GeoNames Forum
secure.geonames.org uses TLSv3 only and unsupported ciphers
Mirko Klingmann



Joined: 13/03/2024 12:41:36
Messages: 3
Offline

Dear team,

as of today, it seems no longer possible to access the REST interface (Server secure.geonames.org:443 [188.40.33.19]) using TLSv2 or lower. SSLyze output is:

Code:
  CHECKING CONNECTIVITY TO SERVER(S)
  ----------------------------------
 
    secure.geonames.org:443   => 188.40.33.19 
 
 
  SCAN RESULTS FOR SECURE.GEONAMES.ORG:443 - 188.40.33.19
  -------------------------------------------------------
 
  * Certificates Information:
        Hostname sent for SNI:             secure.geonames.org
        Number of certificates detected:   1
 
 
      Certificate #0 ( _EllipticCurvePublicKey )
        SHA1 Fingerprint:                  58c30dd60114a3a8e061dba7c39a5fef1f182ac3
        Common Name:                       secure.geonames.org
        Issuer:                            R3
        Serial Number:                     330928683485074596298992038033851802751582
        Not Before:                        2024-03-05
        Not After:                         2024-06-03
        Public Key Algorithm:              _EllipticCurvePublicKey
        Signature Algorithm:               sha256
        Key Size:                          256
        Curve:                             secp256r1
        SubjAltName - DNS Names:           ['secure.geonames.org']
 
      Certificate #0 - Trust
        Hostname Validation:               OK - Certificate matches server hostname
        Android CA Store (13.0.0_r9):      OK - Certificate is trusted
        Apple CA Store (iOS 16.5, iPadOS 16.5, macOS 13.5, tvOS 16.5, and watchOS 9.5):OK - Certificate is trusted
        Java CA Store (jdk-13.0.2):        OK - Certificate is trusted
        Mozilla CA Store (2023-07-27):     OK - Certificate is trusted
        Windows CA Store (2023-06-11):     OK - Certificate is trusted
        Symantec 2018 Deprecation:         OK - Not a Symantec-issued certificate
        Received Chain:                    secure.geonames.org --> R3
        Verified Chain:                    secure.geonames.org --> R3 --> ISRG Root X1
        Received Chain Contains Anchor:    OK - Anchor certificate not sent
        Received Chain Order:              OK - Order is valid
        Verified Chain contains SHA1:      OK - No SHA1-signed certificate in the verified certificate chain
 
      Certificate #0 - Extensions
        OCSP Must-Staple:                  NOT SUPPORTED - Extension not found
        Certificate Transparency:          WARNING - Only 2 SCTs included but Google recommends 3 or more
 
      Certificate #0 - OCSP Stapling
                                           NOT SUPPORTED - Server did not send back an OCSP response
 
  * SSL 2.0 Cipher Suites:
      Attempted to connect using 7 cipher suites; the server rejected all cipher suites.
 
  * SSL 3.0 Cipher Suites:
      Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
 
  * TLS 1.0 Cipher Suites:
      Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
 
  * TLS 1.1 Cipher Suites:
      Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
 
  * TLS 1.2 Cipher Suites:
      Attempted to connect using 156 cipher suites; the server rejected all cipher suites.
 
  * TLS 1.3 Cipher Suites:
      Attempted to connect using 5 cipher suites.
 
      The server accepted the following 4 cipher suites:
         TLS_CHACHA20_POLY1305_SHA256                      256       ECDH: X25519 (253 bits)
         TLS_AES_256_GCM_SHA384                            256       ECDH: X25519 (253 bits)
         TLS_AES_128_GCM_SHA256                            128       ECDH: X25519 (253 bits)
         TLS_AES_128_CCM_SHA256                            128       ECDH: X25519 (253 bits)
 
 
  * Deflate Compression:
                                           OK - Compression disabled
 
  * OpenSSL CCS Injection:
                                           OK - Not vulnerable to OpenSSL CCS injection
 
  * OpenSSL Heartbleed:
                                           OK - Not vulnerable to Heartbleed
 
  * ROBOT Attack:
                                           OK - Not vulnerable, RSA cipher suites not supported.
 
  * Session Renegotiation:
        Client Renegotiation DoS Attack:   OK - Not vulnerable
        Secure Renegotiation:              OK - Supported
 
  * Elliptic Curve Key Exchange:
        Supported curves:                  X25519, X448, prime256v1, secp384r1, secp521r1
        Rejected curves:                   prime192v1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1
 
  SCANS COMPLETED IN 7.248850 S
  -----------------------------
 
  COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION
  --------------------------------------------
 
     Checking results against Mozilla's "MozillaTlsConfigurationEnum.INTERMEDIATE" configuration. See https://ssl-config.mozilla.org/ for more details.
 
     secure.geonames.org:443: FAILED - Not compliant.
         * ciphersuites: TLS 1.3 cipher suites {'TLS_AES_128_CCM_SHA256'} are supported, but should be rejected.
 


On the other hand the web server (www.geonames.org:443 [188.40.62.8]) and the forum server (forum.geonames.org:443 [176.9.39.79]) both show TLSv1 up to TLSv3 active:

Code:
  CHECKING CONNECTIVITY TO SERVER(S)
  ----------------------------------
 
    www.geonames.org:443      => 188.40.62.8 
 
 
  SCAN RESULTS FOR WWW.GEONAMES.ORG:443 - 188.40.62.8
  ---------------------------------------------------
 
  * Certificates Information:
        Hostname sent for SNI:             www.geonames.org
        Number of certificates detected:   1
 
 
      Certificate #0 ( _RSAPublicKey )
        SHA1 Fingerprint:                  6acfb114c7da59c4ff9d240030286d906e97f63b
        Common Name:                       www.geonames.org
        Issuer:                            R3
        Serial Number:                     305080888114575987342835635147447188705651
        Not Before:                        2024-03-07
        Not After:                         2024-06-05
        Public Key Algorithm:              _RSAPublicKey
        Signature Algorithm:               sha256
        Key Size:                          2048
        Exponent:                          65537
        SubjAltName - DNS Names:           ['www.geonames.org']
 
      Certificate #0 - Trust
        Hostname Validation:               OK - Certificate matches server hostname
        Android CA Store (13.0.0_r9):      OK - Certificate is trusted
        Apple CA Store (iOS 16.5, iPadOS 16.5, macOS 13.5, tvOS 16.5, and watchOS 9.5):OK - Certificate is trusted
        Java CA Store (jdk-13.0.2):        OK - Certificate is trusted
        Mozilla CA Store (2023-07-27):     OK - Certificate is trusted
        Windows CA Store (2023-06-11):     OK - Certificate is trusted
        Symantec 2018 Deprecation:         OK - Not a Symantec-issued certificate
        Received Chain:                    www.geonames.org --> R3
        Verified Chain:                    www.geonames.org --> R3 --> ISRG Root X1
        Received Chain Contains Anchor:    OK - Anchor certificate not sent
        Received Chain Order:              OK - Order is valid
        Verified Chain contains SHA1:      OK - No SHA1-signed certificate in the verified certificate chain
 
      Certificate #0 - Extensions
        OCSP Must-Staple:                  NOT SUPPORTED - Extension not found
        Certificate Transparency:          WARNING - Only 2 SCTs included but Google recommends 3 or more
 
      Certificate #0 - OCSP Stapling
                                           NOT SUPPORTED - Server did not send back an OCSP response
 
  * SSL 2.0 Cipher Suites:
      Attempted to connect using 7 cipher suites; the server rejected all cipher suites.
 
  * SSL 3.0 Cipher Suites:
      Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
 
  * TLS 1.0 Cipher Suites:
      Attempted to connect using 80 cipher suites.
 
      The server accepted the following 4 cipher suites:
         TLS_RSA_WITH_AES_256_CBC_SHA                      256                      
         TLS_RSA_WITH_AES_128_CBC_SHA                      128                      
         TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (2048 bits) 
         TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  128       DH (2048 bits) 
 
      The group of cipher suites supported by the server has the following properties:
        Forward Secrecy                    OK - Supported
        Legacy RC4 Algorithm               OK - Not Supported
 
 
  * TLS 1.1 Cipher Suites:
      Attempted to connect using 80 cipher suites.
 
      The server accepted the following 4 cipher suites:
         TLS_RSA_WITH_AES_256_CBC_SHA                      256                      
         TLS_RSA_WITH_AES_128_CBC_SHA                      128                      
         TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (2048 bits) 
         TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  128       DH (2048 bits) 
 
      The group of cipher suites supported by the server has the following properties:
        Forward Secrecy                    OK - Supported
        Legacy RC4 Algorithm               OK - Not Supported
 
 
  * TLS 1.2 Cipher Suites:
      Attempted to connect using 156 cipher suites.
 
      The server accepted the following 6 cipher suites:
         TLS_RSA_WITH_AES_256_CBC_SHA                      256                      
         TLS_RSA_WITH_AES_128_CBC_SHA                      128                      
         TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               256       DH (2048 bits) 
         TLS_DHE_RSA_WITH_AES_256_CBC_SHA256               256       DH (2048 bits) 
         TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (2048 bits) 
         TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  128       DH (2048 bits) 
 
      The group of cipher suites supported by the server has the following properties:
        Forward Secrecy                    OK - Supported
        Legacy RC4 Algorithm               OK - Not Supported
 
 
  * TLS 1.3 Cipher Suites:
      Attempted to connect using 5 cipher suites.
 
      The server accepted the following 4 cipher suites:
         TLS_CHACHA20_POLY1305_SHA256                      256       ECDH: X25519 (253 bits)
         TLS_AES_256_GCM_SHA384                            256       ECDH: X25519 (253 bits)
         TLS_AES_128_GCM_SHA256                            128       ECDH: X25519 (253 bits)
         TLS_AES_128_CCM_SHA256                            128       ECDH: X25519 (253 bits)
 
 
  * Deflate Compression:
                                           OK - Compression disabled
 
  * OpenSSL CCS Injection:
                                           OK - Not vulnerable to OpenSSL CCS injection
 
  * OpenSSL Heartbleed:
                                           OK - Not vulnerable to Heartbleed
 
  * ROBOT Attack:
                                           OK - Not vulnerable.
 
  * Session Renegotiation:
        Client Renegotiation DoS Attack:   OK - Not vulnerable
        Secure Renegotiation:              OK - Supported
 
  * Elliptic Curve Key Exchange:
        Supported curves:                  X25519, X448, prime256v1, secp384r1, secp521r1
        Rejected curves:                   prime192v1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1
 
  SCANS COMPLETED IN 7.973056 S
  -----------------------------
 
  COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION
  --------------------------------------------
 
     Checking results against Mozilla's "MozillaTlsConfigurationEnum.INTERMEDIATE" configuration. See https://ssl-config.mozilla.org/ for more details.
 
     www.geonames.org:443: FAILED - Not compliant.
         * tls_versions: TLS versions {'TLSv1.1', 'TLSv1'} are supported, but should be rejected.
         * ciphersuites: TLS 1.3 cipher suites {'TLS_AES_128_CCM_SHA256'} are supported, but should be rejected.
         * ciphers: Cipher suites {'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256'} are supported, but should be rejected.
 


Could you please reconfigure secure.geonames.org to support the same protocols (at least TLSv2) and ciphers these two do?

Best Regards
Mirko
marc



Joined: 08/12/2005 07:39:47
Messages: 4416
Offline

Hi Mirko

Hm, annoying. The config is the same, but the openssl version is different. I have not yet figured out how to enable the old tls1.2.
Can't you switch to the non-ssl endpoint as a workaround if you don't care about the newer ssl versions anyhow? Or to the premium endpoint?

I assume it has good reasons that newer openssl versions no longer support older ciphers and tls versions.


Best Regards

Marc

Mirko Klingmann



Joined: 13/03/2024 12:41:36
Messages: 3
Offline

Hi Marc,

thank you for your quick response.

As I can see in the server's response, you are using Apache as the web server.
I found this on enabling TLS protocols for OpenSSL in Apache:
https://serverfault.com/questions/314858/how-to-enable-tls-1-1-and-1-2-with-openssl-and-apache
Hope that helps.

I will switch to the non-SSL version then, as we do not transfer any sensitive information. I might try to switch back to TLS at a later time to assure data integrity, if protocol negotiation is possible again.

Best Regards
Mirko
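
Added example, not part of any post above and not GeoNames or SSLyze code: the two scans differ in certificate key type (`_EllipticCurvePublicKey` on secure.geonames.org, `_RSAPublicKey` on www.geonames.org), and every TLS 1.0 to 1.2 suite the www host accepts is RSA-authenticated. The sketch below parses SSLyze-style text and checks which of a reference host's suites the target's certificate could serve. It assumes both hosts share one cipher list, and the sample text is a constructed, abridged excerpt.

```python
import re

# Constructed, abridged excerpts in SSLyze's text layout, based on the two scans in this thread.
SECURE = """\
      Certificate #0 ( _EllipticCurvePublicKey )
  * TLS 1.2 Cipher Suites:
      Attempted to connect using 156 cipher suites; the server rejected all cipher suites.
  * TLS 1.3 Cipher Suites:
         TLS_AES_256_GCM_SHA384                            256       ECDH: X25519 (253 bits)
"""
WWW = """\
      Certificate #0 ( _RSAPublicKey )
  * TLS 1.2 Cipher Suites:
         TLS_RSA_WITH_AES_256_CBC_SHA                      256
         TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               256       DH (2048 bits)
  * TLS 1.3 Cipher Suites:
         TLS_AES_256_GCM_SHA384                            256       ECDH: X25519 (253 bits)
"""

def parse_scan(text):
    """Return (certificate key type, {protocol: [accepted suite names]})."""
    key = re.search(r"Certificate #0 \( _(\w+)PublicKey \)", text).group(1)
    suites, proto = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*\* ((?:SSL|TLS) [\d.]+) Cipher Suites:", line)
        if head:
            proto = head.group(1)
            suites[proto] = []
        elif line.lstrip().startswith("* "):
            proto = None  # a non-cipher section such as "* ROBOT Attack:"
        elif proto and (m := re.match(r"\s+(TLS_\w+)", line)):
            suites[proto].append(m.group(1))
    return key, suites

def cert_key_needed(suite):
    """Key type the suite name demands of the certificate; None for TLS 1.3 suites."""
    if re.match(r"TLS_(RSA_WITH|(EC)?DHE_RSA)_", suite):
        return "RSA"
    return "EllipticCurve" if suite.startswith("TLS_ECDHE_ECDSA_") else None

def compare(target_text, reference_text):
    """Per protocol: what the target accepts, and which reference suites fit its certificate."""
    key, target = parse_scan(target_text)
    _, reference = parse_scan(reference_text)
    return key, {
        proto: {"accepted": target.get(proto, []),
                "reference_usable": [s for s in ref if cert_key_needed(s) in (None, key)]}
        for proto, ref in reference.items()
    }

print(compare(SECURE, WWW))
```

An empty `reference_usable` list for TLS 1.2 means none of the reference host's suites can be negotiated with the target's certificate, which would produce the "rejected all cipher suites" result while TLS 1.3 keeps working. Whether that is what happened on secure.geonames.org is not confirmed anywhere in the thread.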
 