-
Notifications
You must be signed in to change notification settings - Fork 13.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: dh key too small #6783
Comments
It looks like it's not specific to GlassFish. Here's me testing https://metasploit.com w/ curl:
And then the same using auxiliary/scanner/http/ssl:
|
@wchen-r7 https://bugzilla.redhat.com/show_bug.cgi?id=1232110 and https://bugzilla.redhat.com/show_bug.cgi?id=1255417 looks like your openssl version is too new :) It looks like they dropped support for small DH keys which does not really help on pentesting machines :( |
ahhhh, so annoying. Thanks @firefart |
Sort of feels like we need to create an alternate ruby SSL wrapper to deal with old stuff. We can't really rely on the system ruby for any particular feature, especially old and insecure ones. |
@busterb right but reimplementing the SSL stack is kinda over the top :) I think the small DH keys can only be enabled on openssl compile time. The same problem exists with browsers refusing connections to old, insecure SSL protocols. Is it possible to ship a custom compiled openssl version with metasploit? where all the old stuff like SSLv2, export ciphers and small diffie helman keys are enabled? |
That's more like what I meant; an alternate linked implementation. We do ship a local version with the Omnibus installers, but Kali currently ships whatever happens to come with Debian upstream. We need a solution more like sslscan, which statically links a 'kitchen sink' openssl build: https://github.com/rbsec/sslscan#openssl-issues |
@busterb so would it be possible to ship openssl as a rubygem / precompiled in a special folder, manipulate the PATH variable on start of msf* to include the path in the first position and trick ruby into using our own openssl version? |
Do you guys want me to reopen this ticket? It feels many people can run into this problem. |
Yeah, we should address it somehow, since only more people will begin seeing it. |
Bump. |
perhaps this broken-out version of the ruby openssl extension could be repurposed for use internally by metasploit: https://github.com/rubysl/rubysl-openssl |
Anyone find a way to resolve this error? Got the same error while attempting a different metasploit exploit recently. |
One possible bypass is to set the Net::HTTP ciphers option, excluding Diffie Hellman ciphers as described here ( https://zackhobson.com/2014/02/10/ssl_and_ruby_part_2/ ). I used http.ciphers = ['AES128-SHA']. |
Not a fix, but you could proxy your traffic through something like Burp which wouldn't have the issue. |
hi did anyone solve this please?? [-] Auxiliary failed: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: certificate verify failed |
Issue still exists on recent Kali. A coworker hit it with ibm_websphere_java_deserialize. |
Hit this issue on scanner/http/http_login Edit: For anyone looking for a workaround, proxy the traffic through Burp, which will ignore the certificates, e.g. |
have anybody was solve this problem |
Bump!
|
Same here with an old server that only supports RC4 and DES which aren't supported anymore since OpenSSL 1.1.0... |
I'm getting... I'm working around it using Burp with... |
workaround
|
Hi! This issue has been left open with no activity for a while now. We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. |
As far as I know, this issue still exists and the report should probably be left open. |
set SSL false before running the exploit |
But what if target uses SSL? Will it still works if I will disable SSL option? |
No, I'm pretty sure Z3d6d is misunderstanding what the issue is here. |
This is still an issue. I'm getting this error with the f5_icontrol_rce module. I've tried changing the settings in the /etc/ssl/openssl.cnf to no avail. Looks like metasploit has it's own version at /usr/share/metasploit-framework/config/openssl.conf however this doesn't appear to be configured correctly. Nessus ships with it's own version of openssl binary. I think metasploit should do the same. |
@bmilliron67 When this issue was created, Metasploit didn't have its own openssl conf file - it's only been added recently for openssl 3 support. If there's additional changes to make to the config file now - pull requests are more than welcome 👍
If you install Metasploit via the Rapid7 nightly installer, it should come bundled with openssl 1.1.1 - https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html |
As far as I can tell, this is still an issue It's not an issue with openssl.cnf nor does bundling openssl 1.1.1 address it. The DH key size check has been in place since before 1.1.0 (I'm not sure which exact version added it, but probably somewhere in 1.0.x) If I remember correctly, it's hard-coded into the openssl SSL/TLS code and can not be turned off- except (maybe) by using a low level custom callback As another on this thread mentioned, one approach to a workaround would be instructing metasploit to not choose a DH-enabled cipher-suite (as long as some are available on the server) ... however, I can't get this to work. metasploit seems to ignore it without throwing any error as to why (which should perhaps be a new GH issue) After confirming a specific remote host has a non-DH kex cipher-suite using
In
I still end up with:
I also tried using the IANA/RFC name for the cipher ( I ran into this years ago with an old Python interpreter build I had to maintain- the only way I was able to address it was by hand-patching the check in the openssl source Should the issue I'm having with EDIT: Oops, forgot to mention the version- from nightly-installers as of 2/16/2023, msfconsole -v reporting |
@mzpqnxow Thanks for taking a closer look; Do you have exact replication steps I could follow? |
I can give you commands or a script but I'm away at the moment (on mobile) but some notes for reference if you want to take a stab at it (or to remind me later) All you should need is a 512 bit dhparams file and a TLS listener to reproduce the DH size issue ("openssl dhparams help" for the first, "openssl s_server help" for the second) Coincidental timing on this post which is somewhat related Anyway, to reproduce the issue of DH params too small, generate weak DH params file, generate any self-signed RSA key, run a listener that offers at least one DH Kex cipher-suite and one non-DH kex (you can explicitly specify these using -cipher but the default set should have this) and connect to it with (I assume) any msf exploit/tool (or at least the one from my example) and specify to msf the non-DH cipher-suite and you should still get the DH size error To reproduce the issue of small RSA keys, generate a certificate with a 512bit RSA keypair. Then generate a proper ECDSA certificate and keypair. Then specify both to s_server and do roughly the same as in the previous example- first specify a cipher-suite in msf that is RSA-based to get the error. Then specify an available EC-based cipher-suite to see that it doesn't actually choose it like it should, and will still throw an RSA key length error openssl cli is one of the least user-friendly tools I'm aware of if you don't use it often so I can attach commands or a script when I'm back at my desk to save you any hassle If you have any issues with the cli refusing to generate weak keys, you can use the patched openssl binary from the testssl.sh project on github (in bin/) Incidentally, I recommend using that patched openssl (which they maintain) for the openssl embedded in metasploit. It's forward and backward compatible; it can do TLS1.3 + ESNI for example, while also maintaining compatibility with SSLv2 (!) and small DH params and RSA keys. It will save you a lot of hassle as they do a great job at maintaining it. It's the best long term solution for your project IMO EDIT: I may be conflating the RSA key length issue with the DH issue- one may not require any patch, but I'm certain one does. Regardless, the solution is going to require a (deliberately insecure) portable openssl build, and we can work out which is true with testing |
OK, as much as I would rather not pick a random host from Shodan with a wacky configuration, I'm not sure I have the patience (or really, the time, at the moment) to create a self-contained reproduction. So please bear with me as the innocent host 112.95.225.18 experiences an unsolicited TLS connection (joking of course, I don't think this crosses any ethical boundaries)
OK, it doesn't like the DH key. Let's see what protocols and cipher-suites that endpoint is offering, using testssl.sh
Plenty of cipher-suites to choose, though limited to only TLSv1.0 and SSLv3 If the issue is with the DH key size, let's choose a cipher-suite that has a non-DH kex (how about
Strange, it still seems to have use a DH kex... we can try to also specify the protocol:
No dice. Trying TLS1.0:
For good measure, making sure that msf doesn't want the IANA name for the cipher-suite instead (
Nope So the issue here is (at least, I think) that msf isn't honoring the Control - openssl.Linux.x86_64 binary from testssl.shThis works OK, it establishes the session and hangs until I either send an HTTP request or control-c
Control - using the openssl binary embedded into metasploitThe
When the cipher isn't explicitly set to a non-DH kex, it fails with the dh key too small message, which (I think) is suggestive of the original issue (that the embedded OpenSSL does not support short DH keys and may be needing a patch). Here's the output when the embedded openssl is permitted to choose a DH-kex cipher-suite:
Sorry, I know this is a lot of info, and it's not an ideal "environment" for you to reproduce against. If I have time to rig up the |
I want to add what may be a very important detail here, about this specific endpoint- the certificate is a bit unusual in that it has:
This may be an edge-case within the edge-case for the small DH key issue, I'm not sure having not looked at the code in long time |
I run into the following error while attempting to run glassfish_login or glassfish_deployer against a Glassfish 3.1.2.2 (Win Server 2003) test box:
Note that this used to work (#3716), so the bug came in after that.
The text was updated successfully, but these errors were encountered: