[Cryptography] SSLv3 in the wild
jsd at av8n.com
Wed Oct 29 15:38:55 EDT 2014

As John Oliver might say:
  SSLv3 -- How is that still a thing?

SSLv3 was deprecated and superseded by TLS1.0 in 1999.

I was disappointed to find large SSLv3-only servers existing
in the wild, 15 years post TLS, and two weeks post-POODLE.
I was expecting a few small clients, but I'm not sure I was
expecting large servers.

Here is an example that you may find useful, as a test-target
or perhaps a talking point. Canadian tax dollars at work:

Note that there is no "http" access to the navcanada site.
This is relevant because it removes a possible workaround,
and violates the dictum that says if you can't encrypt
properly you shouldn't encrypt at all.

The overall situation is a pain in the neck because it means
I can't just eradicate all traces of SSLv3 and forget about it.

> Secure Connection Failed
> An error occurred during a connection to flightplanning.navcanada.ca.
> Cannot communicate securely with peer: no common encryption
> algorithm(s). (Error code: ssl_error_no_cypher_overlap)

Nmap seems to have an overoptimistic notion of "strong":

  nmap --script ssl-enum-ciphers -p 443 flightplanning.navcanada.ca

> Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-29 12:07 MST
> Nmap scan report for flightplanning.navcanada.ca (184.108.40.206)
> Host is up (0.076s latency).
> rDNS record for 220.127.116.11: www.metcambeta.navcanada.ca
> PORT STATE SERVICE
> 443/tcp open https
> | ssl-enum-ciphers:
> | SSLv3:
> | ciphers:
> | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
> | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
> | TLS_RSA_WITH_AES_128_CBC_SHA - strong
> | TLS_RSA_WITH_AES_256_CBC_SHA - strong
> | compressors:
> | NULL
> |_ least strength: strong
> Nmap done: 1 IP address (1 host up) scanned in 2.82 seconds
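
The gap between nmap's per-suite "strong" label and the protocol-level problem the post describes can be checked mechanically. The following Python is an added example, not part of the original post or of Nmap; it re-reads ssl-enum-ciphers output in the format quoted above, and the names parse and audit and the finding strings are assumptions made for illustration.

```python
import re

# Scan output as quoted in the post (mail-quote "> " prefixes kept, header lines omitted).
SAMPLE = """\
> | ssl-enum-ciphers:
> | SSLv3:
> | ciphers:
> | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
> | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
> | TLS_RSA_WITH_AES_128_CBC_SHA - strong
> | TLS_RSA_WITH_AES_256_CBC_SHA - strong
> | compressors:
> | NULL
> |_ least strength: strong
"""

PROTO = re.compile(r"^(SSLv\d|TLSv\d(?:\.\d)?):$")   # e.g. "SSLv3:" or "TLSv1.2:"
SUITE = re.compile(r"^((?:TLS|SSL)_\w+) - (\w+)$")   # "<suite name> - <nmap grade>"

def parse(text):
    """Return {protocol: [(suite, nmap_grade), ...]} from ssl-enum-ciphers output."""
    protos, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^[>|_\s]+", "", raw).strip()  # drop mail quoting and tree art
        if m := PROTO.match(line):
            current = protos.setdefault(m.group(1), [])
        elif (m := SUITE.match(line)) and current is not None:
            current.append((m.group(1), m.group(2)))
    return protos

def audit(text):
    """Flag protocol-level problems that the per-suite 'strong' label hides."""
    protos, findings = parse(text), []
    if protos and not any(p.startswith("TLSv") for p in protos):
        findings.append("no TLS version offered")
    sslv3 = protos.get("SSLv3", [])
    cbc = [s for s, _ in sslv3 if "_CBC_" in s]
    if cbc:  # POODLE targets CBC-mode suites negotiated under SSLv3
        findings.append(f"{len(cbc)} CBC suites over SSLv3 (POODLE applies)")
    strong = [s for s, g in sslv3 if g == "strong"]
    if strong:
        findings.append(f"{len(strong)} SSLv3 suites graded 'strong' by nmap")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```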