Default to SSLv23 (autonegotiate), fixes #5870 #5908

hdm · 2015-08-31T20:40:46Z

This changes the default SSL/TLS version to "SSLv23", which in OpenSSL parlance means "autonegotiate". This is necessary to fix #5870. A small amount of cleanup is included in this patch as well, notably:

Only try a single SSL/TLS version. This is functionally the same as before, since the previous version arrays only included one item. Retrying different SSL/TLS versions on the same socket is unlikely to work in many cases.
Remove commented out dead code related to sync_close

bcook-r7 · 2015-09-01T23:21:09Z

LGTM:

openssl s_server -tls1_2
WARNING: can't open config file: /usr/local/etc/ssl/openssl.cnf
Using auto DH parameters
Using default temp ECDH parameters
ACCEPT
bad gethostbyaddr
-----BEGIN SSL SESSION PARAMETERS-----
MFUCAQECAgMDBALAMAQABDBy7eehsE6G4P0ifBid1eaP6i0iQmffryWQAd7npyxE
xuY49OV1R99QGc+eDKIW0WahBgIEVeYy0aIEAgIcIKQGBAQBAAAA
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
GET /aspnet_client HTTP/1.1
Host: 192.168.56.1:4433
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

bcook-r7 · 2015-09-01T23:25:51Z

Thanks for the update @hmoore-r7

Default to SSLv23 (autonegotiate), fixes rapid7#5870

92d74ff

hdm added bug library labels Aug 31, 2015

bcook-r7 self-assigned this Aug 31, 2015

bcook-r7 merged commit 92d74ff into rapid7:master Sep 1, 2015

bcook-r7 pushed a commit that referenced this pull request Sep 1, 2015

Land #5908, default to SSL autoneg, add explicit TLS 1.1/1.2 support

27cd059

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Default to SSLv23 (autonegotiate), fixes #5870 #5908

Default to SSLv23 (autonegotiate), fixes #5870 #5908

hdm commented Aug 31, 2015

bcook-r7 commented Sep 1, 2015

bcook-r7 commented Sep 1, 2015

Default to SSLv23 (autonegotiate), fixes #5870 #5908

Default to SSLv23 (autonegotiate), fixes #5870 #5908

Conversation

hdm commented Aug 31, 2015

bcook-r7 commented Sep 1, 2015

bcook-r7 commented Sep 1, 2015