GeoNames Home | Postal Codes | Download / Webservice | About 

GeoNames Forum
  [Search] Search   [Recent Topics] Recent Topics   [Groups] Back to home page 
[Register] Register / 
[Login] Login 
secure.geonames.org uses TLSv3 only and unsupported ciphers  XML
Forum Index -> General
Author Message
Mirko Klingmann



Joined: 13/03/2024 12:41:36
Messages: 3
Offline

Dear team,

as of today, it seems no longer possible to access the REST interface (Server secure.geonames.org:443 [188.40.33.19]) using TLSv2 or lower. SSLyze output is:

Code:
  CHECKING CONNECTIVITY TO SERVER(S)
  ----------------------------------
 
    secure.geonames.org:443   => 188.40.33.19 
 
 
  SCAN RESULTS FOR SECURE.GEONAMES.ORG:443 - 188.40.33.19
  -------------------------------------------------------
 
  * Certificates Information:
        Hostname sent for SNI:             secure.geonames.org
        Number of certificates detected:   1
 
 
      Certificate #0 ( _EllipticCurvePublicKey )
        SHA1 Fingerprint:                  58c30dd60114a3a8e061dba7c39a5fef1f182ac3
        Common Name:                       secure.geonames.org
        Issuer:                            R3
        Serial Number:                     330928683485074596298992038033851802751582
        Not Before:                        2024-03-05
        Not After:                         2024-06-03
        Public Key Algorithm:              _EllipticCurvePublicKey
        Signature Algorithm:               sha256
        Key Size:                          256
        Curve:                             secp256r1
        SubjAltName - DNS Names:           ['secure.geonames.org']
 
      Certificate #0 - Trust
        Hostname Validation:               OK - Certificate matches server hostname
        Android CA Store (13.0.0_r9):      OK - Certificate is trusted
        Apple CA Store (iOS 16.5, iPadOS 16.5, macOS 13.5, tvOS 16.5, and watchOS 9.5):OK - Certificate is trusted
        Java CA Store (jdk-13.0.2):        OK - Certificate is trusted
        Mozilla CA Store (2023-07-27):     OK - Certificate is trusted
        Windows CA Store (2023-06-11):     OK - Certificate is trusted
        Symantec 2018 Deprecation:         OK - Not a Symantec-issued certificate
        Received Chain:                    secure.geonames.org --> R3
        Verified Chain:                    secure.geonames.org --> R3 --> ISRG Root X1
        Received Chain Contains Anchor:    OK - Anchor certificate not sent
        Received Chain Order:              OK - Order is valid
        Verified Chain contains SHA1:      OK - No SHA1-signed certificate in the verified certificate chain
 
      Certificate #0 - Extensions
        OCSP Must-Staple:                  NOT SUPPORTED - Extension not found
        Certificate Transparency:          WARNING - Only 2 SCTs included but Google recommends 3 or more
 
      Certificate #0 - OCSP Stapling
                                           NOT SUPPORTED - Server did not send back an OCSP response
 
  * SSL 2.0 Cipher Suites:
      Attempted to connect using 7 cipher suites; the server rejected all cipher suites.
 
  * SSL 3.0 Cipher Suites:
      Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
 
  * TLS 1.0 Cipher Suites:
      Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
 
  * TLS 1.1 Cipher Suites:
      Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
 
  * TLS 1.2 Cipher Suites:
      Attempted to connect using 156 cipher suites; the server rejected all cipher suites.
 
  * TLS 1.3 Cipher Suites:
      Attempted to connect using 5 cipher suites.
 
      The server accepted the following 4 cipher suites:
         TLS_CHACHA20_POLY1305_SHA256                      256       ECDH: X25519 (253 bits)
         TLS_AES_256_GCM_SHA384                            256       ECDH: X25519 (253 bits)
         TLS_AES_128_GCM_SHA256                            128       ECDH: X25519 (253 bits)
         TLS_AES_128_CCM_SHA256                            128       ECDH: X25519 (253 bits)
 
 
  * Deflate Compression:
                                           OK - Compression disabled
 
  * OpenSSL CCS Injection:
                                           OK - Not vulnerable to OpenSSL CCS injection
 
  * OpenSSL Heartbleed:
                                           OK - Not vulnerable to Heartbleed
 
  * ROBOT Attack:
                                           OK - Not vulnerable, RSA cipher suites not supported.
 
  * Session Renegotiation:
        Client Renegotiation DoS Attack:   OK - Not vulnerable
        Secure Renegotiation:              OK - Supported
 
  * Elliptic Curve Key Exchange:
        Supported curves:                  X25519, X448, prime256v1, secp384r1, secp521r1
        Rejected curves:                   prime192v1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1
 
  SCANS COMPLETED IN 7.248850 S
  -----------------------------
 
  COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION
  --------------------------------------------
 
     Checking results against Mozilla's "MozillaTlsConfigurationEnum.INTERMEDIATE" configuration. See <a href="https://ssl-config.mozilla.org/" target="_blank" rel="nofollow">https://ssl-config.mozilla.org/</a> for more details.
 
     secure.geonames.org:443: FAILED - Not compliant.
         * ciphersuites: TLS 1.3 cipher suites {'TLS_AES_128_CCM_SHA256'} are supported, but should be rejected.
 


On the other hand the web server (www.geoname.org:443 [188.40.62.8]) and the forum server (forum.geonames.org:443 [176.9.39.79]) both show TLSv1 up to TLSv3 active:

Code:
  CHECKING CONNECTIVITY TO SERVER(S)
  ----------------------------------
 
    www.geonames.org:443      => 188.40.62.8 
 
 
  SCAN RESULTS FOR WWW.GEONAMES.ORG:443 - 188.40.62.8
  ---------------------------------------------------
 
  * Certificates Information:
        Hostname sent for SNI:             www.geonames.org
        Number of certificates detected:   1
 
 
      Certificate #0 ( _RSAPublicKey )
        SHA1 Fingerprint:                  6acfb114c7da59c4ff9d240030286d906e97f63b
        Common Name:                       www.geonames.org
        Issuer:                            R3
        Serial Number:                     305080888114575987342835635147447188705651
        Not Before:                        2024-03-07
        Not After:                         2024-06-05
        Public Key Algorithm:              _RSAPublicKey
        Signature Algorithm:               sha256
        Key Size:                          2048
        Exponent:                          65537
        SubjAltName - DNS Names:           ['www.geonames.org']
 
      Certificate #0 - Trust
        Hostname Validation:               OK - Certificate matches server hostname
        Android CA Store (13.0.0_r9):      OK - Certificate is trusted
        Apple CA Store (iOS 16.5, iPadOS 16.5, macOS 13.5, tvOS 16.5, and watchOS 9.5):OK - Certificate is trusted
        Java CA Store (jdk-13.0.2):        OK - Certificate is trusted
        Mozilla CA Store (2023-07-27):     OK - Certificate is trusted
        Windows CA Store (2023-06-11):     OK - Certificate is trusted
        Symantec 2018 Deprecation:         OK - Not a Symantec-issued certificate
        Received Chain:                    www.geonames.org --> R3
        Verified Chain:                    www.geonames.org --> R3 --> ISRG Root X1
        Received Chain Contains Anchor:    OK - Anchor certificate not sent
        Received Chain Order:              OK - Order is valid
        Verified Chain contains SHA1:      OK - No SHA1-signed certificate in the verified certificate chain
 
      Certificate #0 - Extensions
        OCSP Must-Staple:                  NOT SUPPORTED - Extension not found
        Certificate Transparency:          WARNING - Only 2 SCTs included but Google recommends 3 or more
 
      Certificate #0 - OCSP Stapling
                                           NOT SUPPORTED - Server did not send back an OCSP response
 
  * SSL 2.0 Cipher Suites:
      Attempted to connect using 7 cipher suites; the server rejected all cipher suites.
 
  * SSL 3.0 Cipher Suites:
      Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
 
  * TLS 1.0 Cipher Suites:
      Attempted to connect using 80 cipher suites.
 
      The server accepted the following 4 cipher suites:
         TLS_RSA_WITH_AES_256_CBC_SHA                      256                      
         TLS_RSA_WITH_AES_128_CBC_SHA                      128                      
         TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (2048 bits) 
         TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  128       DH (2048 bits) 
 
      The group of cipher suites supported by the server has the following properties:
        Forward Secrecy                    OK - Supported
        Legacy RC4 Algorithm               OK - Not Supported
 
 
  * TLS 1.1 Cipher Suites:
      Attempted to connect using 80 cipher suites.
 
      The server accepted the following 4 cipher suites:
         TLS_RSA_WITH_AES_256_CBC_SHA                      256                      
         TLS_RSA_WITH_AES_128_CBC_SHA                      128                      
         TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (2048 bits) 
         TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  128       DH (2048 bits) 
 
      The group of cipher suites supported by the server has the following properties:
        Forward Secrecy                    OK - Supported
        Legacy RC4 Algorithm               OK - Not Supported
 
 
  * TLS 1.2 Cipher Suites:
      Attempted to connect using 156 cipher suites.
 
      The server accepted the following 6 cipher suites:
         TLS_RSA_WITH_AES_256_CBC_SHA                      256                      
         TLS_RSA_WITH_AES_128_CBC_SHA                      128                      
         TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               256       DH (2048 bits) 
         TLS_DHE_RSA_WITH_AES_256_CBC_SHA256               256       DH (2048 bits) 
         TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (2048 bits) 
         TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  128       DH (2048 bits) 
 
      The group of cipher suites supported by the server has the following properties:
        Forward Secrecy                    OK - Supported
        Legacy RC4 Algorithm               OK - Not Supported
 
 
  * TLS 1.3 Cipher Suites:
      Attempted to connect using 5 cipher suites.
 
      The server accepted the following 4 cipher suites:
         TLS_CHACHA20_POLY1305_SHA256                      256       ECDH: X25519 (253 bits)
         TLS_AES_256_GCM_SHA384                            256       ECDH: X25519 (253 bits)
         TLS_AES_128_GCM_SHA256                            128       ECDH: X25519 (253 bits)
         TLS_AES_128_CCM_SHA256                            128       ECDH: X25519 (253 bits)
 
 
  * Deflate Compression:
                                           OK - Compression disabled
 
  * OpenSSL CCS Injection:
                                           OK - Not vulnerable to OpenSSL CCS injection
 
  * OpenSSL Heartbleed:
                                           OK - Not vulnerable to Heartbleed
 
  * ROBOT Attack:
                                           OK - Not vulnerable.
 
  * Session Renegotiation:
        Client Renegotiation DoS Attack:   OK - Not vulnerable
        Secure Renegotiation:              OK - Supported
 
  * Elliptic Curve Key Exchange:
        Supported curves:                  X25519, X448, prime256v1, secp384r1, secp521r1
        Rejected curves:                   prime192v1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1
 
  SCANS COMPLETED IN 7.973056 S
  -----------------------------
 
  COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION
  --------------------------------------------
 
     Checking results against Mozilla's "MozillaTlsConfigurationEnum.INTERMEDIATE" configuration. See <a href="https://ssl-config.mozilla.org/" target="_blank" rel="nofollow">https://ssl-config.mozilla.org/</a> for more details.
 
     www.geonames.org:443: FAILED - Not compliant.
         * tls_versions: TLS versions {'TLSv1.1', 'TLSv1'} are supported, but should be rejected.
         * ciphersuites: TLS 1.3 cipher suites {'TLS_AES_128_CCM_SHA256'} are supported, but should be rejected.
         * ciphers: Cipher suites {'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256'} are supported, but should be rejected.
 


Could you please reconfigure secure.geonames.org to support the same protocols (at least TLSv2) and cipher these two do?

Best Regards
Mirko
marc



Joined: 08/12/2005 07:39:47
Messages: 4439
Offline

Hi Mirko

hm, annoying. The config is the same, but the openssl version is different. I have not yet figured out how to enable the old tls1.2
Can't you switch to the non-ssl endpoint as a workaround if you don't care about the newer ssl versions anyhow? Or to the premium end point

I assume it has good reasons that newer openssl versions no longer support older ciphers and tls versions.


Best Regards

Marc

[WWW]
Mirko Klingmann



Joined: 13/03/2024 12:41:36
Messages: 3
Offline

Hi Marc,

thank you for your quick response.

As I can see in the server's response, you are using Apache as the web server.
I found found this on enabling TLS protocols for OpenSSL in Apache:
https://serverfault.com/questions/314858/how-to-enable-tls-1-1-and-1-2-with-openssl-and-apache
Hope that helps.

I will switch to the non-SSL version then, as we do not transfer any sensitive information. I might try to switch back to TLS at a later time to assure data integrity, if protocol nogitiation is possible again.

Best Regards
Mirko
 
Forum Index -> General
Go to:   
Powered by JForum 2.1.5 © JForum Team