X25519 curve produces weird test results #1087

Open
gkroon opened this Issue Jul 15, 2018 · 16 comments

3 participants

gkroon (Author) commented Jul 15, 2018

Please find below the detailed information regarding my problem, what I expected and how to reproduce.

1. testssl version from the banner (testssl.sh -b 2>/dev/null | head -4 | tail -2)
testssl.sh 2.9dev from https://testssl.sh/dev/

2. what exactly was happening, output is needed
When switching from secp384r1 to X25519, no full TLS handshakes seem to be parsed correctly by the script. I cannot test servers with similar configurations as a result.

###########################################################
    testssl.sh       2.9dev from https://testssl.sh/dev/

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2o  27 Mar 2018" [~125 ciphers]
 on nostromo:/usr/bin/openssl
 (built: "reproducible build, date unspecified", platform: "linux-x86_64")


 Start 2018-07-16 00:18:52        -->> xxx.xxx.xxx.xxx:443 (xxx.xxx) <<--

 further IP addresses:   xxxx 
 rDNS (xxx.xxx.xxx.xxx):   xxxx 

 xxx.xxx.xxx.xxx:443 doesn't seem to be a TLS/SSL enabled server
 The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes
 Service detected:       Couldn't determine what's running on port 443, assuming no HTTP service => skipping all HTTP checks


 Testing protocols via sockets except SPDY+HTTP2 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 SPDY/NPN   (SPDY is an HTTP protocol and thus not tested here)
 HTTP2/ALPN (HTTP/2 is a HTTP protocol and thus not tested here)


 Testing ~standard cipher categories 

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES encryption (w/o export)     not offered (OK)
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    not offered (OK)
 Triple DES Ciphers (Medium)                   not offered (OK)
 High encryption (AES+Camellia, no AEAD)       not offered
 Strong encryption (AEAD ciphers)              offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

 PFS is offered (OK)          ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 
 Elliptic curves offered:     X25519 


 Testing server preferences 

 Has server cipher order?     no matching cipher in this list found (pls report this): DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256  . 

 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "extended master secret/#23" "application layer protocol negotiation/#16"
 Session Ticket RFC 5077 hint (no lifetime advertised)
 SSL Session ID support       yes
 Session Resumption           Ticket resumption test failed, pls report / ID resumption test failed, pls report
 TLS clock skew               Random values, no fingerprinting possible 

 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  --   (applicable only for HTTPS)
 Secure Renegotiation (CVE-2009-3555)      handshake didn't succeed
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                test failed (couldn't connect)
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible, TLS 1.2 is the only protocol (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
 BEAST (CVE-2011-3389)                     no SSL3 or TLS1 (OK)
 LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        

Could not determine which protocol was started, only simulating generic clients.

 Running client simulations via sockets 

 Java 6u45                    No connection
 Java 7u25                    No connection
 Java 8u31                    No connection
 OpenSSL 1.0.1l               No connection
 OpenSSL 1.0.2e               No connection

 Done 2018-07-16 00:19:19 [  27s] -->> xxx.xxx.xxx.xxx:xxx (xxx.xxx) <<--

3. what did you expect instead?
I expected a normal report without warnings/errors like:

 xxx.xxx.xxx.xxx:443 doesn't seem to be a TLS/SSL enabled server
 The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes
 Service detected:       Couldn't determine what's running on port 443, assuming no HTTP service => skipping all HTTP checks

[...]

Has server cipher order? no matching cipher in this list found (pls report this): DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256 .

[...]

Session Resumption Ticket resumption test failed, pls report / ID resumption test failed, pls report

[...]

Secure Renegotiation (CVE-2009-3555) handshake didn't succeed

and

CRIME, TLS (CVE-2012-4929) test failed (couldn't connect)

4. steps to reproduce

  1. testssl.sh command line
     testssl.sh foo.bar (target needs to (only) support X25519)
  2. if possible: target IP
     I'd like to avoid this
  3. openssl version used (testssl.sh -b 2>/dev/null | head -16 | tail -3)
     on nostromo:/usr/bin/openssl
     (built: "reproducible build, date unspecified", platform: "linux-x86_64")
  4. your operating system (uname -a)
     Linux nostromo 4.17.5-zen #1 ZEN SMP PREEMPT Tue Jul 10 20:13:39 -00 2018 x86_64 Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz GenuineIntel GNU/Linux

I'm on Gentoo and I've successfully built net-analyzer/testssl with the bundled-openssl USE flag.

drwetter (Owner) commented Jul 16, 2018

Hi @gkroon ,

thx for your report. I am curious, could you DM me (grep SWCONTACT testssl.sh) the server hostname?

While there might be a few constraints left using this curve only: The version of testssl.sh you're using is a bit old. Don't know the repo you're referring to but that should be updated, too.

As a start I'd recommend to use a newer one. Then pls use --assume-http, so that the client simulation will assume HTTP.

Don't know whether this is deliberate: No Safari and no IE browser can connect to your site, probably other less used browsers too.

gkroon (Author) commented Jul 16, 2018

Hi @drwetter ,

Thanks for your reply! I've now updated using the latest testing ebuild (2.9.5-4) from the Gentoo packages (https://packages.gentoo.org/packages/net-analyzer/testssl) and ran another test using --assume-http this time:


###########################################################
    testssl.sh       2.9.5-4 from https://testssl.sh/

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2o  27 Mar 2018" [~125 ciphers]
 on nostromo:/usr/bin/openssl
 (built: "reproducible build, date unspecified", platform: "linux-x86_64")


 Start 2018-07-16 11:29:08        -->> xxx.xxx.xxx.xxx:443 (xxx.xxx) <<--

 further IP addresses:   xxxx 
 rDNS (xxx.xxx.xxx.xxx):   xxxx

 xxx.xxx.xxx.xxx:443 doesn't seem to be a TLS/SSL enabled server
 The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes
 Service detected:       Couldn't determine what's running on port 443 -- ASSUME_HTTP set though


 Testing protocols via sockets except SPDY+HTTP2 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 SPDY/NPN   not offered
 HTTP2/ALPN not offered

 Testing ~standard cipher categories 

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES encryption (w/o export)     not offered (OK)
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    not offered (OK)
 Triple DES Ciphers (Medium)                   not offered (OK)
 High encryption (AES+Camellia, no AEAD)       not offered
 Strong encryption (AEAD ciphers)              offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

 PFS is offered (OK)          ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 
 Elliptic curves offered:     X25519 


 Testing server preferences 

 Has server cipher order?     no matching cipher in this list found (pls report this): DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256  . 

 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11"
                              "extended master secret/#23"
                              "application layer protocol negotiation/#16"
 Session Ticket RFC 5077 hint (no lifetime advertised)
 SSL Session ID support       yes
 Session Resumption           Ticket resumption test failed, pls report / ID resumption test failed, pls report
 TLS clock skew               Random values, no fingerprinting possible 

 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing HTTP header response @ "/" 

 HTTP Status Code           No status code
 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK), no session ticket extension
 Secure Renegotiation (CVE-2009-3555)      handshake didn't succeed
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                test failed (couldn't connect)
 BREACH (CVE-2013-3587)                    failed (HTTP header request stalled) 
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible, TLS 1.2 is the only protocol (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
 BEAST (CVE-2011-3389)                     no SSL3 or TLS1 (OK)
 LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Testing 359 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        


 Running client simulations via sockets 

 Android 2.3.7                No connection
 Android 4.1.1                No connection
 Android 4.3                  No connection
 Android 4.4.2                No connection
 Android 5.0.0                No connection
 Android 6.0                  No connection
 Android 7.0                  TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 Chrome 51 Win 7              TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 Chrome 57 Win 7              TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 Firefox 49 Win 7             No connection
 Firefox 53 Win 7             TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 7 Vista                   No connection
 IE 8 XP                      No connection
 IE 8 Win 7                   No connection
 IE 11 Win 7                  No connection
 IE 11 Win 8.1                No connection
 IE 11 Win Phone 8.1 Update   No connection
 IE 11 Win 10                 No connection
 Edge 13 Win 10               No connection
 Edge 13 Win Phone 10         No connection
 Opera 17 Win 7               No connection
 Safari 5.1.9 OS X 10.6.8     No connection
 Safari 7 iOS 7.1             No connection
 Safari 9 OS X 10.11          No connection
 Safari 10 OS X 10.12         No connection
 Apple ATS 9 iOS 9            No connection
 Tor 17.0.9 Win 7             No connection
 Java 6u45                    No connection
 Java 7u25                    No connection
 Java 8u31                    No connection
 OpenSSL 1.0.1l               No connection
 OpenSSL 1.0.2e               No connection

 Done 2018-07-16 11:29:55 [  47s] -->> xxx.xxx.xxx.xxx:443 (xxx.xxx) <<--


I then also cloned your GitHub repo and ran the script from the 2.9dev branch:

###########################################################
    testssl.sh       3.0beta from https://testssl.sh/dev/
    (c0921c8 2018-07-11 11:03:52 -- )

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
 on nostromo:./bin/openssl.Linux.x86_64
 (built: "Jun 22 19:32:29 2016", platform: "linux-x86_64")


 Start 2018-07-16 11:33:46        -->> xxx.xxx.xxx.xxx:443 (xxx.xxx) <<--

 Further IP addresses:   xxxx 
 rDNS (xxx.xxx.xxx.xxx):   xxxx

 xxx.xxx.xxx.xxx:443 doesn't seem to be a TLS/SSL enabled server
 The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes
 Service detected:       Couldn't determine what's running on port 443 -- ASSUME_HTTP set though


 Testing protocols via sockets except NPN+ALPN 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Testing cipher categories 

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES encryption (w/o export)     not offered (OK)
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    not offered (OK)
 Triple DES Ciphers (Medium)                   not offered (OK)
 High encryption (AES+Camellia, no AEAD)       not offered
 Strong encryption (AEAD ciphers)              offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

 PFS is offered (OK)          ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 
 Elliptic curves offered:     X25519 


 Testing server preferences 

 Has server cipher order?     no matching cipher in this list found (pls report this): DES-CBC3-SHA:RC4-MD5:DES-CBC-SHA:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:ADH-AES256-GCM-SHA384:AECDH-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256  . 

 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11"
                              "extended master secret/#23"
                              "application layer protocol negotiation/#16"
 Session Ticket RFC 5077 hint (no lifetime advertised)
 SSL Session ID support       yes
 Session Resumption           Ticket resumption test failed, pls report / ID resumption test failed, pls report
 TLS clock skew               Random values, no fingerprinting possible 

 Testing HTTP header response @ "/" 

 HTTP header reply empty
 HTTP header reply empty
 HTTP header reply empty

Fatal error: repeatedly HTTP header was zero, doesn't make sense to continue


Sadly none of them seem to scan my web server properly yet, but yes, my configuration is deliberate as this is my personal web server I experiment with. And sure, I would like to DM you the hostname, but can you confirm 332E315A3ADDAAEE6A113957C9AEECE1D0A74569 is the fingerprint of your GPG key?

Note: I've deleted my previous comment as this showed my hostname so you should already have it in your email. 🤦‍♂️

drwetter (Owner) commented Jul 16, 2018

dcooper16 (Contributor) commented Jul 16, 2018

Hi @gkroon,

testssl.sh relies on OpenSSL for some tests that it performs, but not for others. For the tests that rely on OpenSSL, testssl.sh won't be able to produce good results unless the version of OpenSSL being used supports at least one cipher suite that is also supported by the server.

In this case, the server only supports two cipher suites, both of which involve an ephemeral ECDH key, and, since the server only supports X25519, they require the client to support X25519. Support for X25519 was added to OpenSSL in version 1.1.0, and the version that you are using with testssl.sh is 1.0.2.

If you want to use testssl.sh to scan a server that only supports cipher suites that require support for X25519 then try using OpenSSL 1.1.0 or the test version of 1.1.1, both of which are available from https://www.openssl.org/source.

We have been working to make testssl.sh more and more independent of OpenSSL, but there are still some places where it is needed.

gkroon (Author) commented Jul 16, 2018

Thank you both for explaining! What you said is correct, in so far that I'm aware of my configuration. But I didn't know that this is due to an older OpenSSL version. Which also explains that other scanners are showing similar issues, assuming they also use an older OpenSSL. SSL Labs also can't handle my configuration, and neither can Internet.nl.

It seems I'll have to wait for Gentoo to update their OpenSSL ebuilds to 1.1.x in the future.

drwetter (Owner) commented Jul 16, 2018

dcooper16 (Contributor) commented Jul 16, 2018

It seems I'll have to wait for Gentoo to update their OpenSSL ebuilds to 1.1.x in the future.

You don't have to wait. You can just download OpenSSL 1.1.0h or 1.1.1-pre8 from https://www.openssl.org/source, compile it, and then use that version with testssl.sh. You can use the --openssl option to specify which OpenSSL binary to use.
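An added example, not code from testssl.sh or from anyone in this thread, that turns dcooper16's two points (the OpenSSL binary used for the s_client based tests must share at least one cipher suite with the server, and only OpenSSL 1.1.0 and later can do X25519) into pre-flight checks you can run before passing a binary to --openssl. It assumes that `openssl genpkey -algorithm X25519` succeeds on OpenSSL 1.1.0+ and is rejected by 1.0.2; the function names, the /tmp/openssl path in the usage note and the sample cipher lists are this example's own, the two server suites are the ones shown in the scan output above.

```shell
#!/usr/bin/env bash
# Added example, not part of testssl.sh. Pre-flight checks for scanning a
# server that offers X25519 only, as in #1087.

# x25519_capable BINARY
#   Functional probe instead of version-string parsing: OpenSSL >= 1.1.0 can
#   generate an X25519 key with `genpkey -algorithm X25519`, 1.0.2 rejects the
#   algorithm (assumption this example relies on).
#   Returns 0 if X25519 works, 1 if the binary runs but lacks X25519,
#   2 if the binary cannot be found or executed.
x25519_capable() {
    local bin="$1"
    [ -x "$bin" ] || bin=$(command -v "$bin" 2>/dev/null) || return 2
    if "$bin" genpkey -algorithm X25519 >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# pick_openssl CANDIDATE...
#   Prints the first candidate that supports X25519; returns 1 if none does.
#   The printed path is what you hand to `testssl.sh --openssl`.
pick_openssl() {
    local c
    for c in "$@"; do
        if x25519_capable "$c"; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# common_ciphers SERVER_LIST CLIENT_LIST
#   Both arguments are colon-separated OpenSSL cipher names: what the server
#   accepts (e.g. from the sockets-based cipher scan) and what the local
#   `openssl ciphers` reports. Prints the intersection in server order and
#   returns 1 if it is empty, in which case every openssl s_client based
#   test (resumption, renegotiation, CRIME, headers) is bound to fail.
common_ciphers() {
    local server="$1" client="$2" s out=""
    local IFS=':'
    for s in $server; do
        case ":$client:" in
            *":$s:"*) out="${out:+$out:}$s" ;;
        esac
    done
    printf '%s\n' "$out"
    [ -n "$out" ]
}

# Stand-alone use: report on each OpenSSL binary named on the command line.
if [ "$#" -gt 0 ]; then
    # The server from this issue: two ECDHE suites, X25519 as the only curve.
    SERVER_SUITES="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"
    for c in "$@"; do
        x25519_capable "$c" && rc=0 || rc=$?
        if [ "$rc" -eq 0 ]; then
            shared=$(common_ciphers "$SERVER_SUITES" "$("$c" ciphers 'ALL' 2>/dev/null)") || shared="(none)"
            echo "$c: X25519 supported, suites shared with the server: $shared"
        elif [ "$rc" -eq 1 ]; then
            echo "$c: no X25519, openssl-based tests against this server will fail"
        else
            echo "$c: not found or not executable"
        fi
    done
fi
```

Run it as `./x25519_probe.sh /tmp/openssl/apps/openssl /usr/bin/openssl` and pass the first binary reported as capable to `testssl.sh --openssl`. The version string is deliberately not parsed: the `1.0.2-chacha (1.0.2i-dev)` build bundled with testssl.sh and the LibreSSL and vendor forks out there are why a functional probe is more reliable than matching on `1.1`.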

gkroon (Author) commented Jul 16, 2018

@drwetter That kind of depends, Arch is in some cases more bleeding edge than Gentoo, in my experience. Judging from the current state of dev-libs/openssl, OpenSSL 1.0.2o-r3 is the latest stable ebuild available. It seems that Arch is already on 1.1.0h-1.

I'm willing to compile the available 1.1.0h-r2 testing ebuild, perform a rebuild of all affected packages, and see if that helps. I'll let you guys know. 🙂

gkroon (Author) commented Jul 16, 2018

I deemed it too risky to use a testing ebuild, and then recompile all affected packages with the testing ebuild when I can, indeed, just compile a binary myself. I chose to create a simple script (mostly for my own reference) to automatically fetch the source code tarball and compile it.

The only (expected) warning I'm left with is:
Chain of trust Ok (Your /tmp/openssl/apps/openssl <= 1.0.2 might be too unreliable to determine trust)
So this indeed solved my problem and I can continue to scan my web server. Thanks again, guys!

@gkroon gkroon closed this Jul 16, 2018

drwetter (Owner) commented Jul 16, 2018

@gkroon no prob. I'd like to leave this open as there were a couple of minor issues you ran into, at least as long as there are no separate issues.

Thanks for your script. I uploaded my compile script for openssl 1.1.1 to ~/utils, it is derived from the script for Peter Mosmans' openssl tree.

@drwetter drwetter reopened this Jul 16, 2018

@drwetter drwetter added this to the 3.0 milestone Jul 16, 2018

gkroon (Author) commented Jul 17, 2018

@drwetter That's great, can we also expect a new bin/openssl.Linux.x86_64 binary of 1.1.x in the next few releases as well then? Of course, I don't mind using my own binaries in the meantime.

drwetter (Owner) commented Jul 17, 2018

That is the way to go. Providing the binaries is not the problem. There are some known obstacles which need to be addressed and there might be problems on the other side as yours like deprecated curves.

drwetter (Owner) commented Jan 25, 2019

What needs to be fixed for 3.0:

  • header failure (see below)
  • Ticket resumption test failed, pls report / ID resumption test failed, pls report --> to be skipped if only curve is X25519 and no DHE (and openssl doesn't support this curve)
  • Secure Renegotiation: handshake didn't succeed --> to be skipped if only curve is X25519 and no DHE (and openssl doesn't support this curve)
  • CRIME: see above

 HTTP header reply empty
 Oops: HTTP header zero
 HTTP header reply empty
 Oops: HTTP header zero
 HTTP header reply empty

Fatal error: repeatedly HTTP header was zero, doesn't make sense to continue

@drwetter drwetter added the minor bug label Jan 25, 2019

drwetter (Owner) commented Jan 25, 2019

Also the server defaults section stops before Signature Algorithm, without any comment

drwetter added a commit that referenced this issue Jan 26, 2019

Introducing HAS_X448 and HAS_X25519
... to enable checks whether a curve has been detected by sockets
won't be detected and/or makes problems with remaining openssl
s_client + other calls

Related to #1087

drwetter added a commit that referenced this issue Feb 11, 2019

Workarounds for missing curves in OpenSSL
In case where the OpenSSL version used cannot successfully do openssl s_client
connects there are a few problems, see #1087.

This PR partly addresses them by
* changing the logic of HTTP header failure: we don't terminate anymore but
  continue with a warning message
* we try to find out what the reason was: If it is a missing curve we signal
  it back to the user
* we keep track in a global variable KNOWN_OSSL_PROB. It's not being used yet
  on all connects as it has not been decided whether we do a connect despite
  we know if there's a problem or rather not.
* Give hints to the user for resumption tests, secure renegotiation, CRIME and BREACH.
  For the latter --assume-http needs to be supplied for any output.

Also: for finding the OPTIMAL_PROTO now (unless --ssl-native is being used)
sockets are the default which removes in cases where an openssl s_client
connect fails, the initial message 'doesn't seem to be a TLS/SSL enabled server'
and prompt 'Really proceed ? ("yes" to continue)'. For STARTTLS this needs
to be done as well.

Leftover for this workaround is to find out why the number of certificate retrieved is
zero in those cases, despite the fact that there's a valid 'host_certificate.pem' from
tls_socket() calls.  Thus still run_server_defaults() stops after 'TLS clock skew'
as certificate_info() is not being called in run_server_defaults(). For now in
those cases 'Problem: Host certificate found but we can't continue with "server defaults"'
is being printed.

In general for the future it would be great if we could e.g. retrieve the header over
TLS sockets.

drwetter (Owner) commented Feb 11, 2019

Open:

  • address the erroneously missing certificate so that run_server_defaults() will continue to run
  • use sockets per default also for STARTTLS in determine_optimal_proto()

drwetter added a commit that referenced this issue Feb 11, 2019

Workarounds for missing curves in OpenSSL
In case where the OpenSSL version used cannot successfully do openssl s_client
connects there are a few problems, see #1087.

This PR partly addresses them by
* changing the logic of HTTP header failure: we don't terminate anymore but
  continue with a warning message
* we try to find out what the reason was: If it is a missing curve we signal
  it back to the user
* we keep track in a global variable KNOWN_OSSL_PROB. It's not being used yet
  on all connects as it has not been decided whether we do a connect despite
  we know if there's a problem or rather not.
* Give hints to the user for resumption tests, secure renegotiation, CRIME and BREACH.
  For the latter --assume-http needs to be supplied for any output.

Also: for finding the OPTIMAL_PROTO now (unless --ssl-native is being used)
sockets are the default which removes in cases where an openssl s_client
connect fails, the initial message 'doesn't seem to be a TLS/SSL enabled server'
and prompt 'Really proceed ? ("yes" to continue)'. For STARTTLS this needs
to be done as well.

Here a minor bug was fixed: when openssl s_client connect in determine_optimal_proto()
succeeded without a protocol supplied, OPTIMAL_PROTO wasn't set. A statement was
added but now it is only being used when --ssl-native was supplied.

Leftover for this workaround is to find out why the number of certificate retrieved is
zero in those cases, despite the fact that there's a valid 'host_certificate.pem' from
tls_socket() calls.  Thus still run_server_defaults() stops after 'TLS clock skew'
as certificate_info() is not being called in run_server_defaults(). For now in
those cases 'Problem: Host certificate found but we can't continue with "server defaults"'
is being printed.

In general for the future it would be great if we could e.g. retrieve the header over
TLS sockets.

drwetter (Owner) commented Feb 15, 2019

The missing certificate was addressed by @dcooper16 in 8488b84.
