Closed
Description
Describe the bug
sslyze seems to be unable to connect to pure SSLv2 servers.
To Reproduce
Steps to reproduce the behavior:
- Build a legacy version of OpenSSL 1.0.2e with options
zlib enable-rc5 enable-md2 enable-gost enable-cast enable-idea enable-ripemd enable-mdc2
- Run a server with only SSLv2 enabled:
/opt/openssl-1.0.2e/bin/openssl s_server -www -port 1234 -cert foo.crt -key foo.key -ssl2
- Run
sslyze localhost:1234
- Observe first error:
Probing failed: could not find a TLS version and cipher suite supported by the server; discarding scan.
- Apply patch (see below)
- Run
sslyze localhost:1234
- Observe multiple errors (see replies)
Expected behavior
sslyze should complete all checks without errors.
Python environment (please complete the following information):
- OS: Ubuntu 22.04
- Python version: Python 3.10
Additional context
I was unsure whether to open multiple issues or not. I'm going to respond to this bug report, so you can split as needed.
Patch
diff --git a/sslyze/server_connectivity.py b/sslyze/server_connectivity.py
index 7a2c9ab..860d6ec 100644
--- a/sslyze/server_connectivity.py
+++ b/sslyze/server_connectivity.py
@@ -86,6 +86,7 @@ def check_connectivity_to_server(
TlsVersionEnum.TLS_1_1,
TlsVersionEnum.TLS_1_0,
TlsVersionEnum.SSL_3_0,
+ TlsVersionEnum.SSL_2_0,
]:
try:
tls_detection_result = _detect_support_for_tls_1_2_or_below(
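Review bot: appending `TlsVersionEnum.SSL_2_0` to the probe list only works if `_detect_support_for_tls_1_2_or_below` and the `SslConnection` it builds can actually speak SSLv2, which requires a legacy OpenSSL build (the report itself needs a custom OpenSSL 1.0.2e for the server side, and the OpenSSL that most distributions ship has SSLv2 compiled out); please confirm the enum value is routed to the legacy backend, and state in a comment here that SSLv2 is deliberately probed last, after SSL 3.0, so a later reordering does not move it ahead of the modern versions. Whether a backend failure for this value is handled by the `try:` that follows cannot be judged from the hunk, since the matching `except` is outside the visible context; it is worth checking that an unsupported-version error there is caught and treated as "not supported" rather than aborting the whole connectivity check.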
@@ -275,7 +276,14 @@ def _detect_support_for_tls_1_2_or_below(
# First try the default cipher list, and then all ciphers; this is to work around F5 network devices
# that time out when the client hello is too long (ie. too many cipher suites enabled)
# https://support.f5.com/csp/article/K14758
- for cipher_list in ["DEFAULT", "ALL:COMPLEMENTOFALL:-PSK:-SRP"]:
+
+ # DEFAULT excludes SSLv2 ciphers in OpenSSL 1.0.2
+ if tls_version == TlsVersionEnum.SSL_2_0:
+ default_cipher_list = "SSLv2"
+ else:
+ default_cipher_list = "DEFAULT"
+
+ for cipher_list in [default_cipher_list, "ALL:COMPLEMENTOFALL:-PSK:-SRP"]:
ssl_connection = SslConnection(
server_location=server_location,
network_configuration=network_config,
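Review bot: the new `if tls_version == TlsVersionEnum.SSL_2_0` block is inserted between the three-line F5 workaround comment and the `for cipher_list in [...]` loop that comment explains, so the comment now appears to describe the cipher-list selection instead; move the F5 comment down to sit directly above `for cipher_list in [default_cipher_list, "ALL:COMPLEMENTOFALL:-PSK:-SRP"]:` or merge both explanations into one comment block. The one-line comment `# DEFAULT excludes SSLv2 ciphers in OpenSSL 1.0.2` should also say why the second entry is left unchanged, i.e. confirm and note that `ALL:COMPLEMENTOFALL:-PSK:-SRP` still covers the SSLv2 suites on that OpenSSL version, because if it did not the fallback iteration would be a no-op for this `tls_version`. A conditional expression (`default_cipher_list = "SSLv2" if tls_version == TlsVersionEnum.SSL_2_0 else "DEFAULT"`) would express the same selection in one line and keep the loop close to its explanation.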