Hydra fails to create an SSL session when server requires Server Name Indication (SNI) #129

Closed
fabacab opened this issue Jun 13, 2016 · 7 comments

Comments

@fabacab

fabacab commented Jun 13, 2016

The relevant line of output is the following:

[VERBOSE] Could not create an SSL session: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

This is the exact error I get when I use openssl s_client -connect myserver:443

openssl s_client -connect myserver:443
CONNECTED(00000003)
140691378247312:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

However, I know that my server requires TLS Server Name Indication for a successful connection, so openssl s_client -connect myserver:443 -servername myserver fixes the issue and allows s_client to connect.

I then performed a Wireshark packet capture and confirmed that Hydra does not use the SNI extension when using the https-post-form service module. This would explain the failure to connect and the OpenSSL error raised. The packet capture file is attached as hydra-issue-129.pcapng.gz, and is annotated. (Use the display filter pkt_comment to see the packets of interest.)

I tested this with Hydra 8.1 and OpenSSL 1.0.1k (on Linux).

It's possible this is also related to #114. Please let me know if you need any more information from me. I'm not confident with my C programming, so I apologize for the lack of a patch.

@vanhauser-thc
Owner

sounds very likely. I will try to produce a patch.

@vanhauser-thc
Owner

I pushed a patch, please test

@fabacab
Author

fabacab commented Jun 14, 2016

Thanks for the quick patch. Unfortunately, after recompiling 4c25bdd and testing again, I get a similar (but somewhat different) error:

[VERBOSE] Could not create an SSL session: error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error

Packet capture is almost identical, except TLS ClientHello packet now contains SNI with server_name of localhost. The error above is similar to the error I get when I use s_client to make a similar request:

openssl s_client -connect myserver:443 -servername localhost
CONNECTED(00000003)
140158064494224:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

I believe this is because your patch hardcodes localhost as the SNI value. This is expected to fail because, again, my server requires the correct SNI value to proceed with an HTTPS connection. Hardcoding a value is by definition not going to work.

Perhaps modifying the patch so that when hydra's target is a domain name, this value is passed to the SNI field would be more successful? That is, with a command line like this:

hydra -l admin -p password www.myserver.com https-post-form "/login.php:user=^USER^&password=^PASSWORD^:incorrect"

then I would expect the TLS SNI field value to be www.myserver.com.

@vanhauser-thc
Owner

damnit. I was hoping I could use the easy way. this will require a larger code change. sigh. but I have the time today and tomorrow ...

@vanhauser-thc
Owner

OK, just checked in a LARGE patch. because to have this functionality I had to change nearly every single .c file in hydra.

please try again.

@fabacab
Author

fabacab commented Jun 15, 2016

Thank you, this patch does fix the connection issue. The TLS SNI field value is correct and Hydra is able to connect. I consider this issue fixed.

I'm having another problem with the HTTP modules but I'll create a new issue for that, since I think it's distinct from this TLS problem.

Again, thank you for the quick patch!

@fabacab fabacab closed this as completed Jun 15, 2016
@SalamiSimon

how do you install the patch, I get the "Could not create an SSL session" error
