198 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: E1CC14B4082900541AAB27C3556E144BEA444DDD2EB73C550C60971D6974AF5F
    Session-ID-ctx: 
    Master-Key: 0D6FE09C87B90A8AB9740DC6D493D323B04092DE2C19B32B841DD0535B0E2F4D3188159D81C4F90BF024B8966BDFA2FA
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1428081611
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
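
An added example (not code from the shaaaaaaaaaaaaa project or from any commenter in this thread): one way a Node caller could parse `openssl s_client` output like the above and return a structured error when no certificate was printed, instead of handing a non-string to the certificate parser as in the TypeError from the first comment. The names `parseSClient` and `leafOrError` and both sample outputs are constructed for illustration, and the PEM body is a placeholder.

```javascript
// Parse `openssl s_client` output; both samples below are constructed,
// and the PEM body is a placeholder, not a real certificate.
const SAMPLE_OK = `CONNECTED(00000003)
depth=0 CN = *.example.test
verify return:1
140735164146512:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/CN=*.example.test
   i:/C=US/O=Example CA
---
Server certificate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
Server Temp Key: DH, 1024 bits
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA`;
const SAMPLE_FAIL = `depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
139950555604640:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:`;

function parseSClient(text) {
  const field = (re) => { const m = text.match(re); return m ? m[1].trim() : null; };
  const pem = text.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/);
  const chain = [];
  const chainRe = /^[ \t]*(\d+) s:(.*)\n[ \t]+i:(.*)$/gm;
  for (let m; (m = chainRe.exec(text)); ) chain.push({ depth: Number(m[1]), subject: m[2], issuer: m[3] });
  return {
    pem: pem ? pem[0] : null,               // leaf certificate, or null if none was printed
    chain,                                  // subject/issuer pairs as sent by the server
    verifyErrors: text.match(/^verify error:.*$/gm) || [],
    sslErrors: text.match(/^[0-9A-Fa-f]+:error:.*$/gm) || [],
    protocol: field(/^[ \t]*Protocol[ \t]*:[ \t]*(.+)$/m),
    cipher: field(/^[ \t]*Cipher[ \t]*:[ \t]*(.+)$/m),
    tempKey: field(/^Server Temp Key:[ \t]*(.+)$/m),
  };
}

// Decide on the presence of a PEM block, not on error lines: an error line can
// appear in output that still contains a certificate (see SAMPLE_OK).
function leafOrError(text) {
  const r = parseSClient(text);
  if (typeof r.pem !== 'string') {
    return { ok: false, reason: r.sslErrors[0] || r.verifyErrors[0] || 'no certificate in output' };
  }
  return { ok: true, pem: r.pem, result: r };
}
```
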