Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TLS 1.3 only host issues #1312

Open
gkroon opened this issue Sep 7, 2019 · 7 comments

Comments

@gkroon
Copy link

commented Sep 7, 2019

Please make sure that you provide enough information so that we understand what your issue is about.

  1. uname -a
$ uname -a
Linux pentoo 5.2.11-pentoo #1 SMP Thu Sep 5 10:59:13 CEST 2019 x86_64 Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz GenuineIntel GNU/Linux
  1. testssl version from the banner: testssl.sh -b 2>/dev/null | head -4 | tail -2
$ testssl.sh -b 2>/dev/null | head -4 | tail -2
    testssl.sh       3.0rc5 from https://testssl.sh/dev/


  1. git log | head -1 (if running from git repo)

N/A

  1. openssl version used by testssl.sh: testssl.sh -b 2>/dev/null | awk -F':' '/openssl/ { print $2}'
$ testssl.sh -b 2>/dev/null | awk -F':' '/openssl/ { print $2}'
/usr/bin/openssl-bad 
  1. steps to reproduce: testssl.sh or docker command line, if possible incl. host

Scan a TLS 1.3 (final) only host. Im this case:

nginx-full-1.14.2-2+deb10u1
openssl-1.1.1c-1

  1. what exactly was happening, output is needed
$ testssl.sh foo.bar

###########################################################
    testssl.sh       3.0rc5 from https://testssl.sh/dev/

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~197 ciphers]
 on pentoo:/usr/bin/openssl-bad
 (built: "May  2 21:19:52 2019", platform: "linux-x86_64")


 Start 2019-09-07 21:42:26        -->> 123.123.123.123:443 (foo.bar) <<--

 Further IP addresses:   123:123:123:123::123 
 rDNS (123.123.123.123):  foo.bar.
 Service detected:       Couldn't determine what's running on port 443, assuming no HTTP service => skipping all HTTP checks


 Testing protocols via sockets except NPN+ALPN 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    not offered
 TLS 1.3    offered (OK): final
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Testing cipher categories 

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
 Triple DES Ciphers / IDEA                     not offered (OK)
 Average: SEED + 128+256 Bit CBC ciphers       not offered
 Strong encryption (AEAD ciphers)              offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

 PFS is offered (OK)          TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
                              TLS_AES_128_GCM_SHA256 
 Elliptic curves offered:     secp384r1 X25519 


 Testing server preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Cipher order
    TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 

 Oops: openssl s_client connect problem

 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "supported versions/#43" "key share/#51"
                              "supported_groups/#10" "status request/#5"
 Session Ticket RFC 5077 hint no -- no lifetime advertised
 SSL Session ID support       yes
 Session Resumption           Tickets no, ID resumption test failed
 TLS clock skew               Random values, no fingerprinting possible 
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 4096 bits
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial / Fingerprints        04E5B544A566B6EF08FB2DD9D43CC37F4F61 / SHA1 00741D550E9F9D4AF343DD9FADD0CF7F74B1E75B
                              SHA256 755FB494A5120A10A65C79736FF466DFB1417409DEC924C2AF31423A2585E48E
 Common Name (CN)             foo.bar
 subjectAltName (SAN)         foo.bar www.foo.bar
 Issuer                       Let's Encrypt Authority X3 (Let's Encrypt from US)
 Trust (hostname)             Ok via SAN and CN (same w/o SNI)
 Chain of trust               Ok   
 EV cert (experimental)       no 
 "eTLS" (visibility info)     not present
 Certificate Validity (UTC)   73 >= 30 days (2019-08-12 10:00 --> 2019-11-10 09:00)
 # of certificates provided   2
 Certificate Revocation List  --
 OCSP URI                     http://ocsp.int-x3.letsencrypt.org
 OCSP stapling                offered, not revoked
 OCSP must staple extension   --
 DNS CAA RR (experimental)    available - please check for match with "Issuer" above: issue=letsencrypt.org
 Certificate Transparency     yes (certificate extension)


 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  --   (applicable only for HTTPS)
 ROBOT                                     Server does not support any cipher suites that use RSA key transport
 Secure Renegotiation (CVE-2009-3555)      
Fatal error: repeated openssl s_client connect problem, doesn't make sense to continue
Consider increasing MAX_OSSL_FAIL (currently: 2)


  1. what did you expect instead?

I expected testssl.sh to not have the above problems, such as detecting the server is running an HTTP server, and not have the ambiguous "openssl s_client connect problem" errors

@drwetter

This comment has been minimized.

Copy link
Owner

commented Sep 8, 2019

@drwetter drwetter added this to the 3.0 milestone Sep 10, 2019
drwetter added a commit that referenced this issue Sep 12, 2019
In cases where TLS 1.3 is the only protocol supported on the
server side (as in #1312, testssl.sh has some limits with the
supplied binary).

For now there's no perfect technical solution. This PR however
improves the verbosity what's going on and recommends to use
a openssl binary supporting TLS 1.3. And if the "secret" variable
OSSL_SHORTCUT is set to true, it automatically choses that if
available (it's a hack to do so and not recommended. I just
did it as a PoC).

In the next development we should consider probing this upfront!

Furthermore this PR removes some unneccessary quotes in
double square brackets.
drwetter added a commit that referenced this issue Sep 12, 2019
In cases where TLS 1.3 is the only protocol supported by the server (as e.g.
in #1312), testssl.sh has some limits with the supplied binary.

For now (3.0) there's no perfect technical solution. This PR however improves
the verbosity what's going on and recommends to use an openssl binary
supporting TLS 1.3. And if the "secret" variable OSSL_SHORTCUT is set to true,
it automatically chooses that if available (it's a hack to do so and not
recommended. I just did it as a PoC).

In the next development we should consider probing this upfront!

Furthermore this PR removes some unnecessary quotes in double square brackets.
@drwetter drwetter modified the milestones: 3.0, 3.1dev Sep 12, 2019
@drwetter

This comment has been minimized.

Copy link
Owner

commented Sep 12, 2019

Hi @gkroon ,

the output should be better now. As said in cases where the system has a better matching OpenSSL to the server side like yours you're better off running it with e.g. --openssl /usr/bin/openssl. A hackish shortcut with the PR merged is using OSSL_SHORTCUT=true ./testssl.sh <CMDLINE>. That tries to use after all protocols tested to use /usr/bin/openssl.

For 3.0 this is what I can do. More to follow in 3.1.

Thx, Dirk

@gkroon

This comment has been minimized.

Copy link
Author

commented Sep 14, 2019

Thanks, @drwetter! Sadly my system's openssl is still using the 1.0.2 branch, without TLS 1.3. But perhaps other people are reading this and are using the 1.1.0 branch that do have the option to use TLS 1.3.

@drwetter

This comment has been minimized.

Copy link
Owner

commented Sep 18, 2019

Looking at the system name and kernel revision it pretty much looks like your system has openssl 1.1.1 in /usr/bin/openssl, so

OSSL_SHORTCUT=true ./testssl.sh <CMDLINE> or (better) testssl.sh --openssl /usr/bin/openssl. <CMDLINE>

should work for you.

If not you'll see at least clearer messages what the problem is. Then: bear with us for next version

@bknowles

This comment has been minimized.

Copy link

commented Sep 19, 2019

The version of OpenSSL that is pre-built and distributed with testssl.sh should be capable of handling TLS 1.3, I believe.

So, I would think that would be the version you would want to use by default in your testing, instead of the system provided version of OpenSSL.

@drwetter

This comment has been minimized.

Copy link
Owner

commented Sep 20, 2019

@drwetter

This comment has been minimized.

Copy link
Owner

commented Sep 20, 2019

@drwetter drwetter changed the title Bug report: TLS 1.3 only host issues TLS 1.3 only host issues Sep 21, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.