Incorrect tlsVersions in output #45
Yes, ideally both should appear in Thanks! |
@stayallive, I was trying to replicate the reported issue, but I believe I'm getting correct output. Please let me know if I missed anything.
$ ~/tls-scan/tls-scan -v
tls-scan 1.4.8 Darwin 2022-01-09
Built with OpenSSL-100020b0 GnuTLS-3060a
$ ~/tls-scan/tls-scan -c twitter.com --cacert ~/tls-scan/ca-bundle.crt --version-enum --pretty
{
"host": "twitter.com",
"ip": "104.244.42.65",
"port": 443,
"elapsedTime": 280,
"tlsVersion": "TLSv1.2",
"cipher": "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD",
"tempPublicKeyAlg": "ECDH prime256v1",
"tempPublicKeySize": 256,
"secureRenego": true,
"compression": "NONE",
"expansion": "NONE",
"sessionLifetimeHint": 7200,
"tlsVersions": [
"TLSv1_2",
"TLSv1_3"
],
"x509ChainDepth": 2,
"verifyCertResult": true,
"verifyHostResult": true,
"ocspStapled": false,
"certificateChain": [
{
"version": 3,
"subject": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
"issuer": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
"subjectCN": "twitter.com",
"subjectAltName": "DNS:twitter.com, DNS:www.twitter.com",
"signatureAlg": "sha256WithRSAEncryption",
"notBefore": "Dec 13 00:00:00 2021 GMT",
"notAfter": "Dec 12 23:59:59 2022 GMT",
"expired": false,
"serialNo": "0D:E1:52:69:6B:2F:96:70:D6:C7:DB:18:CE:1C:71:A0",
"keyUsage": "Digital Signature, Key Encipherment critical",
"extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
"publicKeyAlg": "RSA",
"publicKeySize": 2048,
"basicConstraints": "CA:FALSE critical",
"subjectKeyIdentifier": "1B:D7:11:7F:CC:4B:27:B8:12:60:82:C8:6B:34:F4:70:92:22:AD:3E",
"sha1Fingerprint": "DA:26:F7:2E:AC:AC:75:CC:EE:79:41:40:44:10:20:84:86:97:AE:B0"
}, {
"version": 3,
"subject": "CN=DigiCert TLS RSA SHA256 2020 CA1; O=DigiCert Inc; C=US",
"issuer": "CN=DigiCert TLS RSA SHA256 2020 CA1; O=DigiCert Inc; C=US",
"subjectCN": "DigiCert TLS RSA SHA256 2020 CA1",
"signatureAlg": "sha256WithRSAEncryption",
"notBefore": "Apr 14 00:00:00 2021 GMT",
"notAfter": "Apr 13 23:59:59 2031 GMT",
"expired": false,
"serialNo": "06:D8:D9:04:D5:58:43:46:F6:8A:2F:A7:54:22:7E:C4",
"keyUsage": "Digital Signature, Certificate Sign, CRL Sign critical",
"extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
"publicKeyAlg": "RSA",
"publicKeySize": 2048,
"basicConstraints": "CA:TRUE, pathlen:0 critical",
"subjectKeyIdentifier": "B7:6B:A2:EA:A8:AA:84:8C:79:EA:B4:DA:0F:98:B2:C5:95:76:B9:F4",
"sha1Fingerprint": "1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD"
} ]
} |
The only thing I can think of at this moment is that I'm using an M1 MacBook. Just ran it again but same result:
But I also ran it on my Linux server and I got this:
Version numbers match, shouldn't have anything to do with the OpenSSL libraries available on the host machine right? I used the latest CA bundle from here but I doubt that matters. Any other clue? :D |
All dependencies are statically linked, so it could be something else :( . |
I just ran into the same problem.
|
I still could not reproduce this issue :(
$ git clone https://github.com/prbinu/tls-scan.git
Cloning into 'tls-scan'...
$ cd tls-scan/
$ docker build -t tls-scan .
[+] Building 543.2s (14/14) FINISHED
...
=> => writing image sha256:20d0db0adb4ce168cdff78e402d80a72747c4a189013600590a74bee0ebfa893 0.0s
=> => naming to docker.io/library/tls-scan 0.0s
$ docker run --rm tls-scan --connect=twitter.com:443 --version-enum --pretty
{
"host": "twitter.com",
"ip": "104.244.42.65",
"port": 443,
"elapsedTime": 418,
"tlsVersion": "TLSv1.2",
"cipher": "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD",
"tempPublicKeyAlg": "ECDH prime256v1",
"tempPublicKeySize": 256,
"secureRenego": true,
"compression": "NONE",
"expansion": "NONE",
"sessionLifetimeHint": 7200,
"tlsVersions": [
"TLSv1_2",
"TLSv1_3"
],
"x509ChainDepth": 2,
"verifyCertResult": true,
"verifyHostResult": true,
"ocspStapled": false,
"certificateChain": [
{
"version": 3,
"subject": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
"issuer": "CN=twitter.com; O=Twitter, Inc.; L=San Francisco; ST=California; C=US",
"subjectCN": "twitter.com",
"subjectAltName": "DNS:twitter.com, DNS:www.twitter.com",
"signatureAlg": "sha256WithRSAEncryption",
"notBefore": "Dec 11 00:00:00 2022 GMT",
"notAfter": "Dec 11 23:59:59 2023 GMT",
"expired": false,
"serialNo": "0A:2C:01:B8:2B:5D:47:73:9A:5A:01:1A:6F:DC:1A:20",
"keyUsage": "Digital Signature, Key Encipherment critical",
"extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
"publicKeyAlg": "RSA",
"publicKeySize": 2048,
"basicConstraints": "CA:FALSE",
"subjectKeyIdentifier": "C7:5F:C7:8F:F5:AE:79:1A:DB:1F:D0:A4:4B:0B:A5:DE:CE:2C:E3:C2",
"sha1Fingerprint": "70:53:29:61:4B:71:42:24:19:CE:6F:DE:AB:6F:A5:74:47:E0:D0:84"
}, {
"version": 3,
"subject": "CN=DigiCert TLS RSA SHA256 2020 CA1; O=DigiCert Inc; C=US",
"issuer": "CN=DigiCert TLS RSA SHA256 2020 CA1; O=DigiCert Inc; C=US",
"subjectCN": "DigiCert TLS RSA SHA256 2020 CA1",
"signatureAlg": "sha256WithRSAEncryption",
"notBefore": "Apr 14 00:00:00 2021 GMT",
"notAfter": "Apr 13 23:59:59 2031 GMT",
"expired": false,
"serialNo": "06:D8:D9:04:D5:58:43:46:F6:8A:2F:A7:54:22:7E:C4",
"keyUsage": "Digital Signature, Certificate Sign, CRL Sign critical",
"extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
"publicKeyAlg": "RSA",
"publicKeySize": 2048,
"basicConstraints": "CA:TRUE, pathlen:0 critical",
"subjectKeyIdentifier": "B7:6B:A2:EA:A8:AA:84:8C:79:EA:B4:DA:0F:98:B2:C5:95:76:B9:F4",
"sha1Fingerprint": "1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD"
} ]
}
<|---------Scan Summary---------|>
[1] ciphers : (0)
[1] host-count : 1
[1] network-error : 4
[1] dns-errcount : 0
[1] remote-close-error : 0
[1] unknown-error : 0
[1] timeout-error : 0
[1] connect-error : 0
[1] tls-handshake : 1
[1] gross-tls-handshake : 3
[1] elapsed-time : 0.432258 secs
<|------------------------------|>
|
Hi there,
Unless I'm misinterpreting something the tlsVersions key seems to be incorrect. tlsVersions only lists TLSv1_3 even though tlsVersion states 1.2 which Twitter also supports. So it's either missing TLSv1_2 from the list or I'm missing something obvious why it shouldn't be there :)
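A consistency check for the symptom reported above, as an added example that is not part of the thread or of tls-scan: the negotiated tlsVersion should appear in the enumerated tlsVersions list once the two label styles (TLSv1.2 and TLSv1_2) are normalized. It assumes scan records are collected one JSON object per line (no --pretty); the sample records and the host example.test are constructed.

```python
import json
import re

# Constructed sample, one JSON object per line, using only field names and
# value formats visible in the outputs above. Record 2 mirrors the report.
SAMPLE = """\
{"host": "twitter.com", "port": 443, "tlsVersion": "TLSv1.2", "tlsVersions": ["TLSv1_2", "TLSv1_3"]}
{"host": "twitter.com", "port": 443, "tlsVersion": "TLSv1.2", "tlsVersions": ["TLSv1_3"]}
{"host": "example.test", "port": 443, "tlsVersion": "TLSv1.2"}
"""
_VERSION_RE = re.compile(r"^(SSL|TLS)v(\d+)(?:[._](\d+))?$", re.IGNORECASE)

def normalize(label):
    """Map 'TLSv1.2', 'TLSv1_2' or 'TLSv1' to a comparable (proto, major, minor)."""
    m = _VERSION_RE.match(str(label).strip())
    if not m:
        return None
    return (m.group(1).upper(), int(m.group(2)), int(m.group(3) or 0))

def check_record(rec):
    """Return the findings for one scan record; an empty list means consistent."""
    enumerated = rec.get("tlsVersions")
    if enumerated is None:
        return ["tlsVersions absent (was --version-enum used?)"]
    parsed = {normalize(v) for v in enumerated}
    findings = []
    if None in parsed:
        findings.append("unparseable entry in tlsVersions")
    negotiated = normalize(rec.get("tlsVersion", ""))
    if negotiated is None:
        findings.append("tlsVersion missing or unparseable")
    elif negotiated not in parsed:
        findings.append(f"negotiated {rec['tlsVersion']} missing from tlsVersions {enumerated}")
    return findings

def audit(text):
    """Return (host, port, findings) for every record that fails the check."""
    results = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            findings = check_record(rec)
            if findings:
                results.append((rec.get("host"), rec.get("port"), findings))
    return results

if __name__ == "__main__":
    for host, port, findings in audit(SAMPLE):
        print(f"{host}:{port}: " + "; ".join(findings))
```

Running the same check over results from two machines (for example the macOS and Linux hosts mentioned in the thread) shows whether the mismatch follows the build or the target.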