
#8842 closed defect (thirdparty)

Uses insecure SSLv3

Reported by: mellier
Owned by: dkocher
Priority: normal
Milestone: 4.7.1
Component: webdav
Version: 4.7
Severity: normal
Keywords: webdavs SSL
Cc:
Architecture:
Platform: Mac OS X 10.10

Description (last modified by dkocher)

Would it be possible to replace insecure SSLv3 with TLS 1.1 or higher for the encryption?

This is because our webdav server refuses (Heartbeat attack) any negotiation with SSLv3.

The SSL dump for Hello phase:

1 1  0.3343 (0.3343)  C>SV3.3(275)  Handshake
      ClientHello
        Version 3.3 
        random[32]=
          55 5d bd 6e f9 a4 b6 9e 2d c5 3d a9 d7 60 15 81 
          36 a6 3a e9 05 86 e5 e6 5f a7 1d 99 a9 4b 6c f8 
        cipher suites
        Unknown value 0xc024
        Unknown value 0xc028
        Unknown value 0x3d
        Unknown value 0xc026
        Unknown value 0xc02a
        Unknown value 0x6b
        Unknown value 0x6a
        Unknown value 0xc00a
        Unknown value 0xc014
        Unknown value 0x35
        Unknown value 0xc005
        Unknown value 0xc00f
        Unknown value 0x39
        Unknown value 0x38
        Unknown value 0xc023
        Unknown value 0xc027
        Unknown value 0x3c
        Unknown value 0xc025
        Unknown value 0xc029
        TLS_DHE_DSS_WITH_NULL_SHA
        Unknown value 0x40
        Unknown value 0xc009
        Unknown value 0xc013
        Unknown value 0x2f
        Unknown value 0xc004
        Unknown value 0xc00e
        Unknown value 0x33
        Unknown value 0x32
        Unknown value 0xc02c
        Unknown value 0xc02b
        Unknown value 0xc030
        Unknown value 0x9d
        Unknown value 0xc02e
        Unknown value 0xc032
        Unknown value 0x9f
        Unknown value 0xa3
        Unknown value 0xc02f
        Unknown value 0x9c
        Unknown value 0xc02d
        Unknown value 0xc031
        Unknown value 0x9e
        Unknown value 0xa2
        Unknown value 0xc008
        Unknown value 0xc012
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc003
        Unknown value 0xc00d
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc007
        Unknown value 0xc011
        TLS_RSA_WITH_RC4_128_SHA
        Unknown value 0xc002
        Unknown value 0xc00c
        TLS_RSA_WITH_RC4_128_MD5
        Unknown value 0xff
        compression methods
                  NULL
1 2  0.3345 (0.0002)  S>CV3.0(2)  Alert
    level           fatal
    value           protocol_version
1    0.3345 (0.0000)  S>C  TCP FIN
1    0.3351 (0.0005)  C>S  TCP FIN

Change History (12)

comment:1 Changed on May 21, 2015 at 12:00:36 PM by dkocher

  • Component changed from core to webdav
  • Description modified (diff)
  • Milestone set to 4.8
  • Owner set to dkocher
  • Summary changed from webdavs use unsecure SSLv3 to Uses insecure SSLv3

comment:2 Changed on May 21, 2015 at 12:01:51 PM by dkocher

We have disabled SSLv2 in r7717.

comment:3 Changed on May 21, 2015 at 12:03:00 PM by dkocher

We have disabled SSLv3 in r15704.

comment:4 Changed on May 21, 2015 at 12:03:34 PM by dkocher

  • Description modified (diff)
  • Status changed from new to assigned

comment:5 follow-up: Changed on May 21, 2015 at 12:15:28 PM by dkocher

Can you let me know the IP address of the server to reproduce the issue?

comment:6 in reply to: ↑ 5 Changed on May 21, 2015 at 12:43:06 PM by mellier

The webdav server is documents.epfl.ch.

Replying to dkocher:

Can you let me know the IP address of the server to reproduce the issue?

Last edited on May 21, 2015 at 12:56:44 PM by dkocher

comment:7 Changed on May 21, 2015 at 12:52:36 PM by dkocher

Attached debug output with SSL trace shows that ClientHello, TLSv1.2 is sent.

876 [main] DEBUG ch.cyberduck.core.http.HttpSession$2  - Connecting socket to documents.epfl.ch/128.178.222.31:443 with timeout 30000
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
1456 [main] DEBUG ch.cyberduck.core.ssl.CustomTrustSSLProtocolSocketFactory  - Configure SSL parameters with protocols [TLSv1.2, TLSv1.1, TLSv1]
1458 [main] INFO ch.cyberduck.core.ssl.CustomTrustSSLProtocolSocketFactory  - Enabled cipher suites [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
1463 [main] DEBUG ch.cyberduck.core.ssl.CustomTrustSSLProtocolSocketFactory  - Handshake for socket 4690f583[SSL_NULL_WITH_NULL_NULL: Socket[addr=documents.epfl.ch/128.178.222.31,port=443,localport=54146]]
1463 [main] DEBUG ch.cyberduck.core.http.HttpSession$2  - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
1464 [main] DEBUG ch.cyberduck.core.http.HttpSession$2  - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
1466 [main] DEBUG ch.cyberduck.core.http.HttpSession$2  - Starting handshake
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1432146848 bytes = { 165, 121, 174, 209, 224, 211, 116, 89, 245, 3, 162, 38, 177, 33, 46, 38, 89, 251, 25, 53, 209, 163, 129, 23, 234, 199, 62, 119 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=documents.epfl.ch]
***
[write] MD5 and SHA1 hashes:  len = 233
0000: 01 00 00 E5 03 03 55 5D   D4 A0 A5 79 AE D1 E0 D3  ......U]...y....
0010: 74 59 F5 03 A2 26 B1 21   2E 26 59 FB 19 35 D1 A3  tY...&.!.&Y..5..
0020: 81 17 EA C7 3E 77 00 00   46 C0 23 C0 27 00 3C C0  ....>w..F.#.'.<.
0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.).g.@...../...
0040: 0E 00 33 00 32 C0 07 C0   11 00 05 C0 02 C0 0C C0  ..3.2...........
0050: 2B C0 2F 00 9C C0 2D C0   31 00 9E 00 A2 C0 08 C0  +./...-.1.......
0060: 12 00 0A C0 03 C0 0D 00   16 00 13 00 04 00 FF 01  ................
0070: 00 00 76 00 0A 00 34 00   32 00 17 00 01 00 03 00  ..v...4.2.......
0080: 13 00 15 00 06 00 07 00   09 00 0A 00 18 00 0B 00  ................
0090: 0C 00 19 00 0D 00 0E 00   0F 00 10 00 11 00 02 00  ................
00A0: 12 00 04 00 05 00 14 00   08 00 16 00 0B 00 02 01  ................
00B0: 00 00 0D 00 1A 00 18 06   03 06 01 05 03 05 01 04  ................
00C0: 03 04 01 03 03 03 01 02   03 02 01 02 02 01 01 00  ................
00D0: 00 00 16 00 14 00 00 11   64 6F 63 75 6D 65 6E 74  ........document
00E0: 73 2E 65 70 66 6C 2E 63   68                       s.epfl.ch
main, WRITE: TLSv1.2 Handshake, length = 233
[Raw write]: length = 238
0000: 16 03 03 00 E9 01 00 00   E5 03 03 55 5D D4 A0 A5  ...........U]...
0010: 79 AE D1 E0 D3 74 59 F5   03 A2 26 B1 21 2E 26 59  y....tY...&.!.&Y
0020: FB 19 35 D1 A3 81 17 EA   C7 3E 77 00 00 46 C0 23  ..5......>w..F.#
0030: C0 27 00 3C C0 25 C0 29   00 67 00 40 C0 09 C0 13  .'.<.%.).g.@....
0040: 00 2F C0 04 C0 0E 00 33   00 32 C0 07 C0 11 00 05  ./.....3.2......
0050: C0 02 C0 0C C0 2B C0 2F   00 9C C0 2D C0 31 00 9E  .....+./...-.1..
0060: 00 A2 C0 08 C0 12 00 0A   C0 03 C0 0D 00 16 00 13  ................
0070: 00 04 00 FF 01 00 00 76   00 0A 00 34 00 32 00 17  .......v...4.2..
0080: 00 01 00 03 00 13 00 15   00 06 00 07 00 09 00 0A  ................
0090: 00 18 00 0B 00 0C 00 19   00 0D 00 0E 00 0F 00 10  ................
00A0: 00 11 00 02 00 12 00 04   00 05 00 14 00 08 00 16  ................
00B0: 00 0B 00 02 01 00 00 0D   00 1A 00 18 06 03 06 01  ................
00C0: 05 03 05 01 04 03 04 01   03 03 03 01 02 03 02 01  ................
00D0: 02 02 01 01 00 00 00 16   00 14 00 00 11 64 6F 63  .............doc
00E0: 75 6D 65 6E 74 73 2E 65   70 66 6C 2E 63 68        uments.epfl.ch
[Raw read]: length = 5
0000: 15 03 00 00 02                                     .....
[Raw read]: length = 2
0000: 02 46                                              .F
main, READ: SSLv3 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, protocol_version
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLException: Received fatal alert: protocol_version
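
The record headers in the trace above can be decoded by hand to see which side used which version: ssldump's "S>CV3.0" and JSSE's "READ: SSLv3 Alert" both report the version field of the server's alert record, while the client's record and ClientHello carry 3.3 (TLSv1.2). The following Python sketch is an added example, not part of the ticket or of Cyberduck; it parses the leading bytes of the "[Raw write]" dump and the two "[Raw read]" dumps, and its function names are illustrative.

```python
import struct

# Bytes copied from the trace above: the first 11 bytes of the 238-byte
# "[Raw write]" record, and the two "[Raw read]" dumps joined together.
CLIENT_RECORD_PREFIX = bytes.fromhex("16 03 03 00 E9 01 00 00 E5 03 03")
SERVER_RECORD = bytes.fromhex("15 03 00 00 02 02 46")

VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def version_name(major, minor):
    return VERSIONS.get((major, minor), f"unknown({major}.{minor})")


def parse_record(data):
    """Decode one TLS record header and the fields that matter for version negotiation."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    info = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
            "record_version": version_name(major, minor), "length": length}
    body = data[5:5 + length]  # may be shorter than `length` if only a prefix is given
    if ctype == 22 and len(body) >= 6 and body[0] == 1:
        # Handshake header is msg_type(1) + length(3); ClientHello then starts
        # with the 2-byte client_version, the highest version the client offers.
        info["handshake"] = "client_hello"
        info["offered_version"] = version_name(body[4], body[5])
    elif ctype == 21 and len(body) >= 2:
        info["level"] = ALERT_LEVELS.get(body[0], f"unknown({body[0]})")
        info["description"] = ALERTS.get(body[1], f"unknown({body[1]})")
    return info


def diagnose(client_bytes, server_bytes):
    """Say which side used which version when the reply is a protocol_version alert."""
    client, server = parse_record(client_bytes), parse_record(server_bytes)
    if server.get("description") != "protocol_version":
        return "no protocol_version alert in server reply"
    return (f"client offered {client['offered_version']}; server answered with a "
            f"{server['level']} protocol_version alert "
            f"(alert record version: {server['record_version']})")


if __name__ == "__main__":
    print(diagnose(CLIENT_RECORD_PREFIX, SERVER_RECORD))
```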

comment:8 Changed on May 21, 2015 at 1:04:29 PM by dkocher

Also the trace shows that a TLSv1.2 Handshake is initiated. Chrome.app will print

Your connection to documents.epfl.ch is encrypted with obsolete cryptography.

The connection uses TLS 1.0.

openssl also negotiates a TLSv1 connection that is no longer supported with Cyberduck.

osaka:~ dkocher$ openssl s_client -connect documents.epfl.ch:443 
CONNECTED(00000003)
depth=3 /C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=CH/ST=Vaud/L=Lausanne/O=Ecole polytechnique federale de Lausanne (EPFL)/CN=documents.epfl.ch
   i:/C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global SSL ICA
 1 s:/C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global SSL ICA
   i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
 2 s:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
   i:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
 3 s:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
   i:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
---
Server certificate
subject=/C=CH/ST=Vaud/L=Lausanne/O=Ecole polytechnique federale de Lausanne (EPFL)/CN=documents.epfl.ch
issuer=/C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global SSL ICA
---
No client certificate CA names sent
---
SSL handshake has read 5671 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 924754251AA57F9F73EB1F39133FA62DFF841E6D32C37456FB714C1114E11091D8037B16DEDD8E103EDE9F18F8952A30
    Key-Arg   : None
    Start Time: 1432213187
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

It looks to me that this server is configured to only accept TLSv1 but not later versions.

comment:9 Changed on May 21, 2015 at 1:08:36 PM by dkocher

osaka:~ dkocher$ nmap --script ssl-enum-ciphers documents.epfl.ch

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-21 15:07 CEST
Nmap scan report for documents.epfl.ch (128.178.222.31)
Host is up (0.041s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 13.36 seconds

comment:10 Changed on May 21, 2015 at 1:08:54 PM by dkocher

  • Resolution set to thirdparty
  • Status changed from assigned to closed

comment:11 Changed on May 21, 2015 at 1:17:49 PM by dkocher

Add tests in r17588 that show handshake with TLSv1 but failure with TLSv1.2.

comment:12 Changed on May 21, 2015 at 2:59:36 PM by mellier

Oops, thanks a lot for your help. I didn't read the whole SSL dump file correctly. Cyberduck supports TLS 1.2 and TLS 1.1.
