Incorrect `tlsVersions` in output
stayallive opened this issue · 7 comments
stayallive commented
Hi there,
Unless I'm misinterpreting something the tlsVersions key seems to be incorrect.
./bin/tls-scan-1.4.8-darwin -c twitter.com --cacert cacert.pem --version-enum{
"host": "twitter.com",
"ip": "104.244.42.193",
"port": 443,
"elapsedTime": 221,
"tlsVersion": "TLSv1.2",
"cipher": "ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD",
"tempPublicKeyAlg": "ECDH prime256v1",
"tempPublicKeySize": 256,
"secureRenego": true,
"compression": "NONE",
"expansion": "NONE",
"sessionLifetimeHint": 7200,
"tlsVersions": [
"TLSv1_3"
],
"x509ChainDepth": 2,
"verifyCertResult": true,
"verifyHostResult": true,
"ocspStapled": false,
"certificateChain": [
{
"version": 3,
"subject": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
"issuer": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
"subjectCN": "twitter.com",
"subjectAltName": "DNS:twitter.com, DNS:www.twitter.com",
"signatureAlg": "ecdsa-with-SHA384",
"notBefore": "Mar 7 00:00:00 2022 GMT",
"notAfter": "Mar 6 23:59:59 2023 GMT",
"expired": false,
"serialNo": "02:93:C3:98:C2:CF:4A:67:BE:83:B5:37:54:DA:93:79",
"keyUsage": "Digital Signature critical",
"extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
"publicKeyAlg": "ECC prime256v1",
"publicKeySize": 256,
"basicConstraints": "CA:FALSE",
"subjectKeyIdentifier": "23:2E:02:96:1A:49:3A:2E:52:84:60:D0:D3:C0:72:0A:8F:53:34:28",
"sha1Fingerprint": "37:63:F4:77:39:1F:19:EF:D1:63:ED:67:74:1B:92:83:0F:9E:D4:93"
},
{
"version": 3,
"subject": "CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1; O=DigiCert Inc; C=US",
"issuer": "CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1; O=DigiCert Inc; C=US",
"subjectCN": "DigiCert TLS Hybrid ECC SHA384 2020 CA1",
"signatureAlg": "sha384WithRSAEncryption",
"notBefore": "Apr 14 00:00:00 2021 GMT",
"notAfter": "Apr 13 23:59:59 2031 GMT",
"expired": false,
"serialNo": "07:F2:F3:5C:87:A8:77:AF:7A:EF:E9:47:99:35:25:BD",
"keyUsage": "Digital Signature, Certificate Sign, CRL Sign critical",
"extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
"publicKeyAlg": "ECC secp384r1",
"publicKeySize": 384,
"basicConstraints": "CA:TRUE, pathlen:0 critical",
"subjectKeyIdentifier": "0A:BC:08:29:17:8C:A5:39:6D:7A:0E:CE:33:C7:2E:B3:ED:FB:C3:7A",
"sha1Fingerprint": "AE:C1:3C:DD:5E:A6:A3:99:8A:EC:14:AC:33:1A:D9:6B:ED:BB:77:0F"
}
]
}tlsVersions only lists TLSv1_3 even though tlsVersion states 1.2 which Twitter also supports. So it's either missing TLSv1_2 from the list or I'm missing something obvious why it shouldn't be there :)
prbinu commented
Yes, ideally both should appear in tlsVersions field. I guess, the code fails to add the default (initial) handshake tlsVersion to tlsVersions array. I will look into it.
Thanks!
prbinu commented
@stayallive, I was trying to replicate the reported issue, but I believe, I'm getting correct output. Please let me know if i missed out anything.
$ ~/tls-scan/tls-scan -v
tls-scan 1.4.8 Darwin 2022-01-09
Built with OpenSSL-100020b0 GnuTLS-3060a
$ ~/tls-scan/tls-scan -c twitter.com --cacert ~/tls-scan/ca-bundle.crt --version-enum --pretty
{
"host": "twitter.com",
"ip": "104.244.42.65",
"port": 443,
"elapsedTime": 280,
"tlsVersion": "TLSv1.2",
"cipher": "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD",
"tempPublicKeyAlg": "ECDH prime256v1",
"tempPublicKeySize": 256,
"secureRenego": true,
"compression": "NONE",
"expansion": "NONE",
"sessionLifetimeHint": 7200,
"tlsVersions": [
"TLSv1_2",
"TLSv1_3"
],
"x509ChainDepth": 2,
"verifyCertResult": true,
"verifyHostResult": true,
"ocspStapled": false,
"certificateChain": [
{
"version": 3,
"subject": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
"issuer": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
"subjectCN": "twitter.com",
"subjectAltName": "DNS:twitter.com, DNS:www.twitter.com",
"signatureAlg": "sha256WithRSAEncryption",
"notBefore": "Dec 13 00:00:00 2021 GMT",
"notAfter": "Dec 12 23:59:59 2022 GMT",
"expired": false,
"serialNo": "0D:E1:52:69:6B:2F:96:70:D6:C7:DB:18:CE:1C:71:A0",
"keyUsage": "Digital Signature, Key Encipherment critical",
"extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
"publicKeyAlg": "RSA",
"publicKeySize": 2048,
"basicConstraints": "CA:FALSE critical",
"subjectKeyIdentifier": "1B:D7:11:7F:CC:4B:27:B8:12:60:82:C8:6B:34:F4:70:92:22:AD:3E",
"sha1Fingerprint": "DA:26:F7:2E:AC:AC:75:CC:EE:79:41:40:44:10:20:84:86:97:AE:B0"
}, {
"version": 3,
"subject": "CN=DigiCert TLS RSA SHA256 2020 CA1; O=DigiCert Inc; C=US",
"issuer": "CN=DigiCert TLS RSA SHA256 2020 CA1; O=DigiCert Inc; C=US",
"subjectCN": "DigiCert TLS RSA SHA256 2020 CA1",
"signatureAlg": "sha256WithRSAEncryption",
"notBefore": "Apr 14 00:00:00 2021 GMT",
"notAfter": "Apr 13 23:59:59 2031 GMT",
"expired": false,
"serialNo": "06:D8:D9:04:D5:58:43:46:F6:8A:2F:A7:54:22:7E:C4",
"keyUsage": "Digital Signature, Certificate Sign, CRL Sign critical",
"extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
"publicKeyAlg": "RSA",
"publicKeySize": 2048,
"basicConstraints": "CA:TRUE, pathlen:0 critical",
"subjectKeyIdentifier": "B7:6B:A2:EA:A8:AA:84:8C:79:EA:B4:DA:0F:98:B2:C5:95:76:B9:F4",
"sha1Fingerprint": "1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD"
} ]
}stayallive commented
The only thing I can think of at this moment is that I'm using a M1 MacBook.
Just ran it again but same result:
❯ ./bin/tls-scan-1.4.8-darwin -v
tls-scan 1.4.8 Darwin 2022-01-09
Built with OpenSSL-100020b0 GnuTLS-3060a
❯ ./bin/tls-scan-1.4.8-darwin -c twitter.com --cacert cacert.pem --version-enum --pretty
{
"host": "twitter.com",
"ip": "104.244.42.65",
"port": 443,
"elapsedTime": 195,
"tlsVersion": "TLSv1.2",
"cipher": "ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD",
"tempPublicKeyAlg": "ECDH prime256v1",
"tempPublicKeySize": 256,
"secureRenego": true,
"compression": "NONE",
"expansion": "NONE",
"sessionLifetimeHint": 7200,
"tlsVersions": [
"TLSv1_3"
],
"x509ChainDepth": 2,
"verifyCertResult": true,
"verifyHostResult": true,
"ocspStapled": false,
"certificateChain": [
{
"version": 3,
"subject": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
"issuer": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
"subjectCN": "twitter.com",
"subjectAltName": "DNS:twitter.com, DNS:www.twitter.com",
"signatureAlg": "ecdsa-with-SHA384",
"notBefore": "Mar 7 00:00:00 2022 GMT",
"notAfter": "Mar 6 23:59:59 2023 GMT",
"expired": false,
"serialNo": "02:93:C3:98:C2:CF:4A:67:BE:83:B5:37:54:DA:93:79",
"keyUsage": "Digital Signature critical",
"extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
"publicKeyAlg": "ECC prime256v1",
"publicKeySize": 256,
"basicConstraints": "CA:FALSE",
"subjectKeyIdentifier": "23:2E:02:96:1A:49:3A:2E:52:84:60:D0:D3:C0:72:0A:8F:53:34:28",
"sha1Fingerprint": "37:63:F4:77:39:1F:19:EF:D1:63:ED:67:74:1B:92:83:0F:9E:D4:93"
}, {
"version": 3,
"subject": "CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1; O=DigiCert Inc; C=US",
"issuer": "CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1; O=DigiCert Inc; C=US",
"subjectCN": "DigiCert TLS Hybrid ECC SHA384 2020 CA1",
"signatureAlg": "sha384WithRSAEncryption",
"notBefore": "Apr 14 00:00:00 2021 GMT",
"notAfter": "Apr 13 23:59:59 2031 GMT",
"expired": false,
"serialNo": "07:F2:F3:5C:87:A8:77:AF:7A:EF:E9:47:99:35:25:BD",
"keyUsage": "Digital Signature, Certificate Sign, CRL Sign critical",
"extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
"publicKeyAlg": "ECC secp384r1",
"publicKeySize": 384,
"basicConstraints": "CA:TRUE, pathlen:0 critical",
"subjectKeyIdentifier": "0A:BC:08:29:17:8C:A5:39:6D:7A:0E:CE:33:C7:2E:B3:ED:FB:C3:7A",
"sha1Fingerprint": "AE:C1:3C:DD:5E:A6:A3:99:8A:EC:14:AC:33:1A:D9:6B:ED:BB:77:0F"
} ]
}
<|---------Scan Summary---------|>
[79456] ciphers : (0)
[79456] host-count : 1
[79456] network-error : 5
[79456] dns-errcount : 0
[79456] remote-close-error : 0
[79456] unknown-error : 0
[79456] timeout-error : 0
[79456] connect-error : 0
[79456] tls-handshake : 1
[79456] gross-tls-handshake : 2
[79456] elapsed-time : 0.312536 secs
<|------------------------------|>
But I also ran it on my Linux server and I got this:
# ./bin/tls-scan-1.4.8-linux -v
tls-scan 1.4.8 Linux 2022-01-09
Built with OpenSSL-100020b0 GnuTLS-3060a
# ./bin/tls-scan-1.4.8-linux -c twitter.com --cacert cacert.pem --version-enum --pretty
{
"host": "twitter.com",
"ip": "104.244.42.129",
"port": 443,
"elapsedTime": 299,
"tlsVersion": "TLSv1.2",
"cipher": "ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD",
"tempPublicKeyAlg": "ECDH prime256v1",
"tempPublicKeySize": 256,
"secureRenego": true,
"compression": "NONE",
"expansion": "NONE",
"sessionLifetimeHint": 7200,
"tlsVersions": [
"TLSv1_3"
],
"x509ChainDepth": 2,
"verifyCertResult": true,
"verifyHostResult": true,
"ocspStapled": false,
"certificateChain": [
{
"version": 3,
"subject": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
"issuer": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
"subjectCN": "twitter.com",
"subjectAltName": "DNS:twitter.com, DNS:www.twitter.com",
"signatureAlg": "ecdsa-with-SHA384",
"notBefore": "Mar 7 00:00:00 2022 GMT",
"notAfter": "Mar 6 23:59:59 2023 GMT",
"expired": false,
"serialNo": "02:93:C3:98:C2:CF:4A:67:BE:83:B5:37:54:DA:93:79",
"keyUsage": "Digital Signature critical",
"extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
"publicKeyAlg": "ECC prime256v1",
"publicKeySize": 256,
"basicConstraints": "CA:FALSE",
"subjectKeyIdentifier": "23:2E:02:96:1A:49:3A:2E:52:84:60:D0:D3:C0:72:0A:8F:53:34:28",
"sha1Fingerprint": "37:63:F4:77:39:1F:19:EF:D1:63:ED:67:74:1B:92:83:0F:9E:D4:93"
}, {
"version": 3,
"subject": "CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1; O=DigiCert Inc; C=US",
"issuer": "CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1; O=DigiCert Inc; C=US",
"subjectCN": "DigiCert TLS Hybrid ECC SHA384 2020 CA1",
"signatureAlg": "sha384WithRSAEncryption",
"notBefore": "Apr 14 00:00:00 2021 GMT",
"notAfter": "Apr 13 23:59:59 2031 GMT",
"expired": false,
"serialNo": "07:F2:F3:5C:87:A8:77:AF:7A:EF:E9:47:99:35:25:BD",
"keyUsage": "Digital Signature, Certificate Sign, CRL Sign critical",
"extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
"publicKeyAlg": "ECC secp384r1",
"publicKeySize": 384,
"basicConstraints": "CA:TRUE, pathlen:0 critical",
"subjectKeyIdentifier": "0A:BC:08:29:17:8C:A5:39:6D:7A:0E:CE:33:C7:2E:B3:ED:FB:C3:7A",
"sha1Fingerprint": "AE:C1:3C:DD:5E:A6:A3:99:8A:EC:14:AC:33:1A:D9:6B:ED:BB:77:0F"
} ]
}
<|---------Scan Summary---------|>
[1144351] ciphers : (0)
[1144351] host-count : 1
[1144351] network-error : 5
[1144351] dns-errcount : 0
[1144351] remote-close-error : 0
[1144351] unknown-error : 0
[1144351] timeout-error : 0
[1144351] connect-error : 0
[1144351] tls-handshake : 1
[1144351] gross-tls-handshake : 2
[1144351] elapsed-time : 0.313236 secs
<|------------------------------|>
Version numbers match, shouldn't have anything to do with the OpenSSL libraries available on the host machine right? I used the latest CA bundle from here but I doubt that matters.
Any other clue? :D
prbinu commented
All dependencies are statically linked, so it could be something else :( .
thorgrin commented
I just ran into the same problem.
git clone https://github.com/prbinu/tls-scan.git
cd tls-scan
docker build -t tls-scan .
docker run --rm tls-scan --connect=twitter.com:443 --version-enum --pretty
{
"host": "twitter.com",
"ip": "104.244.42.1",
"port": 443,
"elapsedTime": 211,
"tlsVersion": "TLSv1.2",
"cipher": "ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD",
"tempPublicKeyAlg": "ECDH prime256v1",
"tempPublicKeySize": 256,
"secureRenego": true,
"compression": "NONE",
"expansion": "NONE",
"sessionLifetimeHint": 7200,
"tlsVersions": [
"TLSv1_3"
],
prbinu commented
I still could not reproduce this issue :(
$ git clone https://github.com/prbinu/tls-scan.git
Cloning into 'tls-scan'...
$ cd tls-scan/
$ docker build -t tls-scan .
[+] Building 543.2s (14/14) FINISHED
...
=> => writing image sha256:20d0db0adb4ce168cdff78e402d80a72747c4a189013600590a74bee0ebfa893 0.0s
=> => naming to docker.io/library/tls-scan 0.0s
$ docker run --rm tls-scan --connect=twitter.com:443 --version-enum --pretty
{
"host": "twitter.com",
"ip": "104.244.42.65",
"port": 443,
"elapsedTime": 418,
"tlsVersion": "TLSv1.2",
"cipher": "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD",
"tempPublicKeyAlg": "ECDH prime256v1",
"tempPublicKeySize": 256,
"secureRenego": true,
"compression": "NONE",
"expansion": "NONE",
"sessionLifetimeHint": 7200,
"tlsVersions": [
"TLSv1_2",
"TLSv1_3"
],
"x509ChainDepth": 2,
"verifyCertResult": true,
"verifyHostResult": true,
"ocspStapled": false,
"certificateChain": [
{
"version": 3,
"subject": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
"issuer": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
"subjectCN": "twitter.com",
"subjectAltName": "DNS:twitter.com, DNS:www.twitter.com",
"signatureAlg": "sha256WithRSAEncryption",
"notBefore": "Dec 11 00:00:00 2022 GMT",
"notAfter": "Dec 11 23:59:59 2023 GMT",
"expired": false,
"serialNo": "0A:2C:01:B8:2B:5D:47:73:9A:5A:01:1A:6F:DC:1A:20",
"keyUsage": "Digital Signature, Key Encipherment critical",
"extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
"publicKeyAlg": "RSA",
"publicKeySize": 2048,
"basicConstraints": "CA:FALSE",
"subjectKeyIdentifier": "C7:5F:C7:8F:F5:AE:79:1A:DB:1F:D0:A4:4B:0B:A5:DE:CE:2C:E3:C2",
"sha1Fingerprint": "70:53:29:61:4B:71:42:24:19:CE:6F:DE:AB:6F:A5:74:47:E0:D0:84"
}, {
"version": 3,
"subject": "CN=DigiCert TLS RSA SHA256 2020 CA1; O=DigiCert Inc; C=US",
"issuer": "CN=DigiCert TLS RSA SHA256 2020 CA1; O=DigiCert Inc; C=US",
"subjectCN": "DigiCert TLS RSA SHA256 2020 CA1",
"signatureAlg": "sha256WithRSAEncryption",
"notBefore": "Apr 14 00:00:00 2021 GMT",
"notAfter": "Apr 13 23:59:59 2031 GMT",
"expired": false,
"serialNo": "06:D8:D9:04:D5:58:43:46:F6:8A:2F:A7:54:22:7E:C4",
"keyUsage": "Digital Signature, Certificate Sign, CRL Sign critical",
"extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
"publicKeyAlg": "RSA",
"publicKeySize": 2048,
"basicConstraints": "CA:TRUE, pathlen:0 critical",
"subjectKeyIdentifier": "B7:6B:A2:EA:A8:AA:84:8C:79:EA:B4:DA:0F:98:B2:C5:95:76:B9:F4",
"sha1Fingerprint": "1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD"
} ]
}
<|---------Scan Summary---------|>
[1] ciphers : (0)
[1] host-count : 1
[1] network-error : 4
[1] dns-errcount : 0
[1] remote-close-error : 0
[1] unknown-error : 0
[1] timeout-error : 0
[1] connect-error : 0
[1] tls-handshake : 1
[1] gross-tls-handshake : 3
[1] elapsed-time : 0.432258 secs
<|------------------------------|>
stayallive commented