Closed ealashwali closed 6 years ago
Please provide steps to reproduce. In this case, I would expect the full command line parameters used, server, and the output you received.
Here is an example:
./tls-scan --connect=100.0.35.204 --ip --port=443 --cacert=../../../../../etc/ssl/certs/ca-certificates.crt --timeout=5 --ciphers="AES128-SHA:AES256-SHA"
Output:
{ "ip": "100.0.35.204", "port": 443, "cipher": "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1", "secureRenego": false, "compression": "NONE", "expansion": "NONE", "x509ChainDepth": 1, "verifyCertResult": false, "verifyCertError": "self signed certificate", "verifyHostResult": false, "ocspStapled": false, "certificateChain": [ { "version": 3, "subject": "CN=ORname_Jungo: OpenRG Products Group; C=US", "issuer": "CN=ORname_Jungo: OpenRG Products Group; C=US", "subjectCN": "ORname_Jungo: OpenRG Products Group", "signatureAlg": "md5WithRSAEncryption", "notBefore": "Jun 3 11:11:43 2004 GMT", "notAfter": "May 29 11:11:43 2024 GMT", "expired": false, "serialNo": "00", "keyUsage": "Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign", "extKeyUsage": "TLS Web Client Authentication, Code Signing, E-mail Protection, TLS Web Server Authentication", "publicKeyAlg": "RSA", "publicKeySize": 1024, "basicConstraints": "CA:TRUE, pathlen:5", "sha1Fingerprint": "43:88:33:C0:94:F6:AF:C8:64:C6:0E:4A:6F:57:E9:F4:D1:28:14:11" } ] }
The version in the output is SSLv3. The actual negotiated version, by inspecting the packets, is TLS 1.0.
There are two other issues I posted after this. I just need two things: 1) parse SSLv3, TLS1.0, TLS1.1 correctly in the results. Also, I want to be able to disable SSLv3 from the associated OpenSSL (1.1.0), but when I do this I get a compilation error (related to ssl3) which only gets solved if I enable ssl3 and ssl3-methods in the OpenSSL compilation. I will appreciate it if you can let me know whether these issues can be solved any time soon.
Please note that the same cipher can be used with multiple SSL/TLS versions. I would recommend to review the cipher and TLS version support
openssl ciphers -stdname
https://wiki.mozilla.org/Security/Server_Side_TLS
I am referring to the TLS version in the ServerHello message (i.e. the session's TLS version). But this seems to be the min. TLS version that supports the ciphersuite. Is there any way I am missing through which I can get the session's TLS version (not the ciphersuite's TLS version)?
Unless you use --version-enum, by default the output doesn't include the default negotiated TLS version (the example CLI you used). I should be able to add this to the scan output. Give me a couple of days.
I have added a new field tlsVersion. Please close the ticket if this satisfies your requirement.
./tls-scan --connect=100.0.35.204 --ip --port=443 --cacert=ca-bundle.crt --timeout=5 --ciphers="AES128-SHA:AES256-SHA" --pretty
{
  "ip": "100.0.35.204",
  "port": 443,
  "tlsVersion": "TLSv1",
  "cipher": "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1",
  "secureRenego": false,
  "compression": "NONE",
  "expansion": "NONE",
  "x509ChainDepth": 1,
  "verifyCertResult": false,
  "verifyCertError": "self signed certificate",
  "verifyHostResult": false,
  "ocspStapled": false,
  "certificateChain": [
    {
      "version": 3,
      "subject": "CN=ORname_Jungo: OpenRG Products Group; C=US",
      "issuer": "CN=ORname_Jungo: OpenRG Products Group; C=US",
      "subjectCN": "ORname_Jungo: OpenRG Products Group",
      "signatureAlg": "md5WithRSAEncryption",
      "notBefore": "Jun 3 11:11:43 2004 GMT",
      "notAfter": "May 29 11:11:43 2024 GMT",
      "expired": false,
      "serialNo": "00",
      "keyUsage": "Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign",
      "extKeyUsage": "TLS Web Client Authentication, Code Signing, E-mail Protection, TLS Web Server Authentication",
      "publicKeyAlg": "RSA",
      "publicKeySize": 1024,
      "basicConstraints": "CA:TRUE, pathlen:5",
      "sha1Fingerprint": "43:88:33:C0:94:F6:AF:C8:64:C6:0E:4A:6F:57:E9:F4:D1:28:14:11"
    }
  ]
}
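An added example, not part of the thread or of tls-scan's own code: it tallies protocol versions in tls-scan JSON results from the tlsVersion field rather than from the token inside the cipher string, which is how a bulk scan ends up looking like it is mostly SSLv3. It assumes one JSON object per line and that the second token of "cipher" is the suite's protocol label from OpenSSL's cipher description; the sample records and function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample lines shaped like the tls-scan JSON in this thread
# (documentation-range IPs; the third lacks "tlsVersion", as older output would).
SAMPLE_LINES = [
    '{"ip": "192.0.2.10", "port": 443, "tlsVersion": "TLSv1", '
    '"cipher": "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"}',
    '{"ip": "192.0.2.11", "port": 443, "tlsVersion": "TLSv1.2", '
    '"cipher": "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1"}',
    '{"ip": "192.0.2.12", "port": 443, '
    '"cipher": "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"}',
]


def cipher_suite_version(record):
    """Second token of the "cipher" description: the suite's own protocol
    label (assumed OpenSSL description format), not the session's version."""
    parts = record.get("cipher", "").split()
    return parts[1] if len(parts) > 1 else "unknown"


def session_version(record):
    """Negotiated version from "tlsVersion"; "unknown" if the field is absent."""
    return record.get("tlsVersion") or "unknown"


def tally(lines):
    """Count versions both ways and list hosts whose session version is unknown."""
    by_cipher, by_session, unknown_hosts = Counter(), Counter(), []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        by_cipher[cipher_suite_version(record)] += 1
        version = session_version(record)
        by_session[version] += 1
        if version == "unknown":
            unknown_hosts.append(record.get("ip"))
    return by_cipher, by_session, unknown_hosts


if __name__ == "__main__":
    by_cipher, by_session, unknown_hosts = tally(SAMPLE_LINES)
    print("from cipher string:", dict(by_cipher))
    print("from tlsVersion:   ", dict(by_session))
    print("rescan needed:     ", unknown_hosts)
```

Hosts listed as unknown came from output without the tlsVersion field and need a rescan with a build that emits it before their version can be counted.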
Hi, I suspect there is some bug in recording the TLS version in the results (json file) or somewhere. Using tls-scan on a large set of addresses, I get a very high number of SSLv3 in the results (around 70%), which sounds unusual. The SSLv3 version code, as far as I know, is:
SSLv3: 0x00000300
TLS1.0: 0x00000301
TLS1.1: 0x00000302
TLS1.2: 0x00000303
Do you suspect any issue in parsing the server's selected version value (from the server hello)? I am using the tls-scan tool not for enumeration, just a regular handshake. I compiled my tls-scan using this .sh file (and I specified OpenSSL 1.1.0g): https://github.com/prbinu/tls-scan/blob/master/build-x86-64-openssl-1.1.0.sh
Thanks.