[Cyberduck-trac] [Cyberduck] #8842: Uses insecure SSLv3
Cyberduck
trac at trac.cyberduck.io
Thu May 21 13:04:30 UTC 2015
#8842: Uses insecure SSLv3
----------------------------+-------------------------
Reporter: mellier | Owner: dkocher
Type: defect | Status: assigned
Priority: normal | Milestone: 4.8
Component: webdav | Version: 4.7
Severity: normal | Resolution:
Keywords: webdavs SSL | Architecture:
Platform: Mac OS X 10.10 |
----------------------------+-------------------------
Comment (by dkocher):
Also the trace shows that a `TLSv1.2 Handshake` is initiated.
''Chrome.app'' will print
{{{
Your connection to documents.epfl.ch is encrypted with obsolete
cryptography.
The connection uses TLS 1.0.
}}}
`openssl` also negogiates a TLSv1 connection that is no longer supported
with Cyberduck.
{{{
osaka:~ dkocher$ openssl s_client -connect documents.epfl.ch:443
CONNECTED(00000003)
depth=3 /C=BM/O=QuoVadis Limited/OU=Root Certification
Authority/CN=QuoVadis Root Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=CH/ST=Vaud/L=Lausanne/O=Ecole polytechnique federale de Lausanne
(EPFL)/CN=documents.epfl.ch
i:/C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global
SSL ICA
1 s:/C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis Global
SSL ICA
i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
2 s:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
i:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis
Root Certification Authority
3 s:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis
Root Certification Authority
i:/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis
Root Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFNjCCBB6gAwIBAgIUb2pZZYdnGYcOOtccFjMgw2xxjL4wDQYJKoZIhvcNAQEF
BQAwazELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHzAd
BgNVBAsTFnd3dy5xdW92YWRpc2dsb2JhbC5jb20xIDAeBgNVBAMTF1F1b1ZhZGlz
IEdsb2JhbCBTU0wgSUNBMB4XDTEyMTExNjEzMjYxM1oXDTE1MTExNjEzMjYxMlow
gYUxCzAJBgNVBAYTAkNIMQ0wCwYDVQQIEwRWYXVkMREwDwYDVQQHEwhMYXVzYW5u
ZTE4MDYGA1UEChMvRWNvbGUgcG9seXRlY2huaXF1ZSBmZWRlcmFsZSBkZSBMYXVz
YW5uZSAoRVBGTCkxGjAYBgNVBAMTEWRvY3VtZW50cy5lcGZsLmNoMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxLEDw3F0q/OICREzbHBbaoAkHxov4VMI
I2I5Pqy1V9H+1FVJdyHTvH+Lumk85XXqdUY3ZQccvSl5PIceerAnVVoGhn/UXWiT
IWRbzxGin9WQock99EeI42BK2D7WZvH1EL+1CxB433vJbYvbLhSphQsiMoNKOWo8
W+BPSlCmTcSrHskF9MpQK75ssyrTd9R3E+JnsCVOAyRPliH6fpQVqgA6V+bjNP0R
SK4X2rLs9XmLFAEbNxIKt1liNMG/x3VzP4Jh0Tyrqu2NTZnBtAcNWdUQ7xIbhI3q
XX0ki9Hf/+Cb/kr71A+I/gB76XziF/5LVW1ikbk1tOS1uBZETvZLjQIDAQABo4IB
tTCCAbEwdAYIKwYBBQUHAQEEaDBmMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5x
dW92YWRpc2dsb2JhbC5jb20wOAYIKwYBBQUHMAKGLGh0dHA6Ly90cnVzdC5xdW92
YWRpc2dsb2JhbC5jb20vcXZzc2xpY2EuY3J0MDoGA1UdEQQzMDGCEWRvY3VtZW50
cy5lcGZsLmNogRxESVQtVEktQ2VydHNAZ3JvdXBlcy5lcGZsLmNoMFEGA1UdIARK
MEgwRgYMKwYBBAG+WAACZAEBMDYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cucXVv
dmFkaXNnbG9iYWwuY29tL3JlcG9zaXRvcnkwDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBQyTaFP6vCumbbu
mwcshAgRUIvifjA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLnF1b3ZhZGlz
Z2xvYmFsLmNvbS9xdnNzbGljYS5jcmwwHQYDVR0OBBYEFIdHlH5aJ7QD/nA9iWre
Y8RZfdQ5MA0GCSqGSIb3DQEBBQUAA4IBAQBuz1MgRmtVAmn1bs5hjNCvVU4CTYta
KkZL7AmmPwBuEp8c2/7puK7sjYW3TufXfjxE8/uRYxzQBJHu/ZEKa9djc2j+m8A3
EpQgtpUS/p8qZtjNIRffGOlR0IsDVnf7Xpdp36xKWvr0VdG9LbIlE8QPxPTUWvGl
JR4zhmmFwpsJJBVL8fp2w0rZ3yK0a0HIL4EE8ZgA3Tf7d/FKS3P0UlRACRrm1S5I
Xoi61Ps0ETLwGIznDXuQMAjmqzR21jw/bsV2yfu/wRx+OhHfsPYl03Vgf0LqHiin
OycU6LojV18IDkUm6uhiqTkxwchYhp3Gqv08w0tLPSzvcQwt8YsPIhLK
-----END CERTIFICATE-----
subject=/C=CH/ST=Vaud/L=Lausanne/O=Ecole polytechnique federale de
Lausanne (EPFL)/CN=documents.epfl.ch
issuer=/C=BM/O=QuoVadis Limited/OU=www.quovadisglobal.com/CN=QuoVadis
Global SSL ICA
---
No client certificate CA names sent
---
SSL handshake has read 5671 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key:
924754251AA57F9F73EB1F39133FA62DFF841E6D32C37456FB714C1114E11091D8037B16DEDD8E103EDE9F18F8952A30
Key-Arg : None
Start Time: 1432213187
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
}}}
It looks to me that this server is configured to only accept TLSv1 but not
later versions.
--
Ticket URL: <https://trac.cyberduck.io/ticket/8842#comment:8>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
More information about the Cyberduck-trac
mailing list