rbsec / sslscan

sslscan tests SSL/TLS enabled services to discover supported cipher suites
GNU General Public License v3.0

SSL_get_error in Supported Server Cipher(s) list #146

Open jordantrc opened 6 years ago

jordantrc commented 6 years ago

When scanning a host without --verbose, I get an empty list of Supported Server Cipher(s). When I add the --verbose option, I get three "SSL_get_error(ssl, cipherStatus) said: 1" errors in the Supported Server Cipher(s) list.

root@kali:~/# sslscan --verbose host
Version: 1.11.10-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)

Some servers will fail to response to SSLv3 ciphers over STARTTLS
If your scan hangs, try using the --tlsall option

Testing SSL server host on port 443 using SNI name host

TLS Fallback SCSV:
OpenSSL OpenSSL 1.0.2-chacha (1.0.2g-dev) looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
OpenSSL OpenSSL 1.0.2-chacha (1.0.2g-dev) looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Server does not support TLS Fallback SCSV

TLS renegotiation:
OpenSSL OpenSSL 1.0.2-chacha (1.0.2g-dev) looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
use_unsafe_renegotiation_op
Session renegotiation not supported

TLS Compression:
OpenSSL OpenSSL 1.0.2-chacha (1.0.2g-dev) looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Compression disabled

Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

Supported Server Cipher(s):
SSL_get_error(ssl, cipherStatus) said: 1
SSL_get_error(ssl, cipherStatus) said: 1
SSL_get_error(ssl, cipherStatus) said: 1

I'm able to use the nmap ssl-enum-ciphers script to enumerate the ciphers without issue, see below:

root@kali:~/# nmap -P0 -sV -p 443 --script=ssl-enum-ciphers --max-rate 100 host

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-30 11:22 EDT
Nmap scan report for host (IP)
Host is up (0.051s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.37 seconds

Is it possible to get any more verbosity out of the sslscan application? Has this error been encountered before and is there a workaround or other mitigation?

Thanks for any help you can provide.
Jordan

MarcT512 commented 5 years ago

I've seen this issue when the server requires a client certificate (which sslscan doesn't have), but I think a number of things could cause it.

If it's still an issue for you in 2019 and you have the inclination to test, I've submitted a pull request that will display the underlying SSL error here: https://github.com/rbsec/sslscan/pull/179

...however it doesn't address the "client certificate" case.

You might just see:

SSL_get_error(ssl, cipherStatus) returned: 1 (SSL_ERROR_SSL) [sslscan.c:testCipher@1584]:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

...which is caused by testing for SSLv3 against a server that doesn't support SSLv3.

pandasauce commented 4 years ago

I have the same issue, the error is SSL_get_error(ssl, cipherStatus) returned: 5 (SSL_ERROR_SYSCALL)

No issues under WSL/Linux; no issues with testssl.sh under MSYS/MinGW using a MinGW build of Peter Mosman's OpenSSL. The only other case with issues is SSLyze, but I haven't tried debugging that to confirm if it's the same problem causing it.

To reproduce it, scan a server started like this using a Windows version of sslscan:

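export KEYDIR=.
# Self-signed test certificate (1024-bit RSA key, SHA-1 signature)
openssl req -x509 -nodes -sha1 -newkey rsa:1024 -keyout selfsigned.key -out selfsigned.crt -days 9999
# 512-bit DH parameters for the test server
openssl dhparam -out dhparam.pem 512
# Local test server on port 8081 (IPv4) with the cipher list used to reproduce the error
openssl s_server -4 -accept 8081 -www -cert $KEYDIR/selfsigned.crt -key $KEYDIR/selfsigned.key -dhparam $KEYDIR/dhparam.pem -cipher "ALL:eNULL:ADH:EXPORT"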
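
An added example, not part of the thread and not sslscan's own code: a small C helper that names the `SSL_get_error()` return values reported above (1 and 5) and unpacks the `error:1408F10B:...` string from MarcT512's comment into its library, function and reason numbers. The names `ssl_get_error_name`, `parse_err_line` and `struct err_parts` are hypothetical, and the bit layout assumed is the OpenSSL 1.0.x/1.1.x one (the thread's build is 1.0.2); OpenSSL 3.x packs error codes differently.

```c
/* Added example: triage helper for the values seen in this thread.
 * Constants mirror the OpenSSL 1.0.2 headers; nothing here links against OpenSSL. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* SSL_get_error() return values as defined in openssl/ssl.h (0..8). */
const char *ssl_get_error_name(int code) {
    static const char *names[] = {
        "SSL_ERROR_NONE", "SSL_ERROR_SSL", "SSL_ERROR_WANT_READ",
        "SSL_ERROR_WANT_WRITE", "SSL_ERROR_WANT_X509_LOOKUP",
        "SSL_ERROR_SYSCALL", "SSL_ERROR_ZERO_RETURN",
        "SSL_ERROR_WANT_CONNECT", "SSL_ERROR_WANT_ACCEPT" };
    if (code < 0 || code > 8) return "unknown";
    return names[code];
}

struct err_parts { unsigned lib, func, reason; char text[96]; };

/* Parse "...error:<hex>:<lib>:<func>:<reason text>" and unpack the hex code
 * (assumed 1.0.x/1.1.x layout: lib = bits 24-31, func = 12-23, reason = 0-11).
 * Returns 0 on success, -1 if the line carries no well-formed error string. */
int parse_err_line(const char *line, struct err_parts *out) {
    const char *p = strstr(line, "error:");
    if (!p) return -1;
    p += 6;
    char *end;
    unsigned long packed = strtoul(p, &end, 16);
    if (end == p || *end != ':') return -1;
    out->lib = (packed >> 24) & 0xff;
    out->func = (packed >> 12) & 0xfff;
    out->reason = packed & 0xfff;
    const char *txt = strrchr(end, ':');   /* last field is the reason text */
    snprintf(out->text, sizeof out->text, "%s", txt + 1);
    return 0;
}

int main(void) {
    /* Line quoted in the thread (MarcT512's comment). */
    const char *line = "SSL_get_error(ssl, cipherStatus) returned: 1 (SSL_ERROR_SSL) "
        "[sslscan.c:testCipher@1584]:error:1408F10B:SSL routines:"
        "SSL3_GET_RECORD:wrong version number";
    struct err_parts e;
    if (parse_err_line(line, &e) == 0)
        printf("lib=%u func=%u reason=%u (%s)\n", e.lib, e.func, e.reason, e.text);
    printf("1 -> %s, 5 -> %s\n", ssl_get_error_name(1), ssl_get_error_name(5));
    return 0;
}
```

A line without the `error:<hex>:` part, such as the original `said: 1` output, makes `parse_err_line` return -1, which is the case where only the `SSL_get_error()` value is available for triage.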