Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Uses insecure SSLv3 #8842

Closed
cyberduck opened this issue May 21, 2015 · 9 comments
Closed

Uses insecure SSLv3 #8842

cyberduck opened this issue May 21, 2015 · 9 comments
Assignees
Labels
bug thirdparty Issue caused by third party webdav WebDAV Protocol Implementation
Milestone

Comments

@cyberduck
Copy link
Collaborator

31baaf7 created the issue

Would it possible to replace insecure SSLv3 with TLS1.1 or higher for the encryption ?

This is because our webdav server refuses (Heartbeat attack) any negotiation with SSLv3.

The SSL dump for Hello phase:

1 1  0.3343 (0.3343)  C>SV3.3(275)  Handshake
      ClientHello
        Version 3.3 
        random[32]=
          55 5d bd 6e f9 a4 b6 9e 2d c5 3d a9 d7 60 15 81 
          36 a6 3a e9 05 86 e5 e6 5f a7 1d 99 a9 4b 6c f8 
        cipher suites
        Unknown value 0xc024
        Unknown value 0xc028
        Unknown value 0x3d
        Unknown value 0xc026
        Unknown value 0xc02a
        Unknown value 0x6b
        Unknown value 0x6a
        Unknown value 0xc00a
        Unknown value 0xc014
        Unknown value 0x35
        Unknown value 0xc005
        Unknown value 0xc00f
        Unknown value 0x39
        Unknown value 0x38
        Unknown value 0xc023
        Unknown value 0xc027
        Unknown value 0x3c
        Unknown value 0xc025
        Unknown value 0xc029
        TLS_DHE_DSS_WITH_NULL_SHA
        Unknown value 0x40
        Unknown value 0xc009
        Unknown value 0xc013
        Unknown value 0x2f
        Unknown value 0xc004
        Unknown value 0xc00e
        Unknown value 0x33
        Unknown value 0x32
        Unknown value 0xc02c
        Unknown value 0xc02b
        Unknown value 0xc030
        Unknown value 0x9d
        Unknown value 0xc02e
        Unknown value 0xc032
        Unknown value 0x9f
        Unknown value 0xa3
        Unknown value 0xc02f
        Unknown value 0x9c
        Unknown value 0xc02d
        Unknown value 0xc031
        Unknown value 0x9e
        Unknown value 0xa2
        Unknown value 0xc008
        Unknown value 0xc012
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc003
        Unknown value 0xc00d
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc007
        Unknown value 0xc011
        TLS_RSA_WITH_RC4_128_SHA
        Unknown value 0xc002
        Unknown value 0xc00c
        TLS_RSA_WITH_RC4_128_MD5
        Unknown value 0xff
        compression methods
                  NULL
1 2  0.3345 (0.0002)  S>CV3.0(2)  Alert
    level           fatal
    value           protocol_version
1    0.3345 (0.0000)  S>C  TCP FIN
1    0.3351 (0.0005)  C>S  TCP FIN
@cyberduck
Copy link
Collaborator Author

@dkocher commented

We have disabled SSLv2 in edcf6ec.

@cyberduck
Copy link
Collaborator Author

@dkocher commented

We have disabled SSLv3 in 935e36c.

@cyberduck
Copy link
Collaborator Author

@dkocher commented

Can you let me know the IP address of the server to reproduce the issue.

@cyberduck
Copy link
Collaborator Author

31baaf7 commented

The webdav server is documents.epfl.ch.

Replying to [comment:5 dkocher]:

Can you let me know the IP address of the server to reproduce the issue.

@cyberduck
Copy link
Collaborator Author

@dkocher commented

Attached debug output with SSL trace shows that ClientHello, TLSv1.2 is sent.

876 [main] DEBUG ch.cyberduck.core.http.HttpSession$2  - Connecting socket to documents.epfl.ch/128.178.222.31:443 with timeout 30000
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
1456 [main] DEBUG ch.cyberduck.core.ssl.CustomTrustSSLProtocolSocketFactory  - Configure SSL parameters with protocols [TLSv1.2, TLSv1.1, TLSv1]
1458 [main] INFO ch.cyberduck.core.ssl.CustomTrustSSLProtocolSocketFactory  - Enabled cipher suites [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
1463 [main] DEBUG ch.cyberduck.core.ssl.CustomTrustSSLProtocolSocketFactory  - Handshake for socket 4690f583[SSL_NULL_WITH_NULL_NULL: Socket[addr=documents.epfl.ch/128.178.222.31,port=443,localport=54146]]
1463 [main] DEBUG ch.cyberduck.core.http.HttpSession$2  - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
1464 [main] DEBUG ch.cyberduck.core.http.HttpSession$2  - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
1466 [main] DEBUG ch.cyberduck.core.http.HttpSession$2  - Starting handshake
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1432146848 bytes = { 165, 121, 174, 209, 224, 211, 116, 89, 245, 3, 162, 38, 177, 33, 46, 38, 89, 251, 25, 53, 209, 163, 129, 23, 234, 199, 62, 119 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=documents.epfl.ch]
***
[write] MD5 and SHA1 hashes:  len = 233
0000: 01 00 00 E5 03 03 55 5D   D4 A0 A5 79 AE D1 E0 D3  ......U]...y....
0010: 74 59 F5 03 A2 26 B1 21   2E 26 59 FB 19 35 D1 A3  tY...&.!.&Y..5..
0020: 81 17 EA C7 3E 77 00 00   46 C0 23 C0 27 00 3C C0  ....>w..F.#.'.<.
0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.).g.@...../...
0040: 0E 00 33 00 32 C0 07 C0   11 00 05 C0 02 C0 0C C0  ..3.2...........
0050: 2B C0 2F 00 9C C0 2D C0   31 00 9E 00 A2 C0 08 C0  +./...-.1.......
0060: 12 00 0A C0 03 C0 0D 00   16 00 13 00 04 00 FF 01  ................
0070: 00 00 76 00 0A 00 34 00   32 00 17 00 01 00 03 00  ..v...4.2.......
0080: 13 00 15 00 06 00 07 00   09 00 0A 00 18 00 0B 00  ................
0090: 0C 00 19 00 0D 00 0E 00   0F 00 10 00 11 00 02 00  ................
00A0: 12 00 04 00 05 00 14 00   08 00 16 00 0B 00 02 01  ................
00B0: 00 00 0D 00 1A 00 18 06   03 06 01 05 03 05 01 04  ................
00C0: 03 04 01 03 03 03 01 02   03 02 01 02 02 01 01 00  ................
00D0: 00 00 16 00 14 00 00 11   64 6F 63 75 6D 65 6E 74  ........document
00E0: 73 2E 65 70 66 6C 2E 63   68                       s.epfl.ch
main, WRITE: TLSv1.2 Handshake, length = 233
[Raw write]: length = 238
0000: 16 03 03 00 E9 01 00 00   E5 03 03 55 5D D4 A0 A5  ...........U]...
0010: 79 AE D1 E0 D3 74 59 F5   03 A2 26 B1 21 2E 26 59  y....tY...&.!.&Y
0020: FB 19 35 D1 A3 81 17 EA   C7 3E 77 00 00 46 C0 23  ..5......>w..F.#
0030: C0 27 00 3C C0 25 C0 29   00 67 00 40 C0 09 C0 13  .'.<.%.).g.@....
0040: 00 2F C0 04 C0 0E 00 33   00 32 C0 07 C0 11 00 05  ./.....3.2......
0050: C0 02 C0 0C C0 2B C0 2F   00 9C C0 2D C0 31 00 9E  .....+./...-.1..
0060: 00 A2 C0 08 C0 12 00 0A   C0 03 C0 0D 00 16 00 13  ................
0070: 00 04 00 FF 01 00 00 76   00 0A 00 34 00 32 00 17  .......v...4.2..
0080: 00 01 00 03 00 13 00 15   00 06 00 07 00 09 00 0A  ................
0090: 00 18 00 0B 00 0C 00 19   00 0D 00 0E 00 0F 00 10  ................
00A0: 00 11 00 02 00 12 00 04   00 05 00 14 00 08 00 16  ................
00B0: 00 0B 00 02 01 00 00 0D   00 1A 00 18 06 03 06 01  ................
00C0: 05 03 05 01 04 03 04 01   03 03 03 01 02 03 02 01  ................
00D0: 02 02 01 01 00 00 00 16   00 14 00 00 11 64 6F 63  .............doc
00E0: 75 6D 65 6E 74 73 2E 65   70 66 6C 2E 63 68        uments.epfl.ch
[Raw read]: length = 5
0000: 15 03 00 00 02                                     .....
[Raw read]: length = 2
0000: 02 46                                              .F
main, READ: SSLv3 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, protocol_version
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLException: Received fatal alert: protocol_version

@cyberduck
Copy link
Collaborator Author

@dkocher commented

Also the trace shows that a TLSv1.2 Handshake is initiated. Chrome.app will print

Your connection to documents.epfl.ch is encrypted with obsolete cryptography.

The connection uses TLS 1.0.

openssl also negogiates a TLSv1 connection that is no longer supported with Cyberduck.

osaka:~ dkocher$ openssl s_client -connect documents.epfl.ch:443 
CONNECTED(00000003)
depth=3 /C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=CH/ST=Vaud/L=Lausanne/O=Ecole polytechnique federale de Lausanne (EPFL)/CN=documents.epfl.ch
   i:/C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global SSL ICA
 1 s:/C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global SSL ICA
   i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
 2 s:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
   i:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
 3 s:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
   i:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFNjCCBB6gAwIBAgIUb2pZZYdnGYcOOtccFjMgw2xxjL4wDQYJKoZIhvcNAQEF
BQAwazELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHzAd
BgNVBAsTFnd3dy5xdW92YWRpc2dsb2JhbC5jb20xIDAeBgNVBAMTF1F1b1ZhZGlz
IEdsb2JhbCBTU0wgSUNBMB4XDTEyMTExNjEzMjYxM1oXDTE1MTExNjEzMjYxMlow
gYUxCzAJBgNVBAYTAkNIMQ0wCwYDVQQIEwRWYXVkMREwDwYDVQQHEwhMYXVzYW5u
ZTE4MDYGA1UEChMvRWNvbGUgcG9seXRlY2huaXF1ZSBmZWRlcmFsZSBkZSBMYXVz
YW5uZSAoRVBGTCkxGjAYBgNVBAMTEWRvY3VtZW50cy5lcGZsLmNoMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxLEDw3F0q/OICREzbHBbaoAkHxov4VMI
I2I5Pqy1V9H+1FVJdyHTvH+Lumk85XXqdUY3ZQccvSl5PIceerAnVVoGhn/UXWiT
IWRbzxGin9WQock99EeI42BK2D7WZvH1EL+1CxB433vJbYvbLhSphQsiMoNKOWo8
W+BPSlCmTcSrHskF9MpQK75ssyrTd9R3E+JnsCVOAyRPliH6fpQVqgA6V+bjNP0R
SK4X2rLs9XmLFAEbNxIKt1liNMG/x3VzP4Jh0Tyrqu2NTZnBtAcNWdUQ7xIbhI3q
XX0ki9Hf/+Cb/kr71A+I/gB76XziF/5LVW1ikbk1tOS1uBZETvZLjQIDAQABo4IB
tTCCAbEwdAYIKwYBBQUHAQEEaDBmMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5x
dW92YWRpc2dsb2JhbC5jb20wOAYIKwYBBQUHMAKGLGh0dHA6Ly90cnVzdC5xdW92
YWRpc2dsb2JhbC5jb20vcXZzc2xpY2EuY3J0MDoGA1UdEQQzMDGCEWRvY3VtZW50
cy5lcGZsLmNogRxESVQtVEktQ2VydHNAZ3JvdXBlcy5lcGZsLmNoMFEGA1UdIARK
MEgwRgYMKwYBBAG+WAACZAEBMDYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cucXVv
dmFkaXNnbG9iYWwuY29tL3JlcG9zaXRvcnkwDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBQyTaFP6vCumbbu
mwcshAgRUIvifjA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLnF1b3ZhZGlz
Z2xvYmFsLmNvbS9xdnNzbGljYS5jcmwwHQYDVR0OBBYEFIdHlH5aJ7QD/nA9iWre
Y8RZfdQ5MA0GCSqGSIb3DQEBBQUAA4IBAQBuz1MgRmtVAmn1bs5hjNCvVU4CTYta
KkZL7AmmPwBuEp8c2/7puK7sjYW3TufXfjxE8/uRYxzQBJHu/ZEKa9djc2j+m8A3
EpQgtpUS/p8qZtjNIRffGOlR0IsDVnf7Xpdp36xKWvr0VdG9LbIlE8QPxPTUWvGl
JR4zhmmFwpsJJBVL8fp2w0rZ3yK0a0HIL4EE8ZgA3Tf7d/FKS3P0UlRACRrm1S5I
Xoi61Ps0ETLwGIznDXuQMAjmqzR21jw/bsV2yfu/wRx+OhHfsPYl03Vgf0LqHiin
OycU6LojV18IDkUm6uhiqTkxwchYhp3Gqv08w0tLPSzvcQwt8YsPIhLK
-----END CERTIFICATE-----
subject=/C=CH/ST=Vaud/L=Lausanne/O=Ecole polytechnique federale de Lausanne (EPFL)/CN=documents.epfl.ch
issuer=/C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global SSL ICA
---
No client certificate CA names sent
---
SSL handshake has read 5671 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 924754251AA57F9F73EB1F39133FA62DFF841E6D32C37456FB714C1114E11091D8037B16DEDD8E103EDE9F18F8952A30
    Key-Arg   : None
    Start Time: 1432213187
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

It looks to me that this server is configured to only accept TLSv1 but not later versions.

@cyberduck
Copy link
Collaborator Author

@dkocher commented

osaka:~ dkocher$ nmap --script ssl-enum-ciphers documents.epfl.ch

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-21 15:07 CEST
Nmap scan report for documents.epfl.ch (128.178.222.31)
Host is up (0.041s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 13.36 seconds

@cyberduck
Copy link
Collaborator Author

@dkocher commented

Add tests in 47da158 that shows handshake with TLSv1 but failure with TLSv1.2.

@cyberduck
Copy link
Collaborator Author

31baaf7 commented

oups, thanks a lot for your help. I haven't read correctly all the ssl dump file. Cyberduck supports TLS 1.2 and TLS 1.1.

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug thirdparty Issue caused by third party webdav WebDAV Protocol Implementation
Projects
None yet
Development

No branches or pull requests

2 participants