
testsslserver's People

Contributors

diagprov, mblaho13, pornin


testsslserver's Issues

Minimum EC size (with extension) not correct when server using certificate signed with EC

Hi Thomas,

Thank you for developing this great tool, it's really helpful to check the security of an SSL server.
But I found an odd thing recently: the info returned in ServerHello might not be correct when the server side is using a certificate signed with EC.
At first, I wanted to use this tool to check the security of my Tomcat, which was using a certificate signed with RSA:2048, but I got WARN[SK004].
To get rid of that warning, I switched to a certificate signed with EC:secp256r1, but I still got that warning.
That made me start to look into the code to identify whether the issue is on the server side or in the tool.
Finally I found that if we send a ClientHello with the extension including all curves from 1 to 30, the server will tell us it supports 1 ~ 23. But if we send a ClientHello with the extension including one curve each time, from 1 to 30, the server will tell us it only supports 23, which is the curve used to sign the certificate. And then I tried a little further: if we send a ClientHello with the extension including any other curves whose IDs are less than 23 together with 23, the server will always tell us it supports all of them.
I am not sure if this is a defect of the tool or a defect of the server I am using.
Can you please take a look?

FYI. The info of my server, certificate, and cipher suites:
Web Server: Tomcat 8.0.33
TLSv1.2:
server selection: uses client preferences
3f- (key: EC) ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
3f- (key: EC) ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
3f- (key: EC) ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
key type: EC
key size: 256
key curve: ansix9p256r1 (P-256)
sign hash: SHA-256
Minimum EC size (no extension): 256
Minimum EC size (with extension): 162
Supported curves (size and name) ('*' = selected by server):
  162 sect163k1 (K-163)
* 256 secp256r1 (P-256)

Thanks,
Alan
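
The ClientHello extension this report varies, shown as an added example (not TestSSLServer's code and not part of the original issue): it encodes the supported-curves list for both probing strategies described above and reads the curve a server names in an ECDHE ServerKeyExchange. Function names are hypothetical, the curve ids 1 (sect163k1) and 23 (secp256r1) are the IANA values, and the sample message is constructed.

```python
import struct

EXT_SUPPORTED_GROUPS = 0x000A   # called "elliptic_curves" in RFC 4492

def supported_groups_ext(curve_ids):
    """Encode the extension: type, extension length, list length, 2-byte ids."""
    body = b"".join(struct.pack(">H", c) for c in curve_ids)
    named_list = struct.pack(">H", len(body)) + body
    return struct.pack(">HH", EXT_SUPPORTED_GROUPS, len(named_list)) + named_list

def parse_supported_groups(ext):
    """Decode the extension and reject inconsistent length fields."""
    if len(ext) < 6:
        raise ValueError("truncated extension")
    ext_type, ext_len, list_len = struct.unpack(">HHH", ext[:6])
    if ext_type != EXT_SUPPORTED_GROUPS:
        raise ValueError("not a supported-curves extension")
    if ext_len != len(ext) - 4 or list_len != ext_len - 2 or list_len % 2:
        raise ValueError("inconsistent lengths")
    return [struct.unpack(">H", ext[i:i + 2])[0] for i in range(6, 6 + list_len, 2)]

def probe_plans(first=1, last=30):
    """One hello offering every id at once, and one hello per id."""
    ids = list(range(first, last + 1))
    return supported_groups_ext(ids), [supported_groups_ext([c]) for c in ids]

def ske_named_curve(ske_body):
    """Return the curve id a server chose, from an ECDHE ServerKeyExchange body."""
    if len(ske_body) < 4 or ske_body[0] != 3:        # 3 = named_curve
        raise ValueError("not a named-curve ECDHE ServerKeyExchange")
    curve_id = struct.unpack(">H", ske_body[1:3])[0]
    if len(ske_body) < 4 + ske_body[3]:              # byte 3 = EC point length
        raise ValueError("truncated EC point")
    return curve_id

# Constructed sample: named_curve, id 23, 65-byte uncompressed point (zero filler).
SAMPLE_SKE = bytes([3, 0, 23, 65, 4]) + bytes(64)

if __name__ == "__main__":
    all_in_one, singles = probe_plans()
    print(all_in_one.hex(), len(singles), ske_named_curve(SAMPLE_SKE))
```
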

TLSv1.3 Not Supported

TestSSLServer does not currently report support for the draft spec for TLS1.3.

Creating this issue as a feature request for when the draft is finalized.

Could not resolve host 'hostname.domain.local'

Installed on Ubuntu 16.04 LTS. Just trying to run check against an internal web server.
Compiled without errors.
When I run the command ...

./TestSSLServer.exe hostname.domain.local 443, I get a lengthy error message that basically boils down to.. "Could not resolve host..."

I verified my DNS settings.
I can ping the host from the shell, so I'm not sure what else I need to do to help it resolve.

I replaced my actual server name below with 'hostname' and the domain name with 'domain'. The rest is exactly as it returned.


System.Net.Sockets.SocketException: Could not resolve host 'hostname.domain.local'
 at System.Net.Dns.Error_11001 (System.String hostName) <0x4150c690 + 0x0006f> in <filename unknown>:0
 at System.Net.Dns.GetHostByName (System.String hostName) <0x414e3500 + 0x0005f> in <filename unknown>:0
 at System.Net.Dns.GetHostEntry (System.String hostNameOrAddress) <0x414e33e0 + 0x00093> in <filename unknown>:0
 at System.Net.Dns.GetHostAddresses (System.String hostNameOrAddress) <0x414e1a60 + 0x000c7> in <filename unknown>:0
 at System.Net.Sockets.TcpClient.Connect (System.String hostname, Int32 port) <0x414e1a10 + 0x0001b> in <filename unknown>:0
 at System.Net.Sockets.TcpClient..ctor (System.String hostname, Int32 port) <0x414e19e0 + 0x00017> in <filename unknown>:0
 at FullTest.OpenConnection () <0x414e1730 + 0x0007b> in <filename unknown>:0
 at FullTest.DoConnectV2 () <0x414e1510 + 0x0002f> in <filename unknown>:0
 at FullTest.Run () <0x414df4e0 + 0x0030f> in <filename unknown>:0
 at TestSSLServer.Process (System.String[] args) <0x414dbf00 + 0x0132f> in <filename unknown>:0
 at TestSSLServer.Main (System.String[] args) <0x414dbd50 + 0x0001f> in <filename unknown>:0

Incorrectly reporting SSLv3 support?

Hi,

I'm noticing that this tool has identified some servers as supporting SSL 3.0, when other tools (e.g. ssllabs), run against the same server, report that SSL 3.0 isn't enabled. Is this a known issue?

This domain illustrates the point: d2nnjlsh3usk06.cloudfront.net. I get a "WARN[PV003]: Server supports SSL 3.0." message; however, if I attempt to connect via openssl using sslv3, I can't, e.g.

openssl s_client -connect d2nnjlsh3usk06.cloudfront.net:443 -servername d2nnjlsh3usk06.cloudfront.net -ssl3

Also, the SSL labs report indicates that SSLv3 is not supported: https://www.ssllabs.com/ssltest/analyze.html?d=d2nnjlsh3usk06.cloudfront.net&s=52.84.213.210&latest

Support STARTTLS / AUTH TLS

Excellent tool, thank you.

Could this be extended with option flags for SMTP (read line, "STARTTLS\r\n", read line) and FTP (read line, "AUTH TLS\r\n", read line)?
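
The plaintext exchange requested above, as an added example (not part of the original issue and not TestSSLServer's code): it performs read line, send command, read line for SMTP and FTP and checks the reply code before a TLS handshake would begin. Function names, the optional `ehlo` step and the in-process server replies are assumptions constructed for the demonstration.

```python
import socket
import threading

# Upgrade command and the reply code that permits TLS to start:
# 220 for SMTP STARTTLS (RFC 3207), 234 for FTP AUTH TLS (RFC 4217).
UPGRADE = {"smtp": (b"STARTTLS\r\n", b"220"), "ftp": (b"AUTH TLS\r\n", b"234")}

def read_reply(sock, limit=4096):
    """Read one reply byte by byte, so nothing after its final line is consumed."""
    total = 0
    while True:
        line = bytearray()
        while not line.endswith(b"\n"):
            byte = sock.recv(1)
            total += 1
            if not byte or total > limit:
                raise ConnectionError("connection closed or reply too long")
            line += byte
        if len(line) < 4 or not line[:3].isdigit():
            raise ValueError("malformed reply line: %r" % bytes(line))
        if line[3:4] != b"-":   # "220-text" continues the reply, "220 text" ends it
            return bytes(line[:3])

def plaintext_upgrade(sock, proto, ehlo=None):
    """Read line, send the upgrade command, read line. True if TLS may start."""
    command, go_ahead = UPGRADE[proto]
    read_reply(sock)                          # server greeting
    if ehlo is not None:                      # optional extra step, not in the post
        sock.sendall(b"EHLO " + ehlo + b"\r\n")
        read_reply(sock)
    sock.sendall(command)
    return read_reply(sock) == go_ahead

def demo(proto, script, ehlo=None):
    """Run plaintext_upgrade against a constructed in-process server script."""
    client, server = socket.socketpair()
    def serve():
        for i, reply in enumerate(script):    # send a reply, then await one command
            server.sendall(reply)
            if i < len(script) - 1:
                while server.recv(1) not in (b"\n", b""):
                    pass
    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    try:
        return plaintext_upgrade(client, proto, ehlo)
    finally:
        client.close()
        thread.join()
        server.close()
```

Reading one byte at a time keeps the socket positioned exactly at the end of the go-ahead reply, so the first bytes of the server's TLS handshake are never swallowed by the line reader.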

cannot set minimum protocol to TLSv1.3

First of all, great tool - thank you!

I am trying to target only the TLSv1.3 protocol; however, if I set the minimum with -min TLSv1.3, the tool does not run and returns the helper menu.

I can target all other protocols with the following example -min TLSv1.2 -max TLSv1.2 but it doesn't work if I want to target TLSv1.3

Can we make it work with TLSv1.3 as well please?
