Incorrect tlsVersions in output #45

Open
stayallive opened this issue Apr 1, 2022 · 7 comments

@stayallive

Hi there,

Unless I'm misinterpreting something, the tlsVersions key seems to be incorrect.

./bin/tls-scan-1.4.8-darwin -c twitter.com --cacert cacert.pem --version-enum
{
    "host": "twitter.com",
    "ip": "104.244.42.193",
    "port": 443,
    "elapsedTime": 221,
    "tlsVersion": "TLSv1.2",
    "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD",
    "tempPublicKeyAlg": "ECDH prime256v1",
    "tempPublicKeySize": 256,
    "secureRenego": true,
    "compression": "NONE",
    "expansion": "NONE",
    "sessionLifetimeHint": 7200,
    "tlsVersions": [
        "TLSv1_3"
    ],
    "x509ChainDepth": 2,
    "verifyCertResult": true,
    "verifyHostResult": true,
    "ocspStapled": false,
    "certificateChain": [
        {
            "version": 3,
            "subject": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
            "issuer": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
            "subjectCN": "twitter.com",
            "subjectAltName": "DNS:twitter.com, DNS:www.twitter.com",
            "signatureAlg": "ecdsa-with-SHA384",
            "notBefore": "Mar  7 00:00:00 2022 GMT",
            "notAfter": "Mar  6 23:59:59 2023 GMT",
            "expired": false,
            "serialNo": "02:93:C3:98:C2:CF:4A:67:BE:83:B5:37:54:DA:93:79",
            "keyUsage": "Digital Signature critical",
            "extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
            "publicKeyAlg": "ECC prime256v1",
            "publicKeySize": 256,
            "basicConstraints": "CA:FALSE",
            "subjectKeyIdentifier": "23:2E:02:96:1A:49:3A:2E:52:84:60:D0:D3:C0:72:0A:8F:53:34:28",
            "sha1Fingerprint": "37:63:F4:77:39:1F:19:EF:D1:63:ED:67:74:1B:92:83:0F:9E:D4:93"
        },
        {
            "version": 3,
            "subject": "CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1; O=DigiCert Inc; C=US",
            "issuer": "CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1; O=DigiCert Inc; C=US",
            "subjectCN": "DigiCert TLS Hybrid ECC SHA384 2020 CA1",
            "signatureAlg": "sha384WithRSAEncryption",
            "notBefore": "Apr 14 00:00:00 2021 GMT",
            "notAfter": "Apr 13 23:59:59 2031 GMT",
            "expired": false,
            "serialNo": "07:F2:F3:5C:87:A8:77:AF:7A:EF:E9:47:99:35:25:BD",
            "keyUsage": "Digital Signature, Certificate Sign, CRL Sign critical",
            "extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
            "publicKeyAlg": "ECC secp384r1",
            "publicKeySize": 384,
            "basicConstraints": "CA:TRUE, pathlen:0 critical",
            "subjectKeyIdentifier": "0A:BC:08:29:17:8C:A5:39:6D:7A:0E:CE:33:C7:2E:B3:ED:FB:C3:7A",
            "sha1Fingerprint": "AE:C1:3C:DD:5E:A6:A3:99:8A:EC:14:AC:33:1A:D9:6B:ED:BB:77:0F"
        }
    ]
}

tlsVersions only lists TLSv1_3 even though tlsVersion states 1.2 which Twitter also supports. So it's either missing TLSv1_2 from the list or I'm missing something obvious why it shouldn't be there :)

@prbinu
Owner

prbinu commented Apr 1, 2022

Yes, ideally both should appear in the tlsVersions field. I guess the code fails to add the default (initial) handshake tlsVersion to the tlsVersions array. I will look into it.

Thanks!

@prbinu
Owner

prbinu commented Jun 5, 2022

@stayallive, I was trying to replicate the reported issue, but I believe I'm getting the correct output. Please let me know if I missed anything.

$ ~/tls-scan/tls-scan -v
tls-scan 1.4.8 Darwin 2022-01-09
Built with OpenSSL-100020b0 GnuTLS-3060a

$ ~/tls-scan/tls-scan  -c twitter.com --cacert ~/tls-scan/ca-bundle.crt --version-enum --pretty
{
  "host": "twitter.com",
  "ip": "104.244.42.65",
  "port": 443,
  "elapsedTime": 280,
  "tlsVersion": "TLSv1.2",
  "cipher": "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD",
  "tempPublicKeyAlg": "ECDH prime256v1",
  "tempPublicKeySize": 256,
  "secureRenego": true,
  "compression": "NONE",
  "expansion": "NONE",
  "sessionLifetimeHint": 7200,
  "tlsVersions": [
    "TLSv1_2",
    "TLSv1_3"
  ],
  "x509ChainDepth": 2,
  "verifyCertResult": true,
  "verifyHostResult": true,
  "ocspStapled": false,
  "certificateChain": [
  {
    "version": 3,
    "subject": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
    "issuer": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
    "subjectCN": "twitter.com",
    "subjectAltName": "DNS:twitter.com, DNS:www.twitter.com",
    "signatureAlg": "sha256WithRSAEncryption",
    "notBefore": "Dec 13 00:00:00 2021 GMT",
    "notAfter": "Dec 12 23:59:59 2022 GMT",
    "expired": false,
    "serialNo": "0D:E1:52:69:6B:2F:96:70:D6:C7:DB:18:CE:1C:71:A0",
    "keyUsage": "Digital Signature, Key Encipherment critical",
    "extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
    "publicKeyAlg": "RSA",
    "publicKeySize": 2048,
    "basicConstraints": "CA:FALSE critical",
    "subjectKeyIdentifier": "1B:D7:11:7F:CC:4B:27:B8:12:60:82:C8:6B:34:F4:70:92:22:AD:3E",
    "sha1Fingerprint": "DA:26:F7:2E:AC:AC:75:CC:EE:79:41:40:44:10:20:84:86:97:AE:B0"
  },  {
    "version": 3,
    "subject": "CN=DigiCert TLS RSA SHA256 2020 CA1; O=DigiCert Inc; C=US",
    "issuer": "CN=DigiCert TLS RSA SHA256 2020 CA1; O=DigiCert Inc; C=US",
    "subjectCN": "DigiCert TLS RSA SHA256 2020 CA1",
    "signatureAlg": "sha256WithRSAEncryption",
    "notBefore": "Apr 14 00:00:00 2021 GMT",
    "notAfter": "Apr 13 23:59:59 2031 GMT",
    "expired": false,
    "serialNo": "06:D8:D9:04:D5:58:43:46:F6:8A:2F:A7:54:22:7E:C4",
    "keyUsage": "Digital Signature, Certificate Sign, CRL Sign critical",
    "extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
    "publicKeyAlg": "RSA",
    "publicKeySize": 2048,
    "basicConstraints": "CA:TRUE, pathlen:0 critical",
    "subjectKeyIdentifier": "B7:6B:A2:EA:A8:AA:84:8C:79:EA:B4:DA:0F:98:B2:C5:95:76:B9:F4",
    "sha1Fingerprint": "1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD"
  } ]
}

@stayallive
Author

The only thing I can think of at this moment is that I'm using an M1 MacBook.

Just ran it again but same result:

 ❯ ./bin/tls-scan-1.4.8-darwin -v
tls-scan 1.4.8 Darwin 2022-01-09
Built with OpenSSL-100020b0 GnuTLS-3060a

 ❯ ./bin/tls-scan-1.4.8-darwin -c twitter.com --cacert cacert.pem --version-enum --pretty
{
  "host": "twitter.com",
  "ip": "104.244.42.65",
  "port": 443,
  "elapsedTime": 195,
  "tlsVersion": "TLSv1.2",
  "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD",
  "tempPublicKeyAlg": "ECDH prime256v1",
  "tempPublicKeySize": 256,
  "secureRenego": true,
  "compression": "NONE",
  "expansion": "NONE",
  "sessionLifetimeHint": 7200,
  "tlsVersions": [
    "TLSv1_3"
  ],
  "x509ChainDepth": 2,
  "verifyCertResult": true,
  "verifyHostResult": true,
  "ocspStapled": false,
  "certificateChain": [
  {
    "version": 3,
    "subject": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
    "issuer": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
    "subjectCN": "twitter.com",
    "subjectAltName": "DNS:twitter.com, DNS:www.twitter.com",
    "signatureAlg": "ecdsa-with-SHA384",
    "notBefore": "Mar  7 00:00:00 2022 GMT",
    "notAfter": "Mar  6 23:59:59 2023 GMT",
    "expired": false,
    "serialNo": "02:93:C3:98:C2:CF:4A:67:BE:83:B5:37:54:DA:93:79",
    "keyUsage": "Digital Signature critical",
    "extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
    "publicKeyAlg": "ECC prime256v1",
    "publicKeySize": 256,
    "basicConstraints": "CA:FALSE",
    "subjectKeyIdentifier": "23:2E:02:96:1A:49:3A:2E:52:84:60:D0:D3:C0:72:0A:8F:53:34:28",
    "sha1Fingerprint": "37:63:F4:77:39:1F:19:EF:D1:63:ED:67:74:1B:92:83:0F:9E:D4:93"
  },  {
    "version": 3,
    "subject": "CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1; O=DigiCert Inc; C=US",
    "issuer": "CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1; O=DigiCert Inc; C=US",
    "subjectCN": "DigiCert TLS Hybrid ECC SHA384 2020 CA1",
    "signatureAlg": "sha384WithRSAEncryption",
    "notBefore": "Apr 14 00:00:00 2021 GMT",
    "notAfter": "Apr 13 23:59:59 2031 GMT",
    "expired": false,
    "serialNo": "07:F2:F3:5C:87:A8:77:AF:7A:EF:E9:47:99:35:25:BD",
    "keyUsage": "Digital Signature, Certificate Sign, CRL Sign critical",
    "extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
    "publicKeyAlg": "ECC secp384r1",
    "publicKeySize": 384,
    "basicConstraints": "CA:TRUE, pathlen:0 critical",
    "subjectKeyIdentifier": "0A:BC:08:29:17:8C:A5:39:6D:7A:0E:CE:33:C7:2E:B3:ED:FB:C3:7A",
    "sha1Fingerprint": "AE:C1:3C:DD:5E:A6:A3:99:8A:EC:14:AC:33:1A:D9:6B:ED:BB:77:0F"
  } ]
}

<|---------Scan Summary---------|>
 [79456] ciphers             :  (0)
 [79456] host-count          : 1
 [79456] network-error       : 5
 [79456] dns-errcount        : 0
 [79456] remote-close-error  : 0
 [79456] unknown-error       : 0
 [79456] timeout-error       : 0
 [79456] connect-error       : 0
 [79456] tls-handshake       : 1
 [79456] gross-tls-handshake : 2
 [79456] elapsed-time        : 0.312536 secs
<|------------------------------|>

But I also ran it on my Linux server and I got this:

# ./bin/tls-scan-1.4.8-linux -v
tls-scan 1.4.8 Linux 2022-01-09
Built with OpenSSL-100020b0 GnuTLS-3060a

# ./bin/tls-scan-1.4.8-linux -c twitter.com --cacert cacert.pem --version-enum --pretty
{
  "host": "twitter.com",
  "ip": "104.244.42.129",
  "port": 443,
  "elapsedTime": 299,
  "tlsVersion": "TLSv1.2",
  "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD",
  "tempPublicKeyAlg": "ECDH prime256v1",
  "tempPublicKeySize": 256,
  "secureRenego": true,
  "compression": "NONE",
  "expansion": "NONE",
  "sessionLifetimeHint": 7200,
  "tlsVersions": [
    "TLSv1_3"
  ],
  "x509ChainDepth": 2,
  "verifyCertResult": true,
  "verifyHostResult": true,
  "ocspStapled": false,
  "certificateChain": [
  {
    "version": 3,
    "subject": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
    "issuer": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
    "subjectCN": "twitter.com",
    "subjectAltName": "DNS:twitter.com, DNS:www.twitter.com",
    "signatureAlg": "ecdsa-with-SHA384",
    "notBefore": "Mar  7 00:00:00 2022 GMT",
    "notAfter": "Mar  6 23:59:59 2023 GMT",
    "expired": false,
    "serialNo": "02:93:C3:98:C2:CF:4A:67:BE:83:B5:37:54:DA:93:79",
    "keyUsage": "Digital Signature critical",
    "extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
    "publicKeyAlg": "ECC prime256v1",
    "publicKeySize": 256,
    "basicConstraints": "CA:FALSE",
    "subjectKeyIdentifier": "23:2E:02:96:1A:49:3A:2E:52:84:60:D0:D3:C0:72:0A:8F:53:34:28",
    "sha1Fingerprint": "37:63:F4:77:39:1F:19:EF:D1:63:ED:67:74:1B:92:83:0F:9E:D4:93"
  },  {
    "version": 3,
    "subject": "CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1; O=DigiCert Inc; C=US",
    "issuer": "CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1; O=DigiCert Inc; C=US",
    "subjectCN": "DigiCert TLS Hybrid ECC SHA384 2020 CA1",
    "signatureAlg": "sha384WithRSAEncryption",
    "notBefore": "Apr 14 00:00:00 2021 GMT",
    "notAfter": "Apr 13 23:59:59 2031 GMT",
    "expired": false,
    "serialNo": "07:F2:F3:5C:87:A8:77:AF:7A:EF:E9:47:99:35:25:BD",
    "keyUsage": "Digital Signature, Certificate Sign, CRL Sign critical",
    "extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
    "publicKeyAlg": "ECC secp384r1",
    "publicKeySize": 384,
    "basicConstraints": "CA:TRUE, pathlen:0 critical",
    "subjectKeyIdentifier": "0A:BC:08:29:17:8C:A5:39:6D:7A:0E:CE:33:C7:2E:B3:ED:FB:C3:7A",
    "sha1Fingerprint": "AE:C1:3C:DD:5E:A6:A3:99:8A:EC:14:AC:33:1A:D9:6B:ED:BB:77:0F"
  } ]
}

<|---------Scan Summary---------|>
 [1144351] ciphers             :  (0)
 [1144351] host-count          : 1
 [1144351] network-error       : 5
 [1144351] dns-errcount        : 0
 [1144351] remote-close-error  : 0
 [1144351] unknown-error       : 0
 [1144351] timeout-error       : 0
 [1144351] connect-error       : 0
 [1144351] tls-handshake       : 1
 [1144351] gross-tls-handshake : 2
 [1144351] elapsed-time        : 0.313236 secs
<|------------------------------|>

Version numbers match, so it shouldn't have anything to do with the OpenSSL libraries available on the host machine, right? I used the latest CA bundle from here but I doubt that matters.

Any other clue? :D

@prbinu
Owner

prbinu commented Jun 22, 2022

All dependencies are statically linked, so it could be something else :( .

@thorgrin

I just ran into the same problem.

git clone https://github.com/prbinu/tls-scan.git
cd tls-scan
docker build -t tls-scan .
docker run --rm tls-scan --connect=twitter.com:443 --version-enum  --pretty
{
  "host": "twitter.com",
  "ip": "104.244.42.1",
  "port": 443,
  "elapsedTime": 211,
  "tlsVersion": "TLSv1.2",
  "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD",
  "tempPublicKeyAlg": "ECDH prime256v1",
  "tempPublicKeySize": 256,
  "secureRenego": true,
  "compression": "NONE",
  "expansion": "NONE",
  "sessionLifetimeHint": 7200,
  "tlsVersions": [
    "TLSv1_3"
  ],

@prbinu
Owner

prbinu commented Apr 12, 2023

I still could not reproduce this issue :(

$ git clone https://github.com/prbinu/tls-scan.git
Cloning into 'tls-scan'...

$ cd tls-scan/
$ docker build -t tls-scan .
[+] Building 543.2s (14/14) FINISHED
...
 => => writing image sha256:20d0db0adb4ce168cdff78e402d80a72747c4a189013600590a74bee0ebfa893  0.0s
 => => naming to docker.io/library/tls-scan  0.0s

$ docker run --rm tls-scan --connect=twitter.com:443 --version-enum  --pretty
{
  "host": "twitter.com",
  "ip": "104.244.42.65",
  "port": 443,
  "elapsedTime": 418,
  "tlsVersion": "TLSv1.2",
  "cipher": "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD",
  "tempPublicKeyAlg": "ECDH prime256v1",
  "tempPublicKeySize": 256,
  "secureRenego": true,
  "compression": "NONE",
  "expansion": "NONE",
  "sessionLifetimeHint": 7200,
  "tlsVersions": [
    "TLSv1_2",
    "TLSv1_3"
  ],
  "x509ChainDepth": 2,
  "verifyCertResult": true,
  "verifyHostResult": true,
  "ocspStapled": false,
  "certificateChain": [
  {
    "version": 3,
    "subject": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
    "issuer": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
    "subjectCN": "twitter.com",
    "subjectAltName": "DNS:twitter.com, DNS:www.twitter.com",
    "signatureAlg": "sha256WithRSAEncryption",
    "notBefore": "Dec 11 00:00:00 2022 GMT",
    "notAfter": "Dec 11 23:59:59 2023 GMT",
    "expired": false,
    "serialNo": "0A:2C:01:B8:2B:5D:47:73:9A:5A:01:1A:6F:DC:1A:20",
    "keyUsage": "Digital Signature, Key Encipherment critical",
    "extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
    "publicKeyAlg": "RSA",
    "publicKeySize": 2048,
    "basicConstraints": "CA:FALSE",
    "subjectKeyIdentifier": "C7:5F:C7:8F:F5:AE:79:1A:DB:1F:D0:A4:4B:0B:A5:DE:CE:2C:E3:C2",
    "sha1Fingerprint": "70:53:29:61:4B:71:42:24:19:CE:6F:DE:AB:6F:A5:74:47:E0:D0:84"
  },  {
    "version": 3,
    "subject": "CN=DigiCert TLS RSA SHA256 2020 CA1; O=DigiCert Inc; C=US",
    "issuer": "CN=DigiCert TLS RSA SHA256 2020 CA1; O=DigiCert Inc; C=US",
    "subjectCN": "DigiCert TLS RSA SHA256 2020 CA1",
    "signatureAlg": "sha256WithRSAEncryption",
    "notBefore": "Apr 14 00:00:00 2021 GMT",
    "notAfter": "Apr 13 23:59:59 2031 GMT",
    "expired": false,
    "serialNo": "06:D8:D9:04:D5:58:43:46:F6:8A:2F:A7:54:22:7E:C4",
    "keyUsage": "Digital Signature, Certificate Sign, CRL Sign critical",
    "extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
    "publicKeyAlg": "RSA",
    "publicKeySize": 2048,
    "basicConstraints": "CA:TRUE, pathlen:0 critical",
    "subjectKeyIdentifier": "B7:6B:A2:EA:A8:AA:84:8C:79:EA:B4:DA:0F:98:B2:C5:95:76:B9:F4",
    "sha1Fingerprint": "1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD"
  } ]
}

<|---------Scan Summary---------|>
 [1] ciphers             :  (0)
 [1] host-count          : 1
 [1] network-error       : 4
 [1] dns-errcount        : 0
 [1] remote-close-error  : 0
 [1] unknown-error       : 0
 [1] timeout-error       : 0
 [1] connect-error       : 0
 [1] tls-handshake       : 1
 [1] gross-tls-handshake : 3
 [1] elapsed-time        : 0.432258 secs
<|------------------------------|>

@stayallive
Author

I am starting to think this is a geo-dependent bug maybe... since I can still reproduce it and @thorgrin is in my timezone (UTC+2), so if you @prbinu are in another timezone maybe you are hitting another Twitter datacenter or something which might behave differently.
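
For anyone consuming tls-scan JSON in a pipeline, a consistency check for the mismatch reported in this thread, as an added example (it is not part of the thread or of tls-scan itself). The function names `normalize`, `reconcile` and `summary_counters` are hypothetical, and the sample inputs are trimmed from the output posted above.

```python
import json
import re

# Constructed samples: only the fields relevant to this issue, trimmed from
# the output posted in the thread (certificate chain omitted).
SAMPLE_AFFECTED = '''{
  "host": "twitter.com", "port": 443,
  "tlsVersion": "TLSv1.2",
  "tlsVersions": ["TLSv1_3"]
}'''
SAMPLE_EXPECTED = '''{
  "host": "twitter.com", "port": 443,
  "tlsVersion": "TLSv1.2",
  "tlsVersions": ["TLSv1_2", "TLSv1_3"]
}'''
SAMPLE_SUMMARY = """<|---------Scan Summary---------|>
 [79456] network-error       : 5
 [79456] tls-handshake       : 1
 [79456] gross-tls-handshake : 2
<|------------------------------|>"""


def normalize(version):
    """Map 'TLSv1.2' (tlsVersion style) to 'TLSv1_2' (tlsVersions style)."""
    return version.strip().replace(".", "_")


def reconcile(record):
    """Return (versions, missing): the union of both fields, plus the
    negotiated version if the enumerated list failed to include it."""
    enumerated = {normalize(v) for v in record.get("tlsVersions", [])}
    negotiated = record.get("tlsVersion")
    missing = []
    if negotiated and normalize(negotiated) not in enumerated:
        missing.append(normalize(negotiated))
    return sorted(enumerated | set(missing)), missing


def summary_counters(text):
    """Parse ' [pid] name : value' integer lines of the scan summary."""
    counters = {}
    for m in re.finditer(r"^\s*\[\d+\]\s+([\w-]+)\s*:\s*(\d+)\s*$", text, re.M):
        counters[m.group(1)] = int(m.group(2))
    return counters


if __name__ == "__main__":
    for raw in (SAMPLE_AFFECTED, SAMPLE_EXPECTED):
        versions, missing = reconcile(json.loads(raw))
        print(versions, "inconsistent" if missing else "consistent")
    print(summary_counters(SAMPLE_SUMMARY))
```

Treating the union as the supported set keeps a TLS 1.2 endpoint from being recorded as TLS 1.3-only, and the parsed counters make it easy to diff `gross-tls-handshake` between an affected and an unaffected run.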
