[Cyberduck-trac] [Cyberduck] #8842: Uses insecure SSLv3
Cyberduck
trac at trac.cyberduck.io
Thu May 21 12:03:40 UTC 2015
#8842: Uses insecure SSLv3
----------------------------+-------------------------
Reporter: mellier | Owner: dkocher
Type: defect | Status: assigned
Priority: normal | Milestone: 4.8
Component: webdav | Version: 4.7
Severity: normal | Resolution:
Keywords: webdavs SSL | Architecture:
Platform: Mac OS X 10.10 |
----------------------------+-------------------------
Changes (by dkocher):
* status: new => assigned
Old description:
> Would it be possible to replace insecure SSLv3 with TLS1.1 or higher for the
> encryption?
>
> This is because our webdav server refuses (Heartbit effect) any
> negotiation with SSLv3.
>
> The SSL dump for Hello phase:
>
> {{{
> 1 1 0.3343 (0.3343) C>SV3.3(275) Handshake
> ClientHello
> Version 3.3
> random[32]=
> 55 5d bd 6e f9 a4 b6 9e 2d c5 3d a9 d7 60 15 81
> 36 a6 3a e9 05 86 e5 e6 5f a7 1d 99 a9 4b 6c f8
> cipher suites
> Unknown value 0xc024
> Unknown value 0xc028
> Unknown value 0x3d
> Unknown value 0xc026
> Unknown value 0xc02a
> Unknown value 0x6b
> Unknown value 0x6a
> Unknown value 0xc00a
> Unknown value 0xc014
> Unknown value 0x35
> Unknown value 0xc005
> Unknown value 0xc00f
> Unknown value 0x39
> Unknown value 0x38
> Unknown value 0xc023
> Unknown value 0xc027
> Unknown value 0x3c
> Unknown value 0xc025
> Unknown value 0xc029
> TLS_DHE_DSS_WITH_NULL_SHA
> Unknown value 0x40
> Unknown value 0xc009
> Unknown value 0xc013
> Unknown value 0x2f
> Unknown value 0xc004
> Unknown value 0xc00e
> Unknown value 0x33
> Unknown value 0x32
> Unknown value 0xc02c
> Unknown value 0xc02b
> Unknown value 0xc030
> Unknown value 0x9d
> Unknown value 0xc02e
> Unknown value 0xc032
> Unknown value 0x9f
> Unknown value 0xa3
> Unknown value 0xc02f
> Unknown value 0x9c
> Unknown value 0xc02d
> Unknown value 0xc031
> Unknown value 0x9e
> Unknown value 0xa2
> Unknown value 0xc008
> Unknown value 0xc012
> TLS_RSA_WITH_3DES_EDE_CBC_SHA
> Unknown value 0xc003
> Unknown value 0xc00d
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> Unknown value 0xc007
> Unknown value 0xc011
> TLS_RSA_WITH_RC4_128_SHA
> Unknown value 0xc002
> Unknown value 0xc00c
> TLS_RSA_WITH_RC4_128_MD5
> Unknown value 0xff
> compression methods
> NULL
> 1 2 0.3345 (0.0002) S>CV3.0(2) Alert
> level fatal
> value protocol_version
> 1 0.3345 (0.0000) S>C TCP FIN
> 1 0.3351 (0.0005) C>S TCP FIN
> }}}
New description:
Would it be possible to replace insecure SSLv3 with TLS1.1 or higher for the
encryption?
This is because our webdav server refuses (Heartbeat attack) any
negotiation with SSLv3.
The SSL dump for Hello phase:
{{{
1 1 0.3343 (0.3343) C>SV3.3(275) Handshake
ClientHello
Version 3.3
random[32]=
55 5d bd 6e f9 a4 b6 9e 2d c5 3d a9 d7 60 15 81
36 a6 3a e9 05 86 e5 e6 5f a7 1d 99 a9 4b 6c f8
cipher suites
Unknown value 0xc024
Unknown value 0xc028
Unknown value 0x3d
Unknown value 0xc026
Unknown value 0xc02a
Unknown value 0x6b
Unknown value 0x6a
Unknown value 0xc00a
Unknown value 0xc014
Unknown value 0x35
Unknown value 0xc005
Unknown value 0xc00f
Unknown value 0x39
Unknown value 0x38
Unknown value 0xc023
Unknown value 0xc027
Unknown value 0x3c
Unknown value 0xc025
Unknown value 0xc029
TLS_DHE_DSS_WITH_NULL_SHA
Unknown value 0x40
Unknown value 0xc009
Unknown value 0xc013
Unknown value 0x2f
Unknown value 0xc004
Unknown value 0xc00e
Unknown value 0x33
Unknown value 0x32
Unknown value 0xc02c
Unknown value 0xc02b
Unknown value 0xc030
Unknown value 0x9d
Unknown value 0xc02e
Unknown value 0xc032
Unknown value 0x9f
Unknown value 0xa3
Unknown value 0xc02f
Unknown value 0x9c
Unknown value 0xc02d
Unknown value 0xc031
Unknown value 0x9e
Unknown value 0xa2
Unknown value 0xc008
Unknown value 0xc012
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc003
Unknown value 0xc00d
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc007
Unknown value 0xc011
TLS_RSA_WITH_RC4_128_SHA
Unknown value 0xc002
Unknown value 0xc00c
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xff
compression methods
NULL
1 2 0.3345 (0.0002) S>CV3.0(2) Alert
level fatal
value protocol_version
1 0.3345 (0.0000) S>C TCP FIN
1 0.3351 (0.0005) C>S TCP FIN
}}}
--
Ticket URL: <https://trac.cyberduck.io/ticket/8842#comment:4>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
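Added here as a triage aid for handshake failures like the one in this ticket; it is not code from the ticket or from Cyberduck. The parser reads the ssldump trace format quoted above, pulling out the ClientHello's version and offered suites and the server's alert, so the record-layer version numbers (3.3 is TLS 1.2, 3.0 is SSLv3) and any named suite using NULL, RC4, 3DES or MD5 can be checked at a glance. The `TRACE` constant is a constructed abridgement of the dump in the ticket.

```python
import re

# Constructed abridgement of the ssldump trace quoted in the ticket.
TRACE = """\
1 1 0.3343 (0.3343) C>SV3.3(275) Handshake
ClientHello
Version 3.3
cipher suites
Unknown value 0xc024
TLS_DHE_DSS_WITH_NULL_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
compression methods
NULL
1 2 0.3345 (0.0002) S>CV3.0(2) Alert
level fatal
value protocol_version
"""

# Protocol versions as ssldump prints them (major.minor, RFC 5246 appendix E).
VERSIONS = {"3.0": "SSLv3", "3.1": "TLS 1.0", "3.2": "TLS 1.1", "3.3": "TLS 1.2"}
WEAK_MARKERS = ("NULL", "RC4", "3DES", "MD5", "EXPORT")  # named suites worth flagging
# Record header: "<conn> <rec> <time> (<delta>) C>SV3.3(<len>) <ContentType>"
RECORD_RE = re.compile(r"^\d+ \d+ \S+ \(\S+\) ([CS])>[CS]V(\d\.\d)\(\d+\) (\w+)$")


def parse_trace(text):
    """Split an ssldump trace into records: sender, record version, type, body."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append({"from": m.group(1), "version": VERSIONS.get(m.group(2), m.group(2)),
                            "type": m.group(3), "body": []})
        elif records:  # indented detail lines belong to the last record seen
            records[-1]["body"].append(line.strip())
    return records


def summarize(text):
    """Extract what decides a failed handshake: offered version, weak suites, alert."""
    recs = parse_trace(text)
    body = next(r["body"] for r in recs if r["type"] == "Handshake" and "ClientHello" in r["body"])
    version = next(l.split()[1] for l in body if l.startswith("Version "))
    suites = body[body.index("cipher suites") + 1:body.index("compression methods")]
    alert = next((r for r in recs if r["type"] == "Alert"), None)  # first alert ends it
    if alert:
        fields = dict(l.split(None, 1) for l in alert["body"] if " " in l)
        alert = (alert["from"], alert["version"], fields.get("level"), fields.get("value"))
    return {"client_version": VERSIONS.get(version, version), "suites_offered": len(suites),
            "weak_named_suites": [s for s in suites if any(w in s for w in WEAK_MARKERS)],
            "alert": alert}
```

Run `summarize(TRACE)` on a real ssldump capture to see which side spoke which version before the fatal alert; the "Unknown value" entries are suites this ssldump build could not name and need a separate IANA lookup.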