
curl-library

Re: weak cipher suites with OpenSSL, SecureTransport and... ?

From: Marc Hörsken <info_at_marc-hoersken.de>
Date: Sun, 12 Jan 2014 22:47:44 +0100

On 09.01.2014 23:34, Daniel Stenberg wrote:
> Left to do is then to build curl with other TLS backends and try it
> against https://www.howsmyssl.com/a/check to see if there are more
> flaws in this style.
>

WinSSL on Windows 7 SP1 looks okay:

$ src/curl -v "https://www.howsmyssl.com/a/check"
* timeout on name lookup is not supported
* Hostname was NOT found in DNS cache
* Trying 54.245.96.51...
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Connected to www.howsmyssl.com (54.245.96.51) port 443 (#0)
* schannel: SSL/TLS connection with www.howsmyssl.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 130 bytes...
* schannel: sent initial handshake data: sent 130 bytes
* schannel: SSL/TLS connection with www.howsmyssl.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with www.howsmyssl.com port 443 (step 2/3)
* schannel: encrypted data buffer: offset 47 length 4096
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* schannel: SSL/TLS connection with www.howsmyssl.com port 443 (step 2/3)
* schannel: encrypted data buffer: offset 1452 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with www.howsmyssl.com port 443 (step 2/3)
* schannel: encrypted data buffer: offset 2904 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with www.howsmyssl.com port 443 (step 2/3)
* schannel: encrypted data buffer: offset 3302 length 4096
* schannel: sending next handshake data: sending 326 bytes...
  0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
* schannel: SSL/TLS connection with www.howsmyssl.com port 443 (step 2/3)
* schannel: encrypted data buffer: offset 59 length 4096
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with www.howsmyssl.com port 443 (step 3/3)
* schannel: incremented credential handle refcount = 1
* schannel: stored credential handle in session cache
> GET /a/check HTTP/1.1
> User-Agent: curl/7.34.1-DEV
> Host: www.howsmyssl.com
> Accept: */*
>
* schannel: client wants to read 16384 bytes
* schannel: encrypted data buffer: offset 0 length 16384
* schannel: encrypted data got 991
* schannel: encrypted data buffer: offset 991 length 16384
* schannel: decrypted data length: 1
* schannel: decrypted data added: 1
* schannel: decrypted data cached: offset 1 length 16384
* schannel: encrypted data length: 954
* schannel: encrypted data cached: offset 954 length 16384
* schannel: decrypted data length: 890
* schannel: decrypted data added: 890
* schannel: decrypted data cached: offset 891 length 16384
* schannel: encrypted data length: 37
* schannel: encrypted data cached: offset 37 length 16384
* schannel: decrypted data buffer: offset 891 length 16384
* schannel: decrypted data returned 891
* schannel: decrypted data buffer: offset 0 length 16384
< HTTP/1.1 200 OK
< Content-Length: 698
< Connection: close
< Content-Type: application/json
< Date: Sun, 12 Jan 2014 21:44:23 GMT
< Strict-Transport-Security: max-age=631138519; includeSubdomains
<
{ [data not shown]
100 698 100 698 0 0 331 0 0:00:02 0:00:02 --:--:-- 338
{"given_cipher_suites":["TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_RC4_128_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_DHE_DSS_WITH_AES_128_CBC_SHA","TLS_DHE_DSS_WITH_AES_256_CBC_SHA","TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA","TLS_RSA_WITH_RC4_128_MD5"],"ephemeral_keys_supported":true,"session_ticket_supported":false,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":true,"able_to_detect_n_minus_one_splitting":true,"insecure_cipher_suites":{},"tls_version":"TLS 1.0","rating":"Bad"}
* Closing connection 0
* schannel: shutting down SSL/TLS connection with www.howsmyssl.com port 443
* schannel: clear security context handle
* schannel: decremented credential handle refcount = 0
Received on 2014-01-12
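
An added example (not part of the original mail and not curl project code): a small Python triage of a howsmyssl.com /a/check response, so that runs against different TLS backends can be compared on the same criteria. The field names are those in the response above; the weak-suite marker list, the TLS 1.2 floor and the sample report are assumptions of this example.

```python
import json
import sys

# Name fragments treated as legacy here. This list is an assumption of the
# example, not the rating logic of howsmyssl.com.
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_MD5", "_NULL_", "_EXPORT", "_anon_")
TLS_ORDER = ("SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3")


def triage(report, min_tls="TLS 1.2"):
    """Return a list of findings for one parsed /a/check JSON response."""
    findings = []
    for suite in report.get("given_cipher_suites", []):
        hits = [m.strip("_") for m in WEAK_MARKERS if m in suite]
        if hits:
            findings.append(f"legacy suite offered: {suite} ({', '.join(hits)})")
    # Suites the service itself marks insecure (empty in the response above).
    for suite, reasons in report.get("insecure_cipher_suites", {}).items():
        findings.append(f"service flags {suite}: {reasons}")
    version = report.get("tls_version", "")
    if version not in TLS_ORDER:
        findings.append(f"unrecognised protocol version: {version!r}")
    elif TLS_ORDER.index(version) < TLS_ORDER.index(min_tls):
        findings.append(f"negotiated {version}, below {min_tls}")
    for flag in ("beast_vuln", "tls_compression_supported"):
        if report.get(flag):
            findings.append(f"service reports {flag}=true")
    return findings


# Constructed sample in the shape of the response above (shortened suite list).
SAMPLE = json.loads("""
{"given_cipher_suites": ["TLS_RSA_WITH_AES_128_CBC_SHA",
                         "TLS_RSA_WITH_RC4_128_SHA",
                         "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                         "TLS_RSA_WITH_RC4_128_MD5"],
 "tls_compression_supported": false, "beast_vuln": true,
 "insecure_cipher_suites": {}, "tls_version": "TLS 1.0", "rating": "Bad"}
""")

if __name__ == "__main__":
    # Pipe a saved response on stdin, or run without input to use SAMPLE.
    report = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for line in triage(report):
        print(line)
```

Saving one response per backend build and running each through `triage` gives a like-for-like list of what each backend offers by default.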