mozilla/cipherscan

not working for me

4devwithgit opened this issue · 18 comments

I ran it to scan my FTP server adapter running on port 31332, but all I get is:

./cipherscan dublr010vm.dub.usoh.ibm.com:31332
..
Target: dublr010vm.dub.usoh.ibm.com:31332

Certificate: untrusted, bits, signature
TLS ticket lifetime hint:
NPN protocols:
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: none - fallback: no
Renegotiation test error
Supported compression methods test error

TLS Tolerance: no
Fallbacks required:
big-SSLv3 config not supported, connection failed
big-TLSv1.0 config not supported, connection failed
big-TLSv1.1 config not supported, connection failed
big-TLSv1.2 config not supported, connection failed
small-SSLv3 config not supported, connection failed
small-TLSv1.0 config not supported, connection failed
small-TLSv1.1 config not supported, connection failed
small-TLSv1.2 config not supported, connection failed
v2-big-TLSv1.2 config not supported, connection failed
v2-small-SSLv3 config not supported, connection failed
v2-small-TLSv1.0 config not supported, connection failed
v2-small-TLSv1.1 config not supported, connection failed
v2-small-TLSv1.2 config not supported, connection failed
Host does not seem to support SSL or TLS protocol

what happens if you execute ./openssl-darwin64 s_client -connect dublr010vm.dub.usoh.ibm.com:31332 from the same machine in the same directory?

Thanks for reverting. I am getting the below:

/root/cipherscan-master |root@epigone1 |Wed Sep 25 00:45:15
./openssl s_client -connect dublr010vm.dub.usoh.ibm.com:31332
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
CONNECTED(00000003)
139833613383344:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 390 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1569397533
Timeout : 300 (sec)
Verify return code: 0 (ok)

Please also note, the FTP server is configured with a self-signed certificate. Irrespective of that, it should have listed ciphers and TLS protocols; not sure what's missing here.

139833613383344:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:

That suggests that the server does not support TLS at that port; it may require use of -starttls ftp for the TLS connection to be successful.
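What `-starttls ftp` does before the TLS handshake, as an added example for this thread (it is not cipherscan's or OpenSSL's code): the client must first speak plain FTP on the port, read the 220 greeting, send `AUTH TLS`, and only after a 234 reply put a ClientHello on the wire. Sending TLS first, as the initial `s_client` run did, gets FTP banner bytes back instead of a ServerHello, which is the "unknown protocol" error above. The host and port below are placeholders, the in-memory server replies are constructed (modelled on the banner quoted later in the thread), and certificate verification is deliberately off because this is a probe, not a client.

```python
"""Explicit FTP-over-TLS (FTPES) upgrade: the AUTH TLS exchange that
openssl s_client -starttls ftp / cipherscan -starttls ftp perform before
the TLS handshake.

Added example for this thread, not cipherscan's or OpenSSL's own code.
Host/port are placeholders; the fake server replies are constructed.
"""
import io
import socket
import ssl
from typing import BinaryIO, Tuple


class FtpReplyError(RuntimeError):
    """Raised when the peer does not behave like an FTP server agreeing to TLS."""


def read_reply(rfile: BinaryIO) -> Tuple[int, str]:
    """Read one FTP reply (RFC 959 section 4.2), including multi-line replies.

    A multi-line reply starts with "NNN-" and ends with a line "NNN " that
    repeats the same code; every intervening line belongs to the reply.
    Returns (code, full reply text).
    """
    first = rfile.readline()
    if not first:
        raise FtpReplyError("connection closed before an FTP reply arrived")
    line = first.decode("latin-1").rstrip("\r\n")
    if len(line) < 3 or not line[:3].isdigit():
        # Something other than FTP is listening on this port.
        raise FtpReplyError(f"not an FTP reply: {line!r}")
    code = int(line[:3])
    lines = [line]
    if len(line) > 3 and line[3] == "-":
        terminator = f"{code:03d} "
        while True:
            nxt = rfile.readline()
            if not nxt:
                raise FtpReplyError("connection closed inside a multi-line reply")
            text = nxt.decode("latin-1").rstrip("\r\n")
            lines.append(text)
            if text.startswith(terminator):
                break
    return code, "\n".join(lines)


def negotiate_auth_tls(rfile: BinaryIO, wfile: BinaryIO) -> str:
    """Consume the greeting, send AUTH TLS and return the greeting on a 234.

    Raises FtpReplyError on any other outcome so the caller never wraps the
    socket in TLS when the server has not agreed to the upgrade.
    """
    code, greeting = read_reply(rfile)
    if code != 220:
        raise FtpReplyError(f"unexpected greeting: {greeting}")
    wfile.write(b"AUTH TLS\r\n")
    wfile.flush()
    code, reply = read_reply(rfile)
    if code != 234:
        # 500/502: AUTH not implemented; 530/534: refused.
        raise FtpReplyError(f"AUTH TLS refused: {reply}")
    return greeting


def ftpes_probe(host: str, port: int, timeout: float = 10.0) -> dict:
    """Connect, upgrade with AUTH TLS and report what the TLS layer negotiated.

    Verification is disabled on purpose: this is a scanner, and the server in
    the thread uses a self-signed certificate (openssl 'Verify return code: 18').
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        rfile = raw.makefile("rb")
        wfile = raw.makefile("wb")
        greeting = negotiate_auth_tls(rfile, wfile)
        rfile.close()
        wfile.close()
        # Only now does the TLS ClientHello go on the wire.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {
                "greeting": greeting,
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "cert_der_len": len(tls.getpeercert(binary_form=True)),
            }


def run_against_fake_server(server_bytes: bytes) -> Tuple[str, bytes]:
    """Drive negotiate_auth_tls over in-memory streams (no network).

    Returns (greeting, bytes the client sent).
    """
    rfile = io.BytesIO(server_bytes)
    wfile = io.BytesIO()
    greeting = negotiate_auth_tls(rfile, wfile)
    return greeting, wfile.getvalue()


if __name__ == "__main__":
    import sys
    # Placeholder usage: python ftpes_probe.py ftp.example.com 31332
    print(ftpes_probe(sys.argv[1], int(sys.argv[2])))
```

`run_against_fake_server` exists so the negotiation logic can be exercised without a server; `ftpes_probe` is the networked version. The multi-line handling matters in practice: FTP daemons often send a multi-line 220 banner, and a client that reads only the first line will send `AUTH TLS` while banner lines are still arriving and mis-parse the answer.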

I am able to connect to the server with the Filezilla client, and it does show SSL details before connection, like TLS 1.2, cipher, certificate, etc. So I am sure it connects.

I didn't say that the server is down, I said that the server doesn't support TLS (a.k.a SSL)

Sure, I got your point. I meant the server is working on a TLS connection through the Filezilla client.

did you try it with -starttls ftp?

any update?

Yeah, I did try with -starttls ftp, but I don't get the expected output; it's below, where it asks for login details:

i:/C=US/O=Sterling/OU=Sterling/CN=ASI

Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/O=Sterling/OU=Sterling/CN=ASI
issuer=/C=US/O=Sterling/OU=Sterling/CN=ASI

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-521, 521 bits

SSL handshake has read 1527 bytes and written 650 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 5D9D83EC7D4C58F8CAB55089927E70DB7B4CFC8B67060248C76D9B183CD80C2D
Session-ID-ctx:
Master-Key: 66FD4CC0ABC29A8811335C1353515365B4B4178149F2A6DCA7E88536F30538AA5114F122C1E421A0BEBC5E6A2D162612
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1570604012
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)

220 GIS FTP Server (java -1.1.00) ready for new user.

With the Filezilla client I get the following connection confirmation with FTPES:

(screenshot: filezilla)

The command was:
./openssl s_client -connect dublr004vm.dub.usoh.ibm.com:31332 -starttls ftp

So it did connect with TLS.

Use ./cipherscan -starttls ftp dublr010vm.dub.usoh.ibm.com:31332
That should give you the expected output.

Thank you so much, it worked:

./cipherscan -starttls ftp dublr004vm.dub.usoh.ibm.com:31332
..................
Target: dublr004vm.dub.usoh.ibm.com:31332

prio ciphersuite protocols pfs curves
1 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-521,521bits secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
2 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None
3 AES256-SHA256 TLSv1.2 None None
4 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 None None
5 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 None None
6 AES256-GCM-SHA384 TLSv1.2 None None

Certificate: untrusted, 2048 bits, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
NPN protocols: None
OCSP stapling: not supported
Cipher ordering: client
Curves ordering: client - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes
Host does not seem to support SSL or TLS protocol

you're welcome

So, now another important question about using this tool.

We are from Syncsort, a partner of IBM, and wanted to know: if we want someone to use this tool against our FTP servers from the product Sterling B2B Integrator, outside the product, then what are the requirements for copyright, etc.?

Thanks

Sorry, but I'm unable to provide you with legal advice; the project's license is in the root directory: LICENSE

ok, thanks