
the ./o-saft.pl my.tld +cipher --ciphermode=intern --cipher-range=full command on a local server #149

Open
kylak opened this issue Aug 5, 2024 · 6 comments


kylak commented Aug 5, 2024

Hi.

I executed the ./o-saft.pl my.tld +cipher --ciphermode=intern --cipher-range=full command on a local server, but the execution is not yet finished after nearly 1 hour. Is it normal? If yes, how long does it usually take on a local server, please?

Also, here is the result given by the command:

**WARNING: 058: given path '/etc/ssl/certs/' does not contain a CA file
**WARNING: 409: SSLv2 does not support SNI; cipher checks are done without SNI
**WARNING: 409: SSLv3 does not support SNI; cipher checks are done without SNI
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0xFFF3 ... 0x03010012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03010013 ... 0x03010032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03010033 ... 0x03010052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03010073 ... 0x03010092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03010093 ... 0x030100B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0301BFF3 ... 0x0301C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0301C013 ... 0x0301C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0301FFF3 ... 0x03020012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03020013 ... 0x03020032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03020033 ... 0x03020052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03020073 ... 0x03020092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03020093 ... 0x030200B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0302BFF3 ... 0x0302C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0302C013 ... 0x0302C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0302FFF3 ... 0x03030012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03030013 ... 0x03030032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03030033 ... 0x03030052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03030073 ... 0x03030092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03030093 ... 0x030300B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0303BFF3 ... 0x0303C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0303C013 ... 0x0303C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0303FFF3 ... 0x03040012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03040013 ... 0x03040032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03040033 ... 0x03040052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03040073 ... 0x03040092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03040093 ... 0x030400B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0304BFF3 ... 0x0304C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0304C013 ... 0x0304C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0304FFF3 ... 0x03050012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03050013 ... 0x03050032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03050033 ... 0x03050052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03050073 ... 0x03050092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03050093 ... 0x030500B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0305BFF3 ... 0x0305C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0305C013 ... 0x0305C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0305FFF3 ... 0x03060012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03060013 ... 0x03060032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03060033 ... 0x03060052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03060073 ... 0x03060092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03060093 ... 0x030600B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0306BFF3 ... 0x0306C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0306C013 ... 0x0306C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0306FFF3 ... 0x03070012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03070013 ... 0x03070032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03070033 ... 0x03070052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03070073 ... 0x03070092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03070093 ... 0x030700B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0307BFF3 ... 0x0307C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0307C013 ... 0x0307C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0307FFF3 ... 0x03080012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03080013 ... 0x03080032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03080033 ... 0x03080052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03080073 ... 0x03080092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03080093 ... 0x030800B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0308BFF3 ... 0x0308C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0308C013 ... 0x0308C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0308FFF3 ... 0x03090012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03090013 ... 0x03090032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x03090033 ... 0x03090052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x03090073 ... 0x03090092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x03090093 ... 0x030900B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x0309BFF3 ... 0x0309C012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0309C013 ... 0x0309C032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0x0309FFF3 ... 0x030A0012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x030A0013 ... 0x030A0032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0033' that has not been requested this time (1): ('0x030A0033 ... 0x030A0052'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0084' that has not been requested this time (1): ('0x030A0073 ... 0x030A0092'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0096' that has not been requested this time (1): ('0x030A0093 ... 0x030A00B2'. at ./o-saft.pl line 3104.
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC011' that has not been requested this time (1): ('0x030ABFF3 ... 0x030AC012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x030AC013 ... 0x030AC032'. at ./o-saft.pl line 3104.

Is this result normal? How to interpret it? I didn't find any documentation on this.

Regards.

Member

EnDe commented Aug 5, 2024

> How to interpret it?

Good question ;-)

As you see in the warning (last line in your example), 0xC013 from the range 0x030AC013 ... 0x030AC032 caused the message. This is an unknown cipher, hence we don't know what the server is doing with it. In this case it returns some error in the server-hello.
Finally these ciphers are not listed as accepted, are they? That's intended behaviour, IMHO.

If you're really interested what's going on with undefined ciphers, you may use the options --trace=4 and/or any of the --ssl-* options. See ./o-saft.pl --help=options.
If this isn't sufficient, feel free to dig deeper into the sources of SSLhello.pm.
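To make the warning output above easier to triage, here is a small parser, added to this thread as an example and not part of O-Saft or of either participant's comments. It counts the fatal alerts per protocol, tallies which cipher ids the server answered with although they were not offered, and checks one observation that holds for every line in the output above: each reply cipher equals the low 16 bits of some id inside the probed range (for example 0x0016 inside 0x03010013 ... 0x03010032). That check is an assumption drawn only from the values on this page, not documented O-Saft behaviour, so the script reports replies that break it rather than explaining them. The sample lines are constructed in the shape of the warnings above.

```python
import re
from collections import Counter

# Constructed sample in the shape of the O-Saft warnings quoted in this issue.
SAMPLE_OUTPUT = """\
**WARNING: 409: SSLv3 does not support SNI; cipher checks are done without SNI
**WARNING:  parseHandshakeRecord: Server ' my.tld:443' (TLSv1): received fatal SSL/TLS error (2c): Description: inappropriate_fallback [RFC5246_update-Draft-2014-05-31] (86)
 at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0004' that has not been requested this time (1): ('0xFFF3 ... 0x03010012'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0x0016' that has not been requested this time (1): ('0x03010013 ... 0x03010032'. at ./o-saft.pl line 3104.
**WARNING:  Server replied (again) with cipher '0xC013' that has not been requested this time (1): ('0x0301C013 ... 0x0301C032'. at ./o-saft.pl line 3104.
"""

# "(again)" is optional so the first occurrence of a reply warning is caught too.
REPLY_RE = re.compile(
    r"Server replied (?:\(again\) )?with cipher '0x([0-9A-Fa-f]+)'.*?"
    r"\('0x([0-9A-Fa-f]+) \.\.\. 0x([0-9A-Fa-f]+)'"
)
ALERT_RE = re.compile(
    r"parseHandshakeRecord: Server '\s*(?P<host>[^']+)' \((?P<proto>[^)]+)\): "
    r"received fatal SSL/TLS error \((?P<code>[0-9a-fA-F]+)\): Description: (?P<desc>\S+)"
)


def range_covers_suite(lo, hi, suite):
    """True if some id in [lo, hi] has the two-byte value `suite` as its low 16 bits.

    Assumption (from the values on this page only): the server sees the last two
    bytes of the probed id as the cipher suite.
    """
    candidate = (lo & ~0xFFFF) | suite      # smallest id with the right low bits
    if candidate < lo:                      # ... at or above the start of the range
        candidate += 0x10000
    return candidate <= hi


def triage(text):
    """Parse O-Saft warning lines into fatal-alert counts and unexpected replies."""
    alerts = Counter()
    replies = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts[(m["proto"], m["desc"])] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            suite, lo, hi = (int(x, 16) for x in m.groups())
            replies.append({"suite": suite, "lo": lo, "hi": hi,
                            "covered": range_covers_suite(lo, hi, suite)})
    return {"alerts": alerts, "replies": replies}


def summarize(result):
    """Human-readable summary lines for a triage() result."""
    lines = []
    for (proto, desc), n in sorted(result["alerts"].items()):
        lines.append(f"{n} fatal alert(s) '{desc}' while probing {proto}")
    suites = Counter(r["suite"] for r in result["replies"])
    for suite, n in sorted(suites.items()):
        lines.append(f"server answered with 0x{suite:04X} {n} time(s) although it was not offered")
    stray = [r for r in result["replies"] if not r["covered"]]
    lines.append(f"{len(stray)} reply cipher(s) do not match the low 16 bits of any probed id")
    return lines


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_OUTPUT)):
        print(line)
```

Run it against the real output by piping the o-saft.pl stderr into `triage()` instead of the constructed sample; a non-zero "stray" count would mean the server answered with a suite that is not even a suffix of what was probed, which is the case worth investigating with --trace=4.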

EnDe added the question label Aug 5, 2024
Author

kylak commented Aug 5, 2024

Ok, I got it, thanks. And what about the execution time, please?

Member

EnDe commented Aug 5, 2024

> .. the execution is not yet finished after nearly 1 hour, is it normal?

Yes, if so many warnings occur.
--range=full is fuzzing, or in this case brute-forcing 1.6G ciphers. How much time do you expect?
The reason is that we try to tweak the server with other client-hello messages if such errors are detected. This behaviour can be controlled slightly with the --ssl-* options.

For what it's worth: on my server (cpu 3GHz, 3GB free RAM), localhost, this test completes in less than 5 minutes (but no warnings there); not bad, is it?
I'd like to encourage you to think about what you're doing, check the docs, and then ask if something is wrong, missing, or unexpected.
Also the options --v --trace --trace=[234] --traceme may give hints about what's going on.
Wait: we can setup a training ...
:-)

Author

kylak commented Aug 6, 2024

Could you explain what you mean by "tweak" in "we try to tweak the server with other client-hello messages"?

Thanks.

Member

EnDe commented Aug 7, 2024

Short answer: fiddling around with various client-hello messages.
Feel free to follow my comment (last paragraph).
Additionally the --trace=4 and --trace=5 options will flood you with information.
You may also try usr/checkAllCiphers.pl --trace=5 your-server

Author

kylak commented Aug 7, 2024

Ok, thanks.
