[Cyberduck-trac] [Cyberduck] #8842: Uses insecure SSLv3

Cyberduck trac at trac.cyberduck.io
Thu May 21 13:04:30 UTC 2015


#8842: Uses insecure SSLv3
----------------------------+-------------------------
 Reporter:  mellier         |         Owner:  dkocher
     Type:  defect          |        Status:  assigned
 Priority:  normal          |     Milestone:  4.8
Component:  webdav          |       Version:  4.7
 Severity:  normal          |    Resolution:
 Keywords:  webdavs SSL     |  Architecture:
 Platform:  Mac OS X 10.10  |
----------------------------+-------------------------

Comment (by dkocher):

 Also the trace shows that a `TLSv1.2 Handshake` is initiated.
 ''Chrome.app'' will print
 {{{
 Your connection to documents.epfl.ch is encrypted with obsolete
 cryptography.

 The connection uses TLS 1.0.
 }}}

 `openssl` also negotiates a TLSv1 connection that is no longer supported
 with Cyberduck.

 {{{
 osaka:~ dkocher$ openssl s_client -connect documents.epfl.ch:443
 CONNECTED(00000003)
 depth=3 /C=BM/O=QuoVadis Limited/OU=Root Certification
 Authority/CN=QuoVadis Root Certification Authority
 verify error:num=19:self signed certificate in certificate chain
 verify return:0
 ---
 Certificate chain
  0 s:/C=CH/ST=Vaud/L=Lausanne/O=Ecole polytechnique federale de Lausanne
 (EPFL)/CN=documents.epfl.ch
    i:/C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global
 SSL ICA
  1 s:/C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global
 SSL ICA
    i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
  2 s:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
    i:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis
 Root Certification Authority
  3 s:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis
 Root Certification Authority
    i:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis
 Root Certification Authority
 ---
 Server certificate
 -----BEGIN CERTIFICATE-----
 MIIFNjCCBB6gAwIBAgIUb2pZZYdnGYcOOtccFjMgw2xxjL4wDQYJKoZIhvcNAQEF
 BQAwazELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHzAd
 BgNVBAsTFnd3dy5xdW92YWRpc2dsb2JhbC5jb20xIDAeBgNVBAMTF1F1b1ZhZGlz
 IEdsb2JhbCBTU0wgSUNBMB4XDTEyMTExNjEzMjYxM1oXDTE1MTExNjEzMjYxMlow
 gYUxCzAJBgNVBAYTAkNIMQ0wCwYDVQQIEwRWYXVkMREwDwYDVQQHEwhMYXVzYW5u
 ZTE4MDYGA1UEChMvRWNvbGUgcG9seXRlY2huaXF1ZSBmZWRlcmFsZSBkZSBMYXVz
 YW5uZSAoRVBGTCkxGjAYBgNVBAMTEWRvY3VtZW50cy5lcGZsLmNoMIIBIjANBgkq
 hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxLEDw3F0q/OICREzbHBbaoAkHxov4VMI
 I2I5Pqy1V9H+1FVJdyHTvH+Lumk85XXqdUY3ZQccvSl5PIceerAnVVoGhn/UXWiT
 IWRbzxGin9WQock99EeI42BK2D7WZvH1EL+1CxB433vJbYvbLhSphQsiMoNKOWo8
 W+BPSlCmTcSrHskF9MpQK75ssyrTd9R3E+JnsCVOAyRPliH6fpQVqgA6V+bjNP0R
 SK4X2rLs9XmLFAEbNxIKt1liNMG/x3VzP4Jh0Tyrqu2NTZnBtAcNWdUQ7xIbhI3q
 XX0ki9Hf/+Cb/kr71A+I/gB76XziF/5LVW1ikbk1tOS1uBZETvZLjQIDAQABo4IB
 tTCCAbEwdAYIKwYBBQUHAQEEaDBmMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5x
 dW92YWRpc2dsb2JhbC5jb20wOAYIKwYBBQUHMAKGLGh0dHA6Ly90cnVzdC5xdW92
 YWRpc2dsb2JhbC5jb20vcXZzc2xpY2EuY3J0MDoGA1UdEQQzMDGCEWRvY3VtZW50
 cy5lcGZsLmNogRxESVQtVEktQ2VydHNAZ3JvdXBlcy5lcGZsLmNoMFEGA1UdIARK
 MEgwRgYMKwYBBAG+WAACZAEBMDYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cucXVv
 dmFkaXNnbG9iYWwuY29tL3JlcG9zaXRvcnkwDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
 JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBQyTaFP6vCumbbu
 mwcshAgRUIvifjA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLnF1b3ZhZGlz
 Z2xvYmFsLmNvbS9xdnNzbGljYS5jcmwwHQYDVR0OBBYEFIdHlH5aJ7QD/nA9iWre
 Y8RZfdQ5MA0GCSqGSIb3DQEBBQUAA4IBAQBuz1MgRmtVAmn1bs5hjNCvVU4CTYta
 KkZL7AmmPwBuEp8c2/7puK7sjYW3TufXfjxE8/uRYxzQBJHu/ZEKa9djc2j+m8A3
 EpQgtpUS/p8qZtjNIRffGOlR0IsDVnf7Xpdp36xKWvr0VdG9LbIlE8QPxPTUWvGl
 JR4zhmmFwpsJJBVL8fp2w0rZ3yK0a0HIL4EE8ZgA3Tf7d/FKS3P0UlRACRrm1S5I
 Xoi61Ps0ETLwGIznDXuQMAjmqzR21jw/bsV2yfu/wRx+OhHfsPYl03Vgf0LqHiin
 OycU6LojV18IDkUm6uhiqTkxwchYhp3Gqv08w0tLPSzvcQwt8YsPIhLK
 -----END CERTIFICATE-----
 subject=/C=CH/ST=Vaud/L=Lausanne/O=Ecole polytechnique federale de
 Lausanne (EPFL)/CN=documents.epfl.ch
 issuer=/C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis
 Global SSL ICA
 ---
 No client certificate CA names sent
 ---
 SSL handshake has read 5671 bytes and written 456 bytes
 ---
 New, TLSv1/SSLv3, Cipher is AES256-SHA
 Server public key is 2048 bit
 Secure Renegotiation IS NOT supported
 Compression: NONE
 Expansion: NONE
 SSL-Session:
     Protocol  : TLSv1
     Cipher    : AES256-SHA
     Session-ID:
     Session-ID-ctx:
     Master-Key:
 924754251AA57F9F73EB1F39133FA62DFF841E6D32C37456FB714C1114E11091D8037B16DEDD8E103EDE9F18F8952A30
     Key-Arg   : None
     Start Time: 1432213187
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
 ---
 }}}

 It looks to me that this server is configured to only accept TLSv1 but not
 later versions.

-- 
Ticket URL: <https://trac.cyberduck.io/ticket/8842#comment:8>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
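
An added example, not part of the original ticket or of Cyberduck: a small Python triage of `openssl s_client` output in the format quoted above, reporting the negotiated protocol, renegotiation support and chain verification. The `OBSOLETE` set, the function names and the shortened sample are assumptions of this example.

```python
import re

# Protocol versions this check treats as obsolete (assumption of the example).
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: summary lines of an `openssl s_client` run in the
# format shown in the ticket (shortened, not a real capture).
SAMPLE = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 0 (ok)
---
"""

def parse_s_client(text):
    """Extract the negotiated session parameters from s_client output."""
    info = {}
    # Only "key : value" lines after "SSL-Session:" describe the session.
    _, _, session = text.partition("SSL-Session:")
    for line in session.splitlines():
        m = re.match(r"\s*([A-Za-z][\w -]*?)\s*:\s*(.*)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    m = re.search(r"Secure Renegotiation IS( NOT)? supported", text)
    info["secure_renegotiation"] = bool(m) and m.group(1) is None
    return info

def findings(info):
    """Return a list of issues for a parsed session."""
    proto = info.get("Protocol")
    if proto is None:
        return ["no session negotiated"]
    out = []
    if proto in OBSOLETE:
        # The negotiated version is the highest one both peers offer, so it
        # is also capped by the local openssl build, not only by the server.
        out.append(f"obsolete protocol negotiated: {proto}")
    if not info["secure_renegotiation"]:
        out.append("secure renegotiation not supported")
    if not info.get("Verify return code", "").startswith("0 "):
        out.append("certificate chain did not verify")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_s_client(SAMPLE))))
```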

