By verifying SSLlabs results of sites with ROBOT vulnerability, I got very consistent results. Major kudos!
And I love the speed of the scan.
The inconsistent ROBOT vulnerability test results (SSLlabs: "Yes EXPLOITABLE", sslyze: "UNKNOWN - Received inconsistent results"), made me run the full test for this site.
Sslyze 2.4 seems to lose it at some places, while testing the site below.
Reproducible: Not exactly as reported below at all times, but with unexpected errors at every run.
Disclaimer: The site was published at SSLlabs receiving an F; I'm not affiliated with the owner of the site, neither as an employee nor as someone working for his customer, supplier or competitor.
All output copied/pasted from the fully updated Kali distro; (sslyze was installed using the 2 pip commands):
root@kali:~# sslyze --regular autopay.jpb.jio.com

 AVAILABLE PLUGINS
 -----------------

  RobotPlugin
  OpenSslCipherSuitesPlugin
  OpenSslCcsInjectionPlugin
  FallbackScsvPlugin
  SessionResumptionPlugin
  CompressionPlugin
  HeartbleedPlugin
  HttpHeadersPlugin
  SessionRenegotiationPlugin
  CertificateInfoPlugin

 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   autopay.jpb.jio.com:443                 => 49.40.25.13

 SCAN RESULTS FOR AUTOPAY.JPB.JIO.COM:443 - 49.40.25.13
 ------------------------------------------------------

 * SSLV2 Cipher Suites:
      Server rejected all cipher suites.

 * Resumption Support:
      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Tickets:                  NOT SUPPORTED - TLS ticket not assigned.

 * OpenSSL Heartbleed:
                                         OK - Not vulnerable to Heartbleed

 * Session Renegotiation:
      Client-initiated Renegotiation:    OK - Rejected
      Secure Renegotiation:              OK - Supported

 * TLSV1 Cipher Suites:
      Server rejected all cipher suites.

      Undefined - An unexpected error happened:
         TLS_DH_anon_WITH_AES_256_CBC_SHA              timeout - timed out

 * TLSV1_3 Cipher Suites:
      Server rejected all cipher suites.

      Undefined - An unexpected error happened:
         TLS_AES_256_GCM_SHA384                        OpenSSLError - error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error

 * TLSV1_2 Cipher Suites:
      Preferred:
         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         ECDH-256 bits    128 bits    HTTP 200 OK
      Accepted:
         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            ECDH-256 bits    256 bits    HTTP 200 OK
         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384         ECDH-256 bits    256 bits    HTTP 200 OK
         TLS_RSA_WITH_AES_256_CBC_SHA256               -                256 bits    HTTP 200 OK
         TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         ECDH-256 bits    256 bits    HTTP 200 OK
         TLS_RSA_WITH_AES_256_GCM_SHA384               -                256 bits    HTTP 200 OK
         TLS_RSA_WITH_AES_256_CBC_SHA                  -                256 bits    HTTP 200 OK
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            ECDH-256 bits    128 bits    HTTP 200 OK
         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         ECDH-256 bits    128 bits    HTTP 200 OK
         TLS_RSA_WITH_AES_128_CBC_SHA                  -                128 bits    HTTP 200 OK
         TLS_RSA_WITH_AES_128_CBC_SHA256               -                128 bits    HTTP 200 OK
         TLS_RSA_WITH_AES_128_GCM_SHA256               -                128 bits    HTTP 200 OK
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         ECDH-256 bits    128 bits    HTTP 200 OK
         TLS_RSA_WITH_3DES_EDE_CBC_SHA                 -                112 bits    HTTP 200 OK

      Undefined - An unexpected error happened:
         TLS_ECDH_anon_WITH_AES_128_CBC_SHA            timeout - timed out
         TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384    OpenSSLError - error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error

 * SSLV3 Cipher Suites:
      Server rejected all cipher suites.

      Undefined - An unexpected error happened:
         TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA           timeout - timed out
         TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA         timeout - timed out

 * Downgrade Attacks:
      TLS_FALLBACK_SCSV:                 OK - Supported

 * Deflate Compression:
                                         OK - Compression disabled

 * OpenSSL CCS Injection:
                                         OK - Not vulnerable to OpenSSL CCS injection

 * Certificate Information:
      Content
        SHA1 Fingerprint:                c1050e36bd825adc6629cb8e8e36d6c64658c178
        Common Name:                     autopay.jpb.jio.com
        Issuer:                          Go Daddy Secure Certificate Authority - G2
        Serial Number:                   242726693397780616
        Not Before:                      2018-02-05 11:04:02
        Not After:                       2019-02-05 11:04:02
        Signature Algorithm:             sha256
        Public Key Algorithm:            RSA
        Key Size:                        2048
        Exponent:                        65537 (0x10001)
        DNS Subject Alternative Names:   [u'autopay.jpb.jio.com', u'www.autopay.jpb.jio.com']

      Trust
        Hostname Validation:             OK - Certificate matches autopay.jpb.jio.com
        Android CA Store (8.1.0_r7):     OK - Certificate is trusted
        iOS CA Store (11):               OK - Certificate is trusted
        macOS CA Store (High Sierra):    OK - Certificate is trusted
        Mozilla CA Store (2018-01-14):   OK - Certificate is trusted
        Windows CA Store (2017-12-28):   OK - Certificate is trusted
        Received Chain:                  autopay.jpb.jio.com --> Go Daddy Secure Certificate Authority - G2
        Verified Chain:                  autopay.jpb.jio.com --> Go Daddy Secure Certificate Authority - G2 --> Go Daddy Root Certificate Authority - G2
        Received Chain Contains Anchor:  OK - Anchor certificate not sent
        Received Chain Order:            OK - Order is valid
        Verified Chain contains SHA1:    OK - No SHA1-signed certificate in the verified certificate chain

      Extensions
        OCSP Must-Staple:                NOT SUPPORTED - Extension not found
        Certificate Transparency:        NOT SUPPORTED - Extension not found

      OCSP Stapling
                                         NOT SUPPORTED - Server did not send back an OCSP response

 * ROBOT Attack:
                                         UNKNOWN - Received inconsistent results

 * TLSV1_1 Cipher Suites:
      Server rejected all cipher suites.

      Undefined - An unexpected error happened:
         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          timeout - timed out
         TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA         timeout - timed out
         TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA         timeout - timed out

 SCAN COMPLETED IN 42.94 S
 -------------------------