sslproto module fails to detect clients connecting with export-grade ciphers #42

Closed
abbbe opened this Issue Jun 12, 2012 · 28 comments

Owner

abbbe commented Jun 12, 2012

To reproduce the problem, check out the fix-sslproto-export-ciphers branch. This branch has sslv2 disabled. Run bin/test-sslcaudit:

bin/test-sslcaudit

test_curl_rejects_export_ciphers (test.TestSSLProtoModule.TestSSLProtoModule) ... ok
test_opensssl_accepts_all_ciphers (test.TestSSLProtoModule.TestSSLProtoModule) ...
unexpected results
ACCAR(sslproto(sslv3, EXPORT), no shared cipher)
ACCAR(sslproto(tlsv1, EXPORT), no shared cipher)
missing results
ECCAR(sslproto(sslv3, EXPORT), <sslcaudit.modules.sslproto.ServerHandler.Connected object at 0x29b3090>)
ECCAR(sslproto(tlsv1, EXPORT), <sslcaudit.modules.sslproto.ServerHandler.Connected object at 0x29bb4d0>)
FAIL

It can be shown that openssl itself behaves correctly. Do the following from the sslcaudit/ directory, to make sure the paths to the certs and key are correct.

Running openssl server with export cipher

openssl s_server -cert test/certs/www.example.com-cert.pem -key test/certs/www.example.com-key.pem -cipher EXPORT

Asking the openssl client to connect to it.

openssl s_client -connect localhost:4433 -cipher EXPORT

...
Cipher : EXP-EDH-RSA-DES-CBC-SHA
It works as expected, an export-grade cipher is chosen

Now, replace the server with sslcaudit (run the client the same way, in a loop):

bin/sslcaudit -m sslproto -l 0.0.0.0:4433

...
127.0.0.1:40880 sslproto(sslv3, HIGH) no shared cipher
127.0.0.1:40881 sslproto(sslv3, MEDIUM) no shared cipher
127.0.0.1:40882 sslproto(sslv3, LOW) no shared cipher
127.0.0.1:40883 sslproto(sslv3, EXPORT) no shared cipher
127.0.0.1:40884 sslproto(tlsv1, HIGH) no shared cipher
127.0.0.1:40885 sslproto(tlsv1, MEDIUM) no shared cipher
127.0.0.1:40886 sslproto(tlsv1, LOW) no shared cipher
127.0.0.1:40887 sslproto(tlsv1, EXPORT) no shared cipher

Owner

abbbe commented Jun 25, 2012

There is a comment on stackoverflow. I think the guy is wrong, there is "ctx.load_cert_chain(certchainfile=CERTFILE, keyfile=KEYFILE)" in the code. Unfortunately it appears I can't comment on stackoverflow anymore, maybe because of the bounty I've started.

Collaborator

stamparm commented Jun 25, 2012

But there is something intriguing in his answer. If you take a look you'll for sure see "no peer certificate available" in OK case. Let's wait and see if anyone writes a better answer (but I'll for sure think about this)

Owner

abbbe commented Jun 25, 2012

The example in your post seems to be broken. If I save the files and execute your s_server then s_client I get this:

abb@e6510:/tmp$ openssl s_client -connect localhost:4433 -cipher EXPORT
CONNECTED(00000003)
depth=0 C = BE, CN = www.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = BE, CN = www.example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = BE, CN = www.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:/C=BE/CN=www.example.com
   i:/C=BE/CN=test-ca

Server certificate
subject=/C=BE/CN=www.example.com

issuer=/C=BE/CN=test-ca

No client certificate CA names sent

SSL handshake has read 1141 bytes and written 242 bytes

New, TLSv1/SSLv3, Cipher is EXP-EDH-RSA-DES-CBC-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : SSLv3
Cipher : EXP-EDH-RSA-DES-CBC-SHA
Session-ID: D780218D042B2352D5EE8C74BC318B2A9303FC1702784C4212D67B5F13904141
Session-ID-ctx:
Master-Key: 435B19E68E61C4A7BCAB64DAB4802BEF6816CE3D64561E4D732075D41CE6A4AC662F821A74BF6A2840598B2000B42692
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Compression: 1 (zlib compression)
Start Time: 1340641927
Timeout : 300 (sec)

Verify return code: 21 (unable to verify the first certificate)

Collaborator

stamparm commented Jun 25, 2012

But I believe that this is really happening from the beginning (original message of this Issue). I've just reused those certificates (I believe that those are self-signed hence the "verify error:num=27:certificate not trusted") from source.

Owner

abbbe commented Jun 25, 2012

I don't know why you say it was happening from the beginning. I've read the original message, there is nothing about missing certificates. What makes you think so?

Anyway, can you please check and update the post on stackoverflow to reflect the real problem we are trying to solve? Or do you say the whole issue is a mistake?

Collaborator

stamparm commented Jun 25, 2012

Ok. Sorry. After a second thought this has nothing to do with the certificates. We just want to reproduce what has been done with openssl s_server. Comment is updated at http://stackoverflow.com/questions/11101794/export-ciphers-and-m2crypto-openssl

Collaborator

stamparm commented Jun 25, 2012

p.s. that "symptoms" part is now updated

Owner

abbbe commented Jun 25, 2012

Nice, thanks.

Owner

abbbe commented Jun 25, 2012

I think the problem is not related to m2crypto strictly. PyOpenSSL seems to be affected as well. I've made a twisted-based SSL server (test/ssl-twisted-server.py in fix-sslproto-export-ciphers branch) and it has exactly the same effect.

Collaborator

stamparm commented Jun 25, 2012

Cool finding. Do you know how we could sniff and/or debug the traffic?
There obviously has to be some difference(s) at the handshake level.

Owner

abbbe commented Jun 26, 2012

I've looked at the handshake: the server just rejects the connection as soon as it sees the client only supports export-grade ciphers.

I've taken the examples from the openssl library (now under test/ in sslcaudit) and they fail too:

abb@e6510:~/dvp/sslcaudit/test/openssl-examples-20020110$ ./wserver2 -a EXP-RC4-MD5
SSL accept error
140020402464416:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1353:

abb@e6510:~$ date | openssl s_client -connect localhost:4433 -cipher EXP-RC4-MD5
CONNECTED(00000003)
139688996304544:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 64 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

But if I tell it to use HIGH ciphers, for example, all works as expected. Weird.

And at the same time openssl s_server works fine with these ciphers.

abb@e6510:/tmp$ openssl s_server -cert dummy_cert.pem -key dummy_key.pem -cipher EXP-RC4-MD5
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
Generating temp (512 bit) RSA key...
-----BEGIN SSL SESSION PARAMETERS-----
MFoCAQECAgMCBAIAAwQABDDavgNBa/Lyft5vyNhRMDTXjwseT8WWPuSFHvbj7zSg
YXBm2AcLfFKE2J37bOw9OLShBgIET+lunaIEAgIBLKQGBAQBAAAAqwMEAQE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:EXP-RC4-MD5
CIPHER is EXP-RC4-MD5
Secure Renegotiation IS supported
Tue Jun 26 10:11:09 CEST 2012
DONE
shutting down SSL
CONNECTION CLOSED
ACCEPT


abb@e6510:~$ date | openssl s_client -connect localhost:4433 -cipher EXP-RC4-MD5
CONNECTED(00000003)
depth=0 C = BE, CN = www.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = BE, CN = www.example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = BE, CN = www.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=BE/CN=www.example.com
   i:/C=BE/CN=test-ca
---
Server certificate
subject=/C=BE/CN=www.example.com
issuer=/C=BE/CN=test-ca
---
No client certificate CA names sent
---
SSL handshake has read 1185 bytes and written 190 bytes
---
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : EXP-RC4-MD5
    Session-ID: 62A4EC86E2D3CF3519C093E21BDF0F30ACF4E9F015D65F146E205B5EAE4B7E0B
    Session-ID-ctx: 
    Master-Key: DABE03416BF2F27EDE6FC8D8513034D78F0B1E4FC5963EE4851EF6E3EF34A0617066D8070B7C5284D89DFB6CEC3D38B4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Compression: 1 (zlib compression)
    Start Time: 1340698269
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE

Collaborator

stamparm commented Jun 26, 2012

This all "stinks" like the same type of constraint as in SSLv2.
But, how the hell is that openssl s_server working :)

Collaborator

stamparm commented Jun 26, 2012

Might be useful for debugging SSL handshakes: sudo ssldump -a -A -H -i lo (Reference: http://prefetch.net/articles/debuggingssl.html)

Sample output:

New TCP connection #1: localhost(45977) <-> localhost(4433)
1 1 0.0004 (0.0004) C>SV3.1(66) Handshake
ClientHello
Version 3.1
random[32]=
4f e9 74 32 56 c7 a0 8b b4 2f 16 9c b7 69 60 aa
c3 8e 85 d9 a7 79 35 90 f1 67 14 8a 1a 19 40 5d
cipher suites
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
Unknown value 0xff
compression methods
unknown value
NULL
1 2 0.0005 (0.0001) S>CV3.0(2) Alert
level fatal
value handshake_failure
1 0.0006 (0.0001) S>C TCP FIN
1 0.0045 (0.0038) C>S TCP FIN

Will compare OK and NOK cases
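
A passive way to read what the ssldump trace above shows, as an added example (not sslcaudit code, and not how its sslproto module works, which completes a real handshake): parse the ClientHello record and report which offered suites are export-grade. The sample records are constructed, with the suite order taken from the trace; all function names are hypothetical.

```python
import struct

# Export-grade suites defined for SSLv3 / TLS 1.0 (RFC 2246), by 16-bit id.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
# Renegotiation signalling value, not a cipher (ssldump: "Unknown value 0xff").
SCSV_RENEGOTIATION = 0x00FF


class ClientHelloError(ValueError):
    """The bytes are not one complete SSLv3/TLS ClientHello record."""


def parse_client_hello(record: bytes) -> dict:
    """Return client_version and the offered cipher-suite ids."""
    if len(record) < 5:
        raise ClientHelloError("truncated record header")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ClientHelloError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ClientHelloError("truncated handshake record")
    if body[0] != 1:
        raise ClientHelloError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ClientHelloError("ClientHello spans several records")
    try:
        version = struct.unpack("!H", hello[:2])[0]
        pos = 2 + 32                      # client_version + random
        pos += 1 + hello[pos]             # session_id length byte + session_id
        suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        raw = hello[pos + 2:pos + 2 + suites_len]
    except (IndexError, struct.error):
        raise ClientHelloError("malformed ClientHello") from None
    if len(raw) != suites_len or suites_len % 2:
        raise ClientHelloError("bad cipher_suites length")
    suites = [int.from_bytes(raw[i:i + 2], "big")
              for i in range(0, suites_len, 2)]
    return {"version": version, "suites": suites}


def classify_offer(record: bytes) -> dict:
    """Label a ClientHello as export-only, export-offered or no-export."""
    hello = parse_client_hello(record)
    real = [s for s in hello["suites"] if s != SCSV_RENEGOTIATION]
    export = [EXPORT_SUITES[s] for s in real if s in EXPORT_SUITES]
    if not export:
        verdict = "no-export"
    elif len(export) == len(real):
        verdict = "export-only"       # the case the server rejected above
    else:
        verdict = "export-offered"
    return {"version": hello["version"], "export": export, "verdict": verdict}


def build_client_hello(suites, version=0x0301) -> bytes:
    """Build a minimal ClientHello record (constructed sample, zero random)."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(suite_bytes)) + suite_bytes
             + b"\x01\x00")           # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake


# Constructed samples. The first lists the suites in the order of the trace.
SAMPLE_EXPORT_ONLY = build_client_hello(
    [0x0019, 0x0017, 0x0014, 0x0011, 0x0008, 0x0006, 0x0003, 0x00FF])
SAMPLE_MIXED = build_client_hello([0x002F, 0x0003, 0x00FF])
SAMPLE_STRONG = build_client_hello([0x002F, 0x0035])

if __name__ == "__main__":
    for name, rec in [("export-only", SAMPLE_EXPORT_ONLY),
                      ("mixed", SAMPLE_MIXED), ("strong", SAMPLE_STRONG)]:
        result = classify_offer(rec)
        print(name, hex(result["version"]), result["verdict"], result["export"])
```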

stamparm Jun 26, 2012

Collaborator

NOK handshake:
http://pastebin.com/YuC7d8zg

OK handshake:
http://pastebin.com/U6YGQmv9

This is one of those "satanic" problems. You can clearly see that at handshake they have the same fields except random[32] which are supposed to be different :)
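
An added example (not code from sslcaudit or from either commenter): a small parser for ssldump output of the kind pasted earlier in the thread. It reports whether the client offered only export-grade suites, how the server answered, and which ClientHello fields differ between an OK and a NOK capture once random[32] is ignored. The sample text is constructed; the ServerHello line layout and all function names are assumptions.

```python
import re

# Record header as ssldump prints it, e.g. "1 2 0.0005 (0.0001) S>CV3.0(2) Alert"
RECORD = re.compile(
    r"^\d+ \d+\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s*V(\d\.\d)\(\d+\)\s+(\w+)")
HEX_ROW = re.compile(r"^(?:[0-9a-f]{2} ?)+$")  # bytes of random[32] / session_id

def parse_ssldump(text):
    """Reduce one connection's ssldump output to the fields that decide the handshake."""
    conn = {"hello_version": None, "offered": [], "compression": [],
            "chosen": None, "alert": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()  # pasted output usually loses ssldump's indentation
        if not line or HEX_ROW.match(line):
            continue
        rec = RECORD.match(line)
        if rec:  # a new TLS record ends whatever list was being read
            section = "alert" if rec.group(3) == "Alert" else None
        elif line in ("ClientHello", "ServerHello"):
            section = line
        elif section == "ClientHello" and line.startswith("Version "):
            conn["hello_version"] = line.split()[1]
        elif line in ("cipher suites", "compression methods"):
            section = line
        elif section == "cipher suites":
            conn["offered"].append(line)
        elif section == "compression methods":
            conn["compression"].append(line)
        elif section == "ServerHello" and line.startswith("cipherSuite"):
            conn["chosen"] = line.split()[-1]
        elif section == "alert" and line.startswith(("level ", "value ")):
            key, val = line.split(None, 1)
            conn["alert"] = {**(conn["alert"] or {}), key: val}
    return conn

def is_export(suite):
    return "_EXPORT_" in suite

def verdict(conn):
    named = [s for s in conn["offered"] if not s.lower().startswith("unknown value")]
    export_only = bool(named) and all(is_export(s) for s in named)
    if conn["chosen"]:
        grade = "export-grade" if is_export(conn["chosen"]) else "non-export"
        return f"negotiated {grade} suite {conn['chosen']}"
    if conn["alert"]:
        offer = "export-only" if export_only else "mixed or non-export"
        return f"{offer} offer rejected with {conn['alert'].get('value')}"
    return "handshake incomplete"

def client_hello_diff(a, b):
    """ClientHello fields that differ between two captures; random[32] is ignored."""
    return [k for k in ("hello_version", "offered", "compression") if a[k] != b[k]]

# Constructed sample in the layout of the ssldump output above (ServerHello lines assumed).
CLIENT_HELLO = """1 1 0.0004 (0.0004) C>SV3.1(66) Handshake
ClientHello
Version 3.1
random[32]=
%s
cipher suites
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
Unknown value 0xff
compression methods
NULL
"""
NOK = parse_ssldump(CLIENT_HELLO % "4f e9 74 32" + """1 2 0.0005 (0.0001) S>CV3.0(2) Alert
level fatal
value handshake_failure
""")
OK = parse_ssldump(CLIENT_HELLO % "aa bb cc dd" + """1 2 0.0012 (0.0008) S>CV3.1(74) Handshake
ServerHello
Version 3.1
cipherSuite TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
""")

if __name__ == "__main__":
    print(verdict(NOK), verdict(OK), client_hello_diff(NOK, OK), sep="\n")
```

An empty diff alongside two different verdicts means the client's offer is not what distinguishes the two cases, so the server-side configuration is the place to look.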

stamparm Jun 26, 2012

Collaborator

Sent a question to the OpenSSL ML openssl-users (http://www.mail-archive.com/openssl-users@openssl.org/) without subscribing to it, so I hope that it will appear there in a day or two. If it doesn't appear in the archive, I'll subscribe and resend it. Will keep you posted.
P.S. I would put you in the CC but I don't know your email address ;)

abbbe Jun 26, 2012

Owner

Abb at gremwell dot com

abbbe Jun 26, 2012

Owner

I've tried to trace library calls for both cases.

abb@e6510:~/dvp/sslcaudit/test/openssl-examples-20020110$ ltrace ./wserver2 -a EXPORT
__libc_start_main(0x401a31, 3, 0x7fff389b0248, 0x402080, 0x402110 <unfinished ...>
getopt(3, 0x7fff389b0248, "cCxna:")                                                    = 97
strdup("EXPORT")                                                                       = 0x01460010
getopt(3, 0x7fff389b0248, "cCxna:")                                                    = -1
SSL_library_init(0x402222, 0x402219, 0x7f2269092258, 0, 0)                             = 1
SSL_load_error_strings(0x7f226944aa40, 0x7f22694a6c50, 0, 16, 0)                       = 0
BIO_new_fp(0x7f2269093180, 0, 0x7f22691fb13d, 408, 3)                                  = 0x1479990
signal(13, 0x00401f63)                                                                 = NULL
SSLv23_method(13, 0x7fff389afe58, 0, -1, 0x7fff389b0040)                               = 0x7f22696b4ea0
SSL_CTX_new(0x7f22696b4ea0, 0x7fff389afe58, 0, -1, 0x7fff389b0040)                     = 0x1479b80
SSL_CTX_use_certificate_chain_file(0x1479b80, 0x402222, 0x402222, 0x7f2269092778, 2)   = 1
SSL_CTX_set_default_passwd_cb(0x1479b80, 0x401ec8, 0, 0x7f2269092758, 0x7f22698b7700)  = 0x1479b80
SSL_CTX_use_PrivateKey_file(0x1479b80, 0x402222, 1, 0x402222, 0x7f22698b7700 <unfinished ...>
strcpy(0x7fff389af670, "password")                                                     = 0x7fff389af670
<... SSL_CTX_use_PrivateKey_file resumed> )                                            = 1
SSL_CTX_load_verify_locations(0x1479b80, 0x4022fa, 0, 0x7f2269092758, 0x7f22698b7700)  = 1
BIO_new_file(0x40222d, 0x40227e, 0x147cf30, 0x7f2269092730, 117)                       = 0x147ad30
PEM_read_bio_DHparams(0x147ad30, 0, 0, 0, 0)                                           = 0x147d480
BIO_free(0x147ad30, 1, 0x7f2269092778, 0, 2)                                           = 1
SSL_CTX_ctrl(0x1479b80, 3, 0, 0x147d480, 0x7f22698b7700)                               = 1
SSL_CTX_set_session_id_context(0x1479b80, 0x6031d4, 4, 0x7f2269092740, 0xcac6d624268385b8) = 1
SSL_CTX_set_cipher_list(0x1479b80, 0x1460010, 0x1460010, 0x7f2269092740, 0xcac6d624268385b8) = 1
socket(2, 1, 0)                                                                        = 3
htons(4433, 1, 0, -1, 0x7f22696b7348)                                                  = 20753
setsockopt(3, 1, 2, 0x7fff389b00e8, 4)                                                 = 0
bind(3, 0x7fff389b00f0, 16, 0x7fff389b00f0, 4)                                         = 0
listen(3, 5, 16, -1, 4)                                                                = 0
accept(3, 0, 0, -1, 4^C <unfinished ...>
abb@e6510:~/dvp/sslcaudit/test/openssl-examples-20020110$ ltrace ./wserver2 -a EXPORT
__libc_start_main(0x401a31, 3, 0x7fff389b0248, 0x402080, 0x402110 <unfinished ...>
getopt(3, 0x7fff389b0248, "cCxna:")                                                    = 97
strdup("EXPORT")                                                                       = 0x01460010
getopt(3, 0x7fff389b0248, "cCxna:")                                                    = -1
SSL_library_init(0x402222, 0x402219, 0x7f2269092258, 0, 0)                             = 1
SSL_load_error_strings(0x7f226944aa40, 0x7f22694a6c50, 0, 16, 0)                       = 0
BIO_new_fp(0x7f2269093180, 0, 0x7f22691fb13d, 408, 3)                                  = 0x1479990
signal(13, 0x00401f63)                                                                 = NULL
SSLv23_method(13, 0x7fff389afe58, 0, -1, 0x7fff389b0040)                               = 0x7f22696b4ea0
SSL_CTX_new(0x7f22696b4ea0, 0x7fff389afe58, 0, -1, 0x7fff389b0040)                     = 0x1479b80
SSL_CTX_use_certificate_chain_file(0x1479b80, 0x402222, 0x402222, 0x7f2269092778, 2)   = 1
SSL_CTX_set_default_passwd_cb(0x1479b80, 0x401ec8, 0, 0x7f2269092758, 0x7f22698b7700)  = 0x1479b80
SSL_CTX_use_PrivateKey_file(0x1479b80, 0x402222, 1, 0x402222, 0x7f22698b7700 <unfinished ...>
strcpy(0x7fff389af670, "password")                                                     = 0x7fff389af670
<... SSL_CTX_use_PrivateKey_file resumed> )                                            = 1
SSL_CTX_load_verify_locations(0x1479b80, 0x4022fa, 0, 0x7f2269092758, 0x7f22698b7700)  = 1
BIO_new_file(0x40222d, 0x40227e, 0x147cf30, 0x7f2269092730, 117)                       = 0x147ad30
PEM_read_bio_DHparams(0x147ad30, 0, 0, 0, 0)                                           = 0x147d480
BIO_free(0x147ad30, 1, 0x7f2269092778, 0, 2)                                           = 1
SSL_CTX_ctrl(0x1479b80, 3, 0, 0x147d480, 0x7f22698b7700)                               = 1
SSL_CTX_set_session_id_context(0x1479b80, 0x6031d4, 4, 0x7f2269092740, 0xcac6d624268385b8) = 1
SSL_CTX_set_cipher_list(0x1479b80, 0x1460010, 0x1460010, 0x7f2269092740, 0xcac6d624268385b8) = 1
socket(2, 1, 0)                                                                        = 3
htons(4433, 1, 0, -1, 0x7f22696b7348)                                                  = 20753
setsockopt(3, 1, 2, 0x7fff389b00e8, 4)                                                 = 0
bind(3, 0x7fff389b00f0, 16, 0x7fff389b00f0, 4)                                         = 0
listen(3, 5, 16, -1, 4)                                                                = 0
accept(3, 0, 0, -1, 4^C <unfinished ...>

Both invoke SSL_CTX_set_cipher_list() with the proper parameter (I've checked that with gdb, not shown here). There must be some other subtle difference.

abbbe Jun 26, 2012

Owner

Looks like we have a good candidate for a proper answer on stackoverflow.

stamparm Jun 26, 2012

Collaborator

omg :)

Will check thoroughly after I finish some other work.

abbbe Jun 26, 2012

Owner

The guy who answered is an author of sslsplit, in some sense a competing tool for sslcaudit.
Before you accept his answer, we need to write enough test scripts. Let's get the most out of this bounty :)

stamparm added a commit that referenced this issue Jun 26, 2012

stamparm added a commit that referenced this issue Jun 28, 2012

stamparm added a commit that referenced this issue Jun 28, 2012

stamparm Jun 28, 2012

Collaborator

Now test/ssl-server-export.py works for DSA case too (EXP-EDH-DSS-DES-CBC-SHA). Only thing is that now we have to discuss how to deal with the need for both RSA and DSA certificates in production (non-test) mode.

abbbe Jun 28, 2012

Owner

Let's try gmail chat

Alexandre Bezroutchko
Gremwell bvba
+32.479.72.65.27

abbbe Jul 2, 2012

Owner

closed

@abbbe abbbe closed this Jul 2, 2012

abbbe Oct 1, 2012

Owner

Hi,

Can you please make a small charge to keep the contract open? I hope I will find time soon enough. Sorry. Regards, Alex

Begin forwarded message:

From: oDesk Notification donotreply@odesk.com
Date: 1 Oct 2012 05:35:48 GMT+02:00
To: "Alexandre Bezrouthcko" alex_bezroutchko@odesk.com
Subject: Idle contract notification

oDesk

Hi Alexandre,

It has been 91 days since Miroslav Stampar has worked on the job "python programming".
For your security, we will close the contract in 3 days.

To end the contract now, visit the contract detail page.

If you want to keep the contract active, even if there is no activity, click here.

Thanks,
oDesk Support

stamparm Oct 1, 2012

Collaborator

Done.

Bye

Miroslav Stampar
http://about.me/stamparm
