prbinu / tls-scan

An Internet scale, blazing fast SSL/TLS scanner ( non-blocking, event-driven )
https://prbinu.github.io/tls-scan

Possible incorrect versions in Json files when using the ./build-x86-64-openssl-1.1.0.sh build #17

Closed ealashwali closed 6 years ago

ealashwali commented 6 years ago

Using this build from the file: ./build-x86-64-openssl-1.1.0.sh I never get TLS1.0 or TLSv1.1 in the results. It seems that tls-scan always records them as SSLv3. Can you please advise on this issue?

ealashwali commented 6 years ago

As an example, this IP 100.0.35.204 is TLS1.0 but tls-scan records it as SSLv3. I will appreciate and acknowledge your response and help, please, if this can be fixed.

prbinu commented 6 years ago

./tls-scan -c 100.0.35.204 --cacert=../etc/tls-scan/ca-bundle.crt --pretty -V -e
{
  "host": "100.0.35.204",
  "ip": "100.0.35.204",
  "port": 443,
  "cipher": "AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1",
  "secureRenego": false,
  "compression": "NONE",
  "expansion": "NONE",
  "tlsVersions": [
    "SSLv2", 
    "SSLv3", 
    "TLSv1"
  ],
  "cipherSuite": {
    "supported": [
      "AES256-SHA",
      "AES128-SHA",
      "RC4-SHA",
      "DES-CBC3-SHA"
    ]
  },
  "x509ChainDepth": 1,
  "verifyCertResult": false,
  "verifyCertError": "self signed certificate",
  "verifyHostResult": false,
  "ocspStapled": false,
  "certificateChain": [
  {
    "version": 3,
    "subject": "CN=ORname_Jungo: OpenRG Products Group; C=US",
    "issuer": "CN=ORname_Jungo: OpenRG Products Group; C=US",
    "subjectCN": "ORname_Jungo: OpenRG Products Group",
    "signatureAlg": "md5WithRSAEncryption",
    "notBefore": "Jun  3 11:11:43 2004 GMT",
    "notAfter": "May 29 11:11:43 2024 GMT",
    "expired": false,
    "serialNo": "00",
    "keyUsage": "Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign",
    "extKeyUsage": "TLS Web Client Authentication, Code Signing, E-mail Protection, TLS Web Server Authentication",
    "publicKeyAlg": "RSA",
    "publicKeySize": 1024,
    "basicConstraints": "CA:TRUE, pathlen:5",
    "sha1Fingerprint": "43:88:33:C0:94:F6:AF:C8:64:C6:0E:4A:6F:57:E9:F4:D1:28:14:11"
  } ]
}

<|---------Scan Summary---------|>
 [11793] ciphers             : ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:ADH-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:ADH-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:DHE-RSA-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA256:ADH-AES256-SHA256:ADH-CAMELLIA256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA128-SHA256:ADH-AES128-SHA256:ADH-CAMELLIA128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-SHA:ADH-SEED-SHA:ADH-CAMELLIA128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:AECDH-RC4-SHA:ADH-RC4-MD5:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AECDH-DES-CBC3-SHA:ADH-DES-CBC3-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM8:DHE-PSK-AES256-CCM:AES256-GCM-SHA384:AES256-CCM8:AES256-CCM:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM8:DHE-PSK-AES128-CCM:AES128-GCM-SHA256:AES128-CCM8:AES128-CCM:AES256
-SHA256:CAMELLIA256-SHA256:AES128-SHA256:CAMELLIA128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:ECDHE-PSK-CAMELLIA256-SHA384:RSA-PSK-CAMELLIA256-SHA384:DHE-PSK-CAMELLIA256-SHA384:AES256-SHA:CAMELLIA256-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:ECDHE-PSK-CAMELLIA128-SHA256:RSA-PSK-CAMELLIA128-SHA256:DHE-PSK-CAMELLIA128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-PSK-RC4-SHA:RSA-PSK-RC4-SHA:DHE-PSK-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-PSK-3DES-EDE-CBC-SHA:RSA-PSK-3DES-EDE-CBC-SHA:DHE-PSK-3DES-EDE-CBC-SHA:DES-CBC3-SHA:AECDH-NULL-SHA:ECDHE-ECDSA-NULL-SHA:ECDHE-RSA-NULL-SHA:NULL-SHA256:ECDHE-PSK-NULL-SHA384:ECDHE-PSK-NULL-SHA256:ECDHE-PSK-NULL-SHA:RSA-PSK-NULL-SHA384:RSA-PSK-NULL-SHA256:DHE-PSK-NULL-SHA384:DHE-PSK-NULL-SHA256:RSA-PSK-NULL-SHA:DHE-PSK-NULL-SHA:NULL-SHA:NULL-MD5: (140)
 [11793] dns-lookup          : 1
 [11793] network-error       : 138
 [11793] dns-errcount        : 0
 [11793] remote-close-error  : 0
 [11793] unknown-error       : 0
 [11793] timeout-error       : 0
 [11793] connect-error       : 0
 [11793] tls-handshake       : 1
 [11793] gross-tls-handshake : 8
 [11793] elapsed-time        : 7.775612 secs
<|------------------------------|>

ealashwali commented 6 years ago

But the actual version this IP selects is TLS1.0 not SSLv3. In your results, it shows SSLv3 in the "cipher". I made sure by using tls-scan and inspecting the actual selected version using Wireshark. The actual one is TLS1.0. The tls-scan recorded one is SSLv3. Also, from a large set that I cannot post, tls-scan does not record TLS1.0 or TLS1.1 versions. Only SSLv3 and TLS1.2.

prbinu commented 6 years ago

"cipher": "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1",

This is because the cipher is originally an SSLv3 cipher, but also works on TLS versions.

ealashwali commented 6 years ago

I get you now. I am referring to the TLS version in the ServerHello message (i.e. the session's TLS version). But this seems to be the min. TLS version that supports the ciphersuite. Is there any way I am missing through which I can get the session's TLS version (not the ciphersuite's TLS version)?
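
The distinction worked out in this thread, as an added example that is not part of the original thread or of tls-scan's code: the session's version is the server_version field of the ServerHello, while the cipher suite ID (0x0035 for AES256-SHA) is the same whether the session runs SSLv3 or TLS 1.0. The byte string, struct and function names are constructed for illustration, and the parser assumes an unfragmented ServerHello at the start of the record.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample (not a capture from the thread): one TLS record holding a
 * ServerHello that selects TLS 1.0 (0x0301) and suite 0x0035 (AES256-SHA). */
static const uint8_t sample_server_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x2a,          /* record: handshake, 42 bytes follow */
    0x02, 0x00, 0x00, 0x26, 0x03, 0x01,    /* ServerHello, 38 bytes, server_version */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* 32-byte random */
    0x00, 0x00, 0x35, 0x00                 /* empty session_id, cipher_suite, compression */
};

struct server_hello { uint16_t version, cipher_suite; };
/* Returns 0 on success, -1 if p is not a complete, well-formed ServerHello. */
int parse_server_hello(const uint8_t *p, size_t len, struct server_hello *out)
{
    if (len < 9 || p[0] != 0x16 || p[5] != 0x02) return -1;
    size_t rec_len = ((size_t)p[3] << 8) | p[4];
    size_t hs_len = ((size_t)p[6] << 16) | ((size_t)p[7] << 8) | p[8];
    if (rec_len + 5 > len || hs_len + 4 > rec_len || hs_len < 38) return -1;
    const uint8_t *b = p + 9;              /* start of the ServerHello body */
    size_t sid_len = b[34];                /* session_id length follows the random */
    if (sid_len > 32 || hs_len < 38 + sid_len) return -1;
    out->version = (uint16_t)((b[0] << 8) | b[1]);       /* the session's version */
    out->cipher_suite = (uint16_t)((b[35 + sid_len] << 8) | b[36 + sid_len]);
    return 0;
}

/* Up to TLS 1.2 this field is the negotiated version; TLS 1.3 keeps 0x0303 here
 * and signals the real version in the supported_versions extension. */
const char *version_name(uint16_t v)
{
    switch (v) {
    case 0x0300: return "SSLv3";
    case 0x0301: return "TLSv1";
    case 0x0302: return "TLSv1.1";
    case 0x0303: return "TLSv1.2";
    default:     return "unknown";
    }
}

int main(void)
{
    struct server_hello sh;
    if (parse_server_hello(sample_server_hello, sizeof sample_server_hello, &sh)) return 1;
    printf("negotiated=%s cipher_suite=0x%04x\n", version_name(sh.version), (unsigned)sh.cipher_suite);
    return 0;
}
```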