Disabled SSLv3 in registry but scans still say vulnerable - sslv3

Windows server 2016 Standard.
Recently we've been getting hit by brute force attempt using POODLE. I did a little research and found we should disable SSLv3. However, when I go into:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
...and look at my SSL 3.0 key, I already have both Client and Server folders in there and both have the same two DWORDs: DisabledByDefault (1), and Enabled (0). I must have already done this in the past at one point: https://www.digicert.com/kb/ssl-support/iis-disabling-ssl-v3.htm
If I scan our site using online scanners:
https://www.poodlescan.com POODLE results: SSLv3 enabled
https://www.site24x7.com/ POODLE results: Error occurred while validating SSL3 Poodlebleed Vulnerability for domain
https://ssl-tools.net/ POODLE results: all show TLSv1.2 with SSLv3 crossed out (strikethrough'd)
So. Three different checkers with three different results. Hmmm.
What more do I need to do to disable SSLv3 and stop this POODLE brute force attempt? This flood of traffic, when it happens, is causing our site to report 503 Service Unavailable every few minutes.

Related

ERR_SSL_PROTOCOL_ERROR only for some users (nodejs, express)

Only some (not all) users are receiving ERR_SSL_PROTOCOL_ERROR in Chrome when attempting to visit my express site. I am not receiving this error, so it is proving a pain to debug.
I am creating a https server using a PFX file I downloaded from my provider (1&1):
var options = {
pfx: fs.readFileSync('./mysite_private_key.pfx'),
passphrase: 'MYPASSPHRASE',
};
https.createServer(options, app).listen(443);
https://whatsmychaincert.com tells me that the chain is correct but complains about the handshake:
[mysite] has the correct chain.
[mysite]: TLS handshake error:
error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
internal error SSL Labs might be able to tell you what went wrong
I've googled this with no success, does anyone know what the problem could be? Ty.
In the end I ditched 1&1 and used GoDaddy's CA service and the problem went away.
A possible source of failed handshake could be the lack of an intermediate certificate, ca option of tls.createSecureContext. It should by public on your provider's website.
Hope this helps.
nowadays , when our server (e.g. 1&1) is securely configured , only tls v1.2 and tls v1.3 are supported ..
so how you debug this:
scan your site with SSL Labs Test too see which ciphers are supported , or alternately see in our nginx/apache config
tail -f the server logs , especially the catchall/other_vhosts log files,since ssl protocol errors might be in the site logs and the generic catchall log when the server cannot decide on the name
try to update the users chrome to support at least tls 1.2
chrome has the some command line switches to change its cipher behaviour:
--ssl-version-max Specifies the maximum SSL/TLS version ("tls1.2" or "tls1.3"). ↪
--ssl-version-min Specifies the minimum SSL/TLS version ("tls1", "tls1.1", "tls1.2", or "tls1.3"). ↪
DANGER ZONE:
as last resort you could try to accept legacy ciphers in your nginx-config ( ssl_ciphers directive) like socat OR (very last resort) socat23 to check which version your clients support,
remember to disable everything below tls v1.2 in production environment

Difference between OpenSSL TLS/SSL versions

I am currently implementing OpenSSL's TLS/SSL standards into my mail service, allowing my users to select the TLS/SSL version they want. Here is the list of versions:
["TLSv1","TLSv1_server","TLSv1_client","SSLv3","SSLv3_server","SSLv3_client","SSLv23","SSLv23_server","SSLv23_client","TLS","TLSv1_1_server","TLSv1_1_client","TLSv1_1","TLSv1_2","TLSv1_2_server","TLSv1_2_client"]
I did some Googling on what the difference of the options are, and I understand that some versions are deprecated, or shouldn't be used because of security issues, such as TLSv1. I don't understand the difference between the client vs server ones, but from my own testing, the server options return errors when trying to send a mail with it.
So my question is - of that list, what should I remove?
What you show are not SSL/TLS versions but various types of SSL contexts which also include the usable SSL/TLS versions. This means the *_server "versions" are all SSL contexts which should be used on the server side where you usually also need a certificate. The *_client variants are for the client side of the TLS handshake, i.e. the one which initiates the TLS handshake.
Within a mail client you don't want to use any server specific SSL contexts because with these the mail client would expect the peer to start with the TLS handshake which it does not.
For more details see the man page of SSL_CTX_new which has a detailed description of what all these different contexts mean.
... allowing my users to select the TLS/SSL version they want.
While your specific implementation is wrong the idea of letting users chose the protocol version is wrong too. Instead you should just use a generic context without limitations (apart from disabling insecure versions) so that it automatically picks the best protocol version during the TLS exchange. Selecting specific protocol versions should only be done in case the peers TLS stack is broken, like for stacks which simply refuse a TLS 1.2 handshake instead of replying with TLS 1.0 in case they don't support TLS 1.2.

Enabling TLS 1.0? Cannot communicate securely with peer: no connection encryption algorithms

For over a year I have been running a photo based website that allows customers to order prints, which are subsequently fulfilled by a printing company. Orders are posted in XML format to a designated URL. Recently it has come to my attention that the orders are not being post and I have found the following error when examining the server logs:
[Mon Dec 01 21:17:38 2014] [error] [client XXX] cURL error: [35] Cannot communicate securely with peer: no common encryption algorithm(s).
The tech team for the printing company was able to provide me with some direction, but I remain confused. Initially they informed me that the server currently supports SSLv2, SSLv3 and TLS 1.0 only, and that it was likely that we only have TLS 1.2 enabled on our end. They claimed that nothing was changed on their end, and I personally know that nothing has been modified on ours for months.
When I originally encountered the problem I attempted to update the server packages, but this failed to resolve the problem. Later I thought that perhaps the issue revolved around the security groups for the Amazon EC2 instance, but I am not entirely sure. How would I go about enabling TLS 1.0, assuming it is not already enabled? How would I check what transport layer securities and secure socket layers are currently enabled? Any other suggestions?
If you can route the traffic through an HTTP proxy, you can install Fiddler and see what is in the TLS negotiation info:
By default on most systems libcurl already speaks TLS 1.0 fine if that's what the server wants.
I rather suspect your problem is that the server insists on using a cipher for this URL that libcurl won't agree to. More specifically, I would suspect it is an RC4-using cipher and RC4 is deemed insecure and is disabled by default by libcurl.

Identify what cipher strength HTTPS apache connections are using

How can I identify the cipher strength of an active https connection to a linux redhat apache webserver. I want to harden my web server by removing lower strength ciphers and would like to check if clients are even using them.
EDIT
My goal is to avoid negative impact of removal of a lower security cipher that a client relies on. Worst case scenario there is a stupid non browser (or old browser) app that is using an old insecure cipher, when I disallow the use of this cipher his/her app could break. I'm trying to proactively identify if there are any apps/browsers using any of the ciphers I'm going to disable.
You can identify unsuccessful handshakes by enabling the appropriate level of logging on mod_ssl. See the Custom Log Formats section on http://httpd.apache.org/docs/2.2/mod/mod_ssl.html, notably
CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
This should enable you to make a list of ciphers requested by clients and configure Apache accordingly.
Your question and your goal aren't necessarily related. Each active connection may use a difference cipher based on the combination of: (a) the capabilities on the server (b) the capabilities of the client (c) cipher preference of the server and client. Looking at any individual connection will not tell you if your SSL configuration is optimal.
If your goal is to harden your SSL configuration, I suggest you use
the SSL Server Test from SSL labs. It grades your server configuration based on known SSL vulnerabilities and best practices.
The last time I updated my SSL configuration I used the configuration tips from this blog post. Note that understanding of SSL vulnerabilities is constantly changing so I suggest you rerun the test every once in a while to ensure your configuration is the best that is currently known.

Why is the handshake protocol sslv3 when the client hello is sslv2

We've been having issues getting a successful SSL connection from a client app trying to connect using wininet on windows xp sp3 (ie v6). The client hello looks off to me, why would the hello state its version as SSL 2.0 and then state the handshake version as SSL 3.0? Is there something coded incorrectly from the app using wininet?
SSLv2 Record Layer: Client Hello
[Version: SSL 2.0 (0x0002)] <---------------------
Length: 76
Handshake Message Type: Client Hello (1)
Version: SSL 3.0 (0x0300) <---------------------
Cipher Spec Length: 51
Session ID Length: 0
Challenge Length: 16
Cipher Specs (17 specs)
Challenge
SSLv3 and TLSv1.x have a compatibility mode in case the client also supports v2 servers, as described in the TLS specification (Backward Compatibility With SSL).
Some clients support this. For example Oracle/Sun Java has an SSLv2Hello pseudo-protocol, which uses SSLv2 Hello, but doesn't actually support SSLv2.
I know this issue is solved but I will share some more info about the subject which may be useful for viewers
"The client sends a SSLv2 ClientHello so that a server who understands only SSLv2 can process that message, and continue with a SSLv2 handshake. But the SSLv2 ClientHello also says "by the way, I know SSLv3, so if you know SSLv3 too, let's do SSLv3 instead of SSLv2", which is what usually happens (servers who know only of SSLv2 are extremely rare nowadays)."
I took it from Thomas Pornin's comment, link
https://security.stackexchange.com/questions/34827/why-clients-offer-handshaking-with-ssl-2-0-protocol

Resources