[Cyberduck-trac] [Cyberduck] #8842: Uses insecure SSLv3 (was: webdavs use unsecure SSLv3)

Cyberduck trac at trac.cyberduck.io
Thu May 21 12:00:40 UTC 2015


#8842: Uses insecure SSLv3
----------------------------+------------------------
 Reporter:  mellier         |         Owner:  dkocher
     Type:  defect          |        Status:  new
 Priority:  normal          |     Milestone:  4.8
Component:  webdav          |       Version:  4.7
 Severity:  normal          |    Resolution:
 Keywords:  webdavs SSL     |  Architecture:
 Platform:  Mac OS X 10.10  |
----------------------------+------------------------
Changes (by dkocher):

 * owner:   => dkocher
 * component:  core => webdav
 * milestone:   => 4.8


Old description:

> Would it be possible to replace unsecure SSLv3 with TLS 1.1 or higher for the
> encryption?
>
> This is because our webdav server refuses (Heartbit effect) any
> negotiation with SSLv3.
>
> The SSL dump for Hello phase:
>

New description:

 Would it be possible to replace unsecure SSLv3 with TLS 1.1 or higher for the
 encryption?

 This is because our webdav server refuses (Heartbit effect) any
 negotiation with SSLv3.

 The SSL dump for Hello phase:


 {{{
 1 1  0.3343 (0.3343)  C>SV3.3(275)  Handshake
       ClientHello
         Version 3.3
         random[32]=
           55 5d bd 6e f9 a4 b6 9e 2d c5 3d a9 d7 60 15 81
           36 a6 3a e9 05 86 e5 e6 5f a7 1d 99 a9 4b 6c f8
         cipher suites
         Unknown value 0xc024
         Unknown value 0xc028
         Unknown value 0x3d
         Unknown value 0xc026
         Unknown value 0xc02a
         Unknown value 0x6b
         Unknown value 0x6a
         Unknown value 0xc00a
         Unknown value 0xc014
         Unknown value 0x35
         Unknown value 0xc005
         Unknown value 0xc00f
         Unknown value 0x39
         Unknown value 0x38
         Unknown value 0xc023
         Unknown value 0xc027
         Unknown value 0x3c
         Unknown value 0xc025
         Unknown value 0xc029
         TLS_DHE_DSS_WITH_NULL_SHA
         Unknown value 0x40
         Unknown value 0xc009
         Unknown value 0xc013
         Unknown value 0x2f
         Unknown value 0xc004
         Unknown value 0xc00e
         Unknown value 0x33
         Unknown value 0x32
         Unknown value 0xc02c
         Unknown value 0xc02b
         Unknown value 0xc030
         Unknown value 0x9d
         Unknown value 0xc02e
         Unknown value 0xc032
         Unknown value 0x9f
         Unknown value 0xa3
         Unknown value 0xc02f
         Unknown value 0x9c
         Unknown value 0xc02d
         Unknown value 0xc031
         Unknown value 0x9e
         Unknown value 0xa2
         Unknown value 0xc008
         Unknown value 0xc012
         TLS_RSA_WITH_3DES_EDE_CBC_SHA
         Unknown value 0xc003
         Unknown value 0xc00d
         TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
         TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
         Unknown value 0xc007
         Unknown value 0xc011
         TLS_RSA_WITH_RC4_128_SHA
         Unknown value 0xc002
         Unknown value 0xc00c
         TLS_RSA_WITH_RC4_128_MD5
         Unknown value 0xff
         compression methods
                   NULL
 1 2  0.3345 (0.0002)  S>CV3.0(2)  Alert
     level           fatal
     value           protocol_version
 1    0.3345 (0.0000)  S>C  TCP FIN
 1    0.3351 (0.0005)  C>S  TCP FIN
 }}}

-- 
Ticket URL: <https://trac.cyberduck.io/ticket/8842#comment:1>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
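
An added example (not part of the ticket or of Cyberduck's code): a Python routine that summarizes an ssldump trace like the one in the ticket, reporting the protocol version on each record, the version field in the ClientHello, the alert description, and which offered suites use NULL, RC4, 3DES or MD5. The sample is abridged from the ticket's trace; the `SUITES` table is a small subset of IANA IDs filled in here, and the name `summarize` is chosen for this example.

```python
import re

# ssldump prints wire versions as major.minor
VERSIONS = {"3.0": "SSLv3", "3.1": "TLS 1.0", "3.2": "TLS 1.1", "3.3": "TLS 1.2"}
# Assumption: small subset of IANA suite IDs, added here for IDs the dump shows as "Unknown value"
SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}
WEAK = ("_NULL_", "_RC4_", "_3DES_", "_MD5")
RECORD = re.compile(r"([CS])>([CS])V(\d\.\d)\((\d+)\)\s+(\w+)")

# Abridged from the trace in the ticket
SAMPLE = """\
1 1  0.3343 (0.3343)  C>SV3.3(275)  Handshake
      ClientHello
        Version 3.3
        cipher suites
        Unknown value 0xc02f
        Unknown value 0xc012
        TLS_RSA_WITH_RC4_128_MD5
        Unknown value 0xff
1 2  0.3345 (0.0002)  S>CV3.0(2)  Alert
    level           fatal
    value           protocol_version
"""

def summarize(dump):
    out = {"records": [], "hello_version": None, "alert": None, "suites": []}
    for text in (line.strip() for line in dump.splitlines()):
        m = RECORD.search(text)
        if m:  # record header: direction, record-layer version, content type
            direction = m.group(1) + ">" + m.group(2)
            out["records"].append((direction, VERSIONS.get(m.group(3), m.group(3)), m.group(5)))
        elif text.startswith("Version "):  # version field inside the ClientHello
            out["hello_version"] = VERSIONS.get(text.split()[1], text.split()[1])
        elif text.startswith("value "):  # alert description
            out["alert"] = text.split()[1]
        elif text.startswith("Unknown value 0x"):  # suite ID ssldump could not name
            code = int(text.split()[2], 16)
            out["suites"].append(SUITES.get(code, hex(code)))
        elif text.startswith("TLS_"):
            out["suites"].append(text)
    out["weak"] = [s for s in out["suites"] if any(w in s for w in WEAK)]
    return out
```

Calling `summarize(SAMPLE)` returns a dictionary with the keys `records`, `hello_version`, `alert`, `suites` and `weak`; suite IDs missing from `SUITES` are kept as their hex value.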

