sslscan
SSL_get_error in Supported Server Cipher(s) list
When scanning a host without --verbose, I get an empty list of Supported Server Cipher(s). When I add the --verbose option, I get three "SSL_get_error(ssl, cipherStatus) said: 1" errors in the Supported Server Cipher(s) list.
root@kali:~/# sslscan --verbose host
Version: 1.11.10-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)

Some servers will fail to response to SSLv3 ciphers over STARTTLS
If your scan hangs, try using the --tlsall option

Testing SSL server host on port 443 using SNI name host

TLS Fallback SCSV:
OpenSSL OpenSSL 1.0.2-chacha (1.0.2g-dev) looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
OpenSSL OpenSSL 1.0.2-chacha (1.0.2g-dev) looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Server does not support TLS Fallback SCSV

TLS renegotiation:
OpenSSL OpenSSL 1.0.2-chacha (1.0.2g-dev) looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
use_unsafe_renegotiation_op
Session renegotiation not supported

TLS Compression:
OpenSSL OpenSSL 1.0.2-chacha (1.0.2g-dev) looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Compression disabled

Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

Supported Server Cipher(s):
SSL_get_error(ssl, cipherStatus) said: 1
SSL_get_error(ssl, cipherStatus) said: 1
SSL_get_error(ssl, cipherStatus) said: 1
I'm able to use the nmap ssl-enum-ciphers script to enumerate the ciphers without issue; see below:
root@kali:~/# nmap -P0 -sV -p 443 --script=ssl-enum-ciphers --max-rate 100 host
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-30 11:22 EDT
Nmap scan report for host (IP)
Host is up (0.051s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.37 seconds
Is it possible to get any more verbosity out of the sslscan application? Has this error been encountered before and is there a workaround or other mitigation?
Thanks for any help you can provide. Jordan
I've seen this issue when the server requires a client certificate (which sslscan doesn't have), but I think a number of things could cause it.
If it's still an issue for you in 2019 and you have the inclination to test, I've submitted a pull request that will display the underlying SSL error here: https://github.com/rbsec/sslscan/pull/179
...however it doesn't address the "client certificate" case.
You might just see:
SSL_get_error(ssl, cipherStatus) returned: 1 (SSL_ERROR_SSL) [sslscan.c:testCipher@1584]:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
...which is caused by testing for SSLv3 against a server that doesn't support SSLv3.
I have the same issue; the error is SSL_get_error(ssl, cipherStatus) returned: 5 (SSL_ERROR_SYSCALL)
No issues under WSL/Linux; no issues with testssl.sh under MSYS/MinGW using a MinGW build of Peter Mosman's OpenSSL. The only other case with issues is SSLyze, but I haven't tried debugging that to confirm if it's the same problem causing it.
To reproduce it, scan a server started like this using a Windows version of sslscan:
export KEYDIR=.
openssl req -x509 -nodes -sha1 -newkey rsa:1024 -keyout selfsigned.key -out selfsigned.crt -days 9999
openssl dhparam -out dhparam.pem 512
openssl s_server -4 -accept 8081 -www -cert $KEYDIR/selfsigned.crt -key $KEYDIR/selfsigned.key -dhparam $KEYDIR/dhparam.pem -cipher "ALL:eNULL:ADH:EXPORT"
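An added example, not part of the thread and not sslscan's own code: a small parser for the "SSL_get_error(ssl, cipherStatus)" lines quoted above, which names the return code and unpacks the OpenSSL error-queue string when one is printed. The function names and hint wording are this example's own, and the bit layout assumed is the OpenSSL 1.x packing used by the 1.0.2 build shown in the scan output.

```python
import re

# SSL_get_error() return codes as defined in OpenSSL's ssl.h.
SSL_ERROR_NAMES = {
    0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN",
}
# Matches both the older "said:" wording and the "returned:" wording in the thread.
RC_RE = re.compile(r"SSL_get_error\(ssl, cipherStatus\) (?:said|returned): (\d+)")
# OpenSSL error-queue string: error:<8 hex digits>:<library>:<function>:<reason>
QUEUE_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")

def parse_line(line):
    """Return a dict describing one sslscan error line, or None if it is not one."""
    rc_match = RC_RE.search(line)
    if rc_match is None:
        return None
    rc = int(rc_match.group(1))
    info = {"rc": rc, "name": SSL_ERROR_NAMES.get(rc, "unknown"), "reason": None}
    queue = QUEUE_RE.search(line)
    if queue:
        code = int(queue.group(1), 16)
        # Assumed OpenSSL 1.x packing: 8 bits library, 12 bits function, 12 bits reason.
        info.update(lib=code >> 24, func=(code >> 12) & 0xFFF,
                    reason_code=code & 0xFFF, reason=queue.group(4).strip())
    return info

def triage(line):
    """Map a line to a short next-step hint (wording is this example's own)."""
    info = parse_line(line)
    if info is None:
        return "not an SSL_get_error line"
    if info["reason"] == "wrong version number":
        return "record version mismatch, e.g. an SSLv3 probe against a server without SSLv3"
    if info["rc"] == 1:
        return "TLS library failure; the error queue is needed to see the cause"
    if info["rc"] == 5:
        return "I/O failure below the TLS layer; look at the socket or transport"
    return "unclassified: " + info["name"]

# Sample lines copied from the posts in this thread.
SAMPLES = [
    "SSL_get_error(ssl, cipherStatus) said: 1",
    "SSL_get_error(ssl, cipherStatus) returned: 1 (SSL_ERROR_SSL) [sslscan.c:testCipher@1584]:"
    "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number",
    "SSL_get_error(ssl, cipherStatus) returned: 5 (SSL_ERROR_SYSCALL)",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```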