GithubHelp home page GithubHelp logo

Comments (14)

drwetter avatar drwetter commented on June 9, 2024

from testssl.sh.

bjmgeek avatar bjmgeek commented on June 9, 2024

It works with the number 389.

from testssl.sh.

bjmgeek avatar bjmgeek commented on June 9, 2024

More precisely, with --ssl-native, it works with the number 389, but then when it gets to the end it still crashes:

 Service set:            STARTTLS via LDAP
 Oops: STARTTLS handshake failed (code: 127)
 Pre-test: 128 cipher limit bug

 Testing protocols via native openssl

 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    Local problem: /home/testssl/bin/openssl.Linux.x86_64 doesn't support "s_client -tls1_3"

 Testing cipher categories 

 NULL ciphers (no encryption)                      not offered (OK)
 Anonymous NULL Ciphers (no authentication)        not offered (OK)
 Export ciphers (w/o ADH+NULL)                     not offered (OK)
 LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      offered (NOT ok)
 Triple DES Ciphers / IDEA                         offered
 Obsoleted CBC ciphers (AES, ARIA etc.)            offered
 Strong encryption (AEAD ciphers) with no FS       offered (OK)
 Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)


 Testing server's cipher preferences 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
 - 
SSLv3 (server order)
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA                      
 x05     RC4-SHA                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_SHA                           
 x04     RC4-MD5                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_MD5                           
TLSv1 (server order)
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 x39     DHE-RSA-AES256-SHA                DH 1024    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   
 x33     DHE-RSA-AES128-SHA                DH 1024    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                       
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA                      
 x05     RC4-SHA                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_SHA                           
 x04     RC4-MD5                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_MD5                           
TLSv1.1 (server order)
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 x39     DHE-RSA-AES256-SHA                DH 1024    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   
 x33     DHE-RSA-AES128-SHA                DH 1024    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                       
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA                      
 x05     RC4-SHA                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_SHA                           
 x04     RC4-MD5                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_MD5                           
TLSv1.2 (server order)
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 x9f     DHE-RSA-AES256-GCM-SHA384         DH 1024    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                
 x9e     DHE-RSA-AES128-GCM-SHA256         DH 1024    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256                
 x39     DHE-RSA-AES256-SHA                DH 1024    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   
 x33     DHE-RSA-AES128-SHA                DH 1024    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384                    
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256                    
 x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256                    
 x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256                    
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                       
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA                      
 x05     RC4-SHA                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_SHA                           
 x04     RC4-MD5                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_MD5                           
TLSv1.3
Local problem: /home/testssl/bin/openssl.Linux.x86_64 does not support -tls1_3

 Has server cipher order?     yes (OK)


 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 


 FS is offered (OK)           DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384
                              ECDHE-RSA-AES256-SHA 
 Elliptic curves offered:     prime256v1 secp384r1 

Fatal error: repeated STARTTLS problems, giving up (127)

from testssl.sh.

bjmgeek avatar bjmgeek commented on June 9, 2024

Without --ssl-native it fails right away

 Oops: STARTTLS handshake failed (code: 127)

Fatal error: repeated STARTTLS problems, giving up (127)

from testssl.sh.

drwetter avatar drwetter commented on June 9, 2024

The necessity of needing a port and not supplying the service name is a UI issue. But that part sounds like a good feature to implement.

The scanning part should work(TM) though. Actually there's a CI run which checks that.

I have the slight suspicion your server is "different" (domain controller?). Could you try to scan db.debian.org:389?

from testssl.sh.

drwetter avatar drwetter commented on June 9, 2024

Fatal error: repeated STARTTLS problems, giving up (127)

That indicates that on the way from your container or host to the target or at the target was at a certain point of time no starttls possible in sockets (see also very beginning of your scan) That could be an implementation problem on our side as I implemented it by just used a reference implementation which also e.g. db.debian.org:389 supplies.

So, when you could answer my previous question we'll get closer.

from testssl.sh.

bjmgeek avatar bjmgeek commented on June 9, 2024

I tried it with db.debian.org:389 and it was successful.

from testssl.sh.

drwetter avatar drwetter commented on June 9, 2024

Thanks. Could you divulge what kind of server that is or send me a mail so that I can get a clue?

grep SWCONTACT testssl.sh

from testssl.sh.

drwetter avatar drwetter commented on June 9, 2024

Could you please return the output of

OPENSSL_CONF='' ./bin//openssl.Linux.x86_64  s_client -debug  -starttls ldap -connect <TARGET>:<PORT> </dev/null | head -10

and maybe

./testssl.sh -q --debug=6 -t  <TARGET>:<PORT>

from testssl.sh.

bjmgeek avatar bjmgeek commented on June 9, 2024

from testssl.sh.

drwetter avatar drwetter commented on June 9, 2024

Thanks, @bjmgeek.

Strange. Looks a bit like there's an offset in the AD reply. As the hexdump of the reply doesn't contain anything sensitive and is exactly the same as ones I found out there:

                  xx
300C02010178070A010004000400 
30840000002802010178840000001F0A0100040004008A16312E332E362E312E342E312E313436362E3230303337

The xx indicate the result code which should be 0. First line is a reply from db.debian.org:389, second is "your's". The last bytes are just echoing the OID '1.3.6.1.4.1.1466.20037` . Seems like for AD the response is 8 bytes shifted.

At the moment I need to understand how to parse this properly. The openssl source code is a bit tough to understand.

from testssl.sh.

drwetter avatar drwetter commented on June 9, 2024

Segmentation fault

odd. But as I have the server type now and there are public servers I have what I was looking for (but doesn't help either)

from testssl.sh.

drwetter avatar drwetter commented on June 9, 2024

@bjmgeek #2297 will fix that. Needs minor cosmetic care before merging

from testssl.sh.

drwetter avatar drwetter commented on June 9, 2024

completed

from testssl.sh.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.