
[#1278] open_sock_tcp() + transport

Date: 2010-02-12 10:28
Priority: 3
State: Open
Submitted by: Michael Meyer (mime)
Assigned to: Werner Koch (werner)
Architecture: None
Product: OpenVAS
Operating System: Linux
Component: openvas-libraries
Version: None
Severity: normal
Resolution: Fixed
Hardware: All
Summary: open_sock_tcp() + transport

Detailed description
open_sock_tcp() has problems connecting to some ssl-services.



,---[ test.nasl ]
| port = 8000;
| transport = make_list(ENCAPS_SSLv23,ENCAPS_SSLv3,ENCAPS_TLSv1,ENCAPS_SSLv2);
|
| foreach t (transport) {
|   display("TRANSPORT: ",t,"\n");
|   soc = open_sock_tcp(port, transport: t);
|
|   if(!soc) {
|     display("NO SOCKET\n\n");
|   } else {
|     display("SOCKET OK\n\n");
|     send(socket:soc, data: string("GET /\r\n"));
|     buf = recv(socket:soc, length: 512);
|     display("\n",buf,"\n\n");
|     close(soc);
|   }
|   sleep(2);
| }
`---|



,---|
| mime@kira:~ % sudo openssl s_server -accept 8000 \
|     -key /home/mime/ca/serverkey.pem \
|     -cert /home/mime/ca/servercert.pem \
|     -msg -www
`---|



,---|
| openvas-nasl -X -t 192.168.2.4 /path/to/test.nasl (Also with Client)
|
| TRANSPORT: 2
| [31327] open_stream_connection: TCP:8000 transport:2 timeout:10
| [31327] connect : Operation now in progress
| [31327] gnutls_handshake: The Diffie Hellman prime sent by the server is not acceptable (not long enough).
| NO SOCKET
|
| TRANSPORT: 4
| [31327] open_stream_connection: TCP:8000 transport:4 timeout:10
| [31327] connect : Operation now in progress
| [31327] gnutls_handshake: The Diffie Hellman prime sent by the server is not acceptable (not long enough).
| NO SOCKET
|
| TRANSPORT: 5
| [31327] open_stream_connection: TCP:8000 transport:5 timeout:10
| [31327] connect : Operation now in progress
| [31327] gnutls_handshake: The Diffie Hellman prime sent by the server is not acceptable (not long enough).
| NO SOCKET
|
| TRANSPORT: 3
| [31327] open_stream_connection: TCP:8000 transport:3 timeout:10
| open_stream_connection(): unsupported transport layer 3
| NO SOCKET
`---



,---|
| mime@openvas-qa:~> gnutls-cli -p 8000 192.168.2.4
| Resolving '192.168.2.4'...
| Connecting to '192.168.2.4:8000'...
| - Ephemeral Diffie-Hellman parameters
| - Using prime: 520 bits
| - Secret key: 503 bits
| - Peer's public key: 512 bits
| - Certificate type: X.509
| - Got a certificate list of 1 certificates.
|
| - Certificate[0] info:
| # The hostname in the certificate matches '192.168.2.4'.
| # valid since: Thu Feb 11 16:16:25 CET 2010
| # expires at: Fri Feb 11 16:16:25 CET 2011
| # fingerprint: 63:19:DF:BA:4C:1D:3C:3D:CF:C6:89:62:19:96:58:75
| # Subject's DN: C=DE,ST=Some-State,O=Internet Widgits Pty Ltd,CN=192.168.2.4
| # Issuer's DN: C=DE,ST=Some-State,O=Internet Widgits Pty Ltd,CN=192.168.2.4
|
| - Peer's certificate issuer is unknown
| - Peer's certificate is NOT trusted
| - Version: TLS1.0
| - Key Exchange: DHE-RSA
| - Cipher: AES-128-CBC
| - MAC: SHA1
| - Compression: NULL
| - Handshake was completed
|
| - Simple Client Mode:
`---

Followup

Message
Date: 2012-10-17 14:31
Sender: Werner Koch


Is this bug resolved for you, or is further action necessary?
Date: 2012-10-17 14:28
Sender: Werner Koch

Hi,

I am currently hacking on an extension. What you can do with it is best explained with that little script:

sock = open_sock_tcp(target_port,
                     transport:ENCAPS_TLScustom,
                     priority:strcat("NONE:+VERS-TLS1.0:",
                                     "+AES-256-CBC:+AES-128-CBC:",
                                     "+COMP-DEFLATE:+COMP-NULL:",
                                     "+RSA:+DHE-RSA:+DHE-DSS:+SHA1"));
if (sock > 0) {
  testcase_ok();
  display("\tencaps: ", get_sock_info(sock, "encaps", asstring:1),"\n");
  display("\ttls-proto: ", get_sock_info(sock, "tls-proto"), "\n");
  display("\ttls-kx: ", get_sock_info(sock, "tls-kx"), "\n");
  display("\ttls-ctype: ", get_sock_info(sock, "tls-certtype"), "\n");
  display("\ttls-cipher: ", get_sock_info(sock, "tls-cipher"), "\n");
  display("\ttls-mac: ", get_sock_info(sock, "tls-mac"), "\n");
  display("\ttls-comp: ", get_sock_info(sock, "tls-comp"), "\n");
}

Thus you may specify any option that GNUTLS offers to open a connection. I'll commit later today.
Date: 2012-10-17 08:50
Sender: Werner Koch

Hi,

I am currently hacking on an extension. What you can do with it is best explained with that little script:

sock = open_sock_tcp(target_port,
                     transport:ENCAPS_TLScustom,
                     priority:strcat("NONE:+VERS-TLS1.0:",
                                     "+AES-256-CBC:+AES-128-CBC:",
                                     "+COMP-DEFLATE:+COMP-NULL:",
                                     "+RSA:+DHE-RSA:+DHE-DSS:+SHA1"));
if (sock > 0) {
  testcase_ok();
  display("\tencaps: ", get_sock_info(sock, "encaps", asstring:1),"\n");
  display("\ttls-proto: ", get_sock_info(sock, "tls-proto"), "\n");
  display("\ttls-kx: ", get_sock_info(sock, "tls-kx"), "\n");
  display("\ttls-ctype: ", get_sock_info(sock, "tls-certtype"), "\n");
  display("\ttls-cipher: ", get_sock_info(sock, "tls-cipher"), "\n");
  display("\ttls-mac: ", get_sock_info(sock, "tls-mac"), "\n");
  display("\ttls-comp: ", get_sock_info(sock, "tls-comp"), "\n");
}

Thus you may specify any option that GNUTLS offers to open a connection. I'll commit later today.
Date: 2010-02-24 10:11
Sender: Michael Meyer



I'm able to fix the Problem with the Oracle Weblogic by adding:

[ openvas-libraries/misc/network.c ]
static int
set_gnutls_priorities(gnutls_session_t session,
                      int * protocol_priority,
                      int * cipher_priority,
                      int * comp_priority,
                      int * kx_priority,
                      int * mac_priority)

[...]

  if((err = gnutls_protocol_set_priority(session, protocol_priority))
     || (err = gnutls_cipher_set_priority(session, cipher_priority))
     || (err = gnutls_compression_set_priority(session, comp_priority))
     || (err = gnutls_kx_set_priority(session, kx_priority))
     || (err = gnutls_mac_set_priority(session, mac_priority))
     || (err = gnutls_priority_set_direct (session, "NORMAL:%COMPAT:-VERS-TLS1.1:+ARCFOUR-40:+RSA-EXPORT", NULL)))
    {
[...]

Therefore, it would be good if I could do the following
in open_sock_tcp().

open_sock_tcp(socket: soc, transport: ENCAPS_SSLv3, priority: "NORMAL:%COMPAT:-VERS-TLS1.1:+ARCFOUR-40:+RSA-EXPORT");
Date: 2010-02-18 09:59
Sender: Felix Wolfsteller

Thanks for all that effort.
A discussion triggered by Michael can be found at http://lists.gnu.org/archive/html/help-gnutls/2010-02/msg00000.html.
Date: 2010-02-17 09:39
Sender: Michael Meyer

The above problem can be fixed by adding:

openvas-libraries/misc/network.c (set_gnutls_protocol)
gnutls_dh_set_prime_bits (session, 512);

Problem seems to be that the OpenVAS-Client is using this function as well.
Felix knows more about that.

But there are more problems:

The following is near to the Oracle Weblogic NodeManager, which is listening on port 5556
and where I'm not able to get an ssl-socket with open_sock_tcp().

,---|
| kira mime # openssl s_server -accept 5556 -key /root/ca/serverkey.pem -cert /root/ca/servercert.pem -cipher EXP-RC4-MD5
| Using default temp DH parameters
| Using default temp ECDH parameters
| ACCEPT
`---|

,---|
| sudo /opt/openvas3/bin/openvas-nasl -X -t 192.168.2.4 /opt/openvas3/lib/openvas/plugins/test.nasl
| TRANSPORT: 2
| [3334] open_stream_connection: TCP:5556 transport:2 timeout:10
| [3334] connect : Operation now in progress
| [3334] gnutls_handshake: A TLS fatal alert has been received.
| NO SOCKET
|
| TRANSPORT: 4
| [3334] open_stream_connection: TCP:5556 transport:4 timeout:10
| [3334] connect : Operation now in progress
| [3334] gnutls_handshake: A TLS fatal alert has been received.
| NO SOCKET
|
| TRANSPORT: 5
| [3334] open_stream_connection: TCP:5556 transport:5 timeout:10
| [3334] connect : Operation now in progress
| [3334] gnutls_handshake: A TLS fatal alert has been received.
| NO SOCKET
|
| TRANSPORT: 3
| [3334] open_stream_connection: TCP:5556 transport:3 timeout:10
| open_stream_connection(): unsupported transport layer 3
| NO SOCKET
`---|

,---|
| mime@kira:~ % gnutls-cli -p 5556 192.168.2.4
| Resolving '192.168.2.4'...
| Connecting to '192.168.2.4:5556'...
| *** Fatal error: A TLS fatal alert has been received.
| *** Received alert [40]: Handshake failed
| *** Handshake has failed
| GNUTLS ERROR: A TLS fatal alert has been received.
`---|

,---[ help-gnutls@gnu.org ]
| He needs to add +ARCFOUR-40 and +RSA-EXPORT as well. They are not
| enabled by default.
`---|

,---|
| mime@kira:~ % gnutls-cli -p 5556 192.168.2.4 --priority "NORMAL:%COMPAT:+ARCFOUR-40:+RSA-EXPORT"
| Resolving '192.168.2.4'...
| Connecting to '192.168.2.4:5556'...
| - Certificate type: X.509
| - Got a certificate list of 1 certificates.
| - Certificate[0] info:
| - subject `C=DE,ST=Some-State,O=Internet Widgits Pty Ltd,CN=192.168.2.4', issuer `C=DE,ST=Some-State,O=Internet Widgits Pty Ltd,CN=192.168.2.4', RSA key 2048 bits, signed using RSA-SHA, activated `2010-02-11 15:16:25 UTC', expires `2011-02-11 15:16:25 UTC', SHA-1 fingerprint `42895851ceeee97c020f4e92351a75a56d236562'
| - The hostname in the certificate matches '192.168.2.4'.
| - Peer's certificate issuer is unknown
| - Peer's certificate is NOT trusted
| - Version: TLS1.0
| - Key Exchange: RSA-EXPORT
| - Cipher: ARCFOUR-40
| - MAC: MD5
| - Compression: NULL
| - Handshake was completed
|
| - Simple Client Mode:
`---|

But for the Oracle Weblogic NodeManager:

,---|
| mime@kira:~ % gnutls-cli -p 5556 192.168.2.6 --priority "NORMAL:%COMPAT:+ARCFOUR-40:+RSA-EXPORT"
| Resolving '192.168.2.6'...
| Connecting to '192.168.2.6:5556'...
| *** Fatal error: A TLS fatal alert has been received.
| *** Received alert [70]: Error in protocol version
| *** Handshake has failed
| GNUTLS ERROR: A TLS fatal alert has been received.
`---|

,---[ help-gnutls@gnu.org ]
| >> Try disabling TLS versions > 1.0 or TLS extensions.
`---|

,---|
| mime@kira:~ % gnutls-cli --insecure -p 5556 192.168.2.6 --priority "NORMAL:%COMPAT:-VERS-TLS1.1:+ARCFOUR-40:+RSA-EXPORT"
| Resolving '192.168.2.6'...
| Connecting to '192.168.2.6:5556'...
| - Certificate type: X.509
| - Got a certificate list of 1 certificates.
| - Certificate[0] info:
| - subject `C=US,ST=MyState,L=MyTown,O=MyOrganization,OU=FOR TESTING ONLY,CN=GFDGFDGSFD', issuer `C=US,ST=MyState,L=MyTown,O=MyOrganization,OU=FOR TESTING ONLY,CN=CertGenCAB', RSA key 512 bits, signed using RSA-MD5 (broken!), activated `2010-02-14 10:21:38 UTC', expires `2025-02-15 10:21:38 UTC', SHA-1 fingerprint `aab4b6f0dcd6486e43661455865dd365dc5cb164'
| - The hostname in the certificate does NOT match '192.168.2.6'
| - Peer's certificate issuer is unknown
| - Peer's certificate is NOT trusted
| - Version: TLS1.0
| - Key Exchange: RSA-EXPORT
| - Cipher: ARCFOUR-40
| - MAC: MD5
| - Compression: NULL
| - Handshake was completed
|
| - Simple Client Mode:
`---|

,---[ help-gnutls@gnu.org ]
| >> Any hints how to make this work also with C-code? :)
| >> We are looking for the best way to *always* get
| >> a connection in C? Even if there is something
| >> "strange" on the remote side.
|
| > Call something like this:
| >
| > rc = gnutls_priority_set_direct (session, "NORMAL:%COMPAT....", NULL);
| >
| > http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-priority-set-direct
| > http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-priority-init
`---|

For open_sock_tcp() GnuTLS should be configured in a way where it is possible to *always* get a connection. Enable
all available ciphers, enable compatibility mode, enable "--insecure",...
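
Added example (not part of the ticket or of OpenVAS): a Python triage script that reads `openvas-nasl -X` output like the logs in this thread and maps each failed attempt to the change that resolved it here. The `ENCAPS_*` numbering is inferred from the order of the report's output, the sample is condensed from the quoted logs, and the names `triage` and `remedy_for` are hypothetical.

```python
import re

# ENCAPS_* numbers inferred from this report: test.nasl lists SSLv23, SSLv3, TLSv1, SSLv2; the log prints 2, 4, 5, 3.
ENCAPS = {2: "ENCAPS_SSLv23", 3: "ENCAPS_SSLv2", 4: "ENCAPS_SSLv3", 5: "ENCAPS_TLSv1"}

REMEDIES = [  # error text -> change reported in this ticket; first match wins
    (r"Diffie Hellman prime .* not acceptable", "gnutls_dh_set_prime_bits(session, 512)"),
    (r"Received alert \[40\]", "add +ARCFOUR-40:+RSA-EXPORT to the priority string"),
    (r"Received alert \[70\]", "add -VERS-TLS1.1 to the priority string"),
    (r"unsupported transport layer", "transport rejected before any handshake"),
    (r"A TLS fatal alert has been received", "rerun with gnutls-cli to read the alert number"),
]
ATTEMPT = re.compile(r"open_stream_connection: TCP:(\d+) transport:(\d+)")

def remedy_for(line):  # works on openvas-nasl and gnutls-cli output lines
    return next((fix for pat, fix in REMEDIES if re.search(pat, line)), None)

def triage(log):
    """Return one record per connection attempt in `openvas-nasl -X` output."""
    attempts = []
    for raw in log.splitlines():
        line = raw.lstrip("| ").rstrip()  # tolerate the ticket's "| " box prefix
        m = ATTEMPT.search(line)
        if m:
            port, t = int(m.group(1)), int(m.group(2))
            attempts.append(dict(port=port, transport=ENCAPS.get(t, t), ok=None, remedy=None))
        elif attempts:
            cur = attempts[-1]
            if line in ("SOCKET OK", "NO SOCKET"):
                cur["ok"] = line == "SOCKET OK"
            elif cur["ok"] is None and cur["remedy"] is None:
                cur["remedy"] = remedy_for(line)  # first diagnostic line decides
    return attempts

# Sample input condensed from the logs quoted in this ticket.
SAMPLE = """\
[31327] open_stream_connection: TCP:8000 transport:2 timeout:10
[31327] gnutls_handshake: The Diffie Hellman prime sent by the server is not acceptable (not long enough).
NO SOCKET
[3334] open_stream_connection: TCP:5556 transport:4 timeout:10
[3334] gnutls_handshake: A TLS fatal alert has been received.
NO SOCKET
[3334] open_stream_connection: TCP:5556 transport:3 timeout:10
open_stream_connection(): unsupported transport layer 3
NO SOCKET
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

openvas-nasl logs only the generic fatal-alert text, so the alert-number rules apply to `gnutls-cli` lines passed to `remedy_for` directly.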

Attached Files:

Changes:

Field        Old Value   Date               By
Resolution   None        2012-10-17 14:28   werner
assigned_to  none        2012-10-17 08:50   werner
