rbsec / sslscan

sslscan tests SSL/TLS enabled services to discover supported cipher suites
GNU General Public License v3.0

"Unable to parse certificate" with version 2.1.1 #298

Open strongBurger opened 10 months ago

strongBurger commented 10 months ago

C:\Users\user7>sslscan maccosmetics.fr
Version: 2.1.1 Windows 64-bit (Mingw)
OpenSSL 3.0.9 30 May 2023

Connected to 63.158.167.241

Testing SSL server maccosmetics.fr on port 443 using SNI name maccosmetics.fr

SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 disabled

TLS Fallback SCSV: Server supports TLS Fallback SCSV

TLS renegotiation: Session renegotiation not supported

TLS Compression: Compression disabled

Heartbleed: TLSv1.2 not vulnerable to heartbleed

Supported Server Cipher(s):

Server Key Exchange Group(s):
TLSv1.2 112 bits secp224r1
TLSv1.2 128 bits secp256r1 (NIST P-256)
TLSv1.2 192 bits secp384r1 (NIST P-384)
TLSv1.2 260 bits secp521r1 (NIST P-521)
Unable to parse certificate
Unable to parse certificate
Unable to parse certificate
Unable to parse certificate
Certificate information cannot be retrieved.


compared to version 2.0.16:

C:\Users\user7>sslscan maccosmetics.fr
Version: 2.0.16 Windows 64-bit (Mingw)
OpenSSL 1.1.1u-dev xx XXX xxxx

Connected to 63.158.167.241

Testing SSL server maccosmetics.fr on port 443 using SNI name maccosmetics.fr

SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 disabled

TLS Fallback SCSV: Server supports TLS Fallback SCSV

TLS renegotiation: Session renegotiation not supported

TLS Compression: Compression disabled

Heartbleed: TLSv1.2 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256

Server Key Exchange Group(s):
TLSv1.2 112 bits secp224r1
TLSv1.2 128 bits secp256r1 (NIST P-256)
TLSv1.2 192 bits secp384r1 (NIST P-384)
TLSv1.2 260 bits secp521r1 (NIST P-521)

SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048

Subject: maccosmetics.fr
Altnames: DNS:maccosmetics.fr
Issuer: R3

Not valid before: Sep 30 09:18:48 2023 GMT
Not valid after: Dec 29 09:18:47 2023 GMT

jtesta commented 10 months ago

@strongBurger : thanks for reporting! I submitted PR #299 to address this issue.

strongBurger commented 10 months ago

Thanks, also the "Supported Server Cipher(s):" doesn't show anything, I hope this fixes that too.

jtesta commented 10 months ago

On Sat, 2023-11-11 at 01:54 -0800, strongBurger wrote:

Thanks, also the "Supported Server Cipher(s):" doesn't show anything, I hope this fixes that too.

I missed that part the first time around. I just updated the PR to fix ciphersuite enumeration as well. Thanks!

rbsec commented 10 months ago

@strongBurger I've tagged a new release as 2.1.2 with the fixes for this included, so hopefully that'll work for you.

@jtesta fantastic as always. You don't see many systems around that still use unsafe renegotiation (especially ones that only support TLSv1.2?). A rather odd setup..