
List:       busybox
Subject:    RE: wget TLS error from peer (alert code 40): handshake failure on TLS 1.2 and TLS 1.3 X25519 AES256
From:       "Hannasch, David Alexander" <dahanna () sandia ! gov>
Date:       2022-01-11 18:34:38
Message-ID: SA9PR09MB507295B5FE946276C6569F8DD7519 () SA9PR09MB5072 ! namprd09 ! prod ! outlook ! com

Sorry for the separate messages, but I said something wrong before. It's not quite a matter of TLS version per se, I don't think. I tried with a host that supports only TLS 1.2, and busybox wget worked.

In this case, nmap showed:

$ nmap --script ssl-enum-ciphers -p 443 $INTERNAL_HOST
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-11 17:52 UTC
Nmap scan report for [MASKED]
Host is up (0.0011s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds

And busybox:1.35.0 worked:

$ wget --proxy off http://$USERNAME:$PASSWORD@$INTERNAL_HOST
Connecting to [MASKED] (:80)
Connecting to [MASKED] (:443)
wget: note: TLS certificate validation not implemented
saving to 'index.html'
index.html 100% |********************************| 45427 0:00:00 ETA
'index.html' saved

I think maybe it's a particular cipher that busybox doesn't work with. This other host has TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) but also has a lot of other things. I don't know how to tell which cipher busybox wget is actually using.

I haven't found any documentation on how the TLS is done, but I did find
https://git.busybox.net/busybox/tree/networking/tls.c#n1503

//TODO: GCM_SHA384 ciphers can be supported, only need sha384-based PRF?
#if ALLOW_ECDHE_RSA_WITH_AES_128_GCM_SHA256
               0xC0,0x2F, // 8 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - ok: openssl s_server ... -cipher ECDHE-RSA-AES128-GCM-SHA256
#endif
        //      0xC0,0x30, //   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - openssl s_server ... -cipher ECDHE-RSA-AES256-GCM-SHA384: "decryption failed or bad record mac"

This looks promising!
It looks like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is currently commented out of the function send_client_hello_and_alloc_hsd with a TODO noting that all it requires is a SHA384-based Pseudo-Random Function.

https://git.busybox.net/busybox/tree/networking/tls.c#n518

// RFC 5246:
// 5.  HMAC and the Pseudorandom Function
//...
// In this section, we define one PRF, based on HMAC.  This PRF with the
// SHA-256 hash function is used for all cipher suites defined in this
// document and in TLS documents published prior to this document when
// TLS 1.2 is negotiated.
// ^^^^^^^^^^^^^ IMPORTANT!
//               PRF uses sha256 regardless of cipher for all ciphers
//               defined by RFC 5246. It's not sha1 for AES_128_CBC_SHA!
//               However, for _SHA384 ciphers, it's sha384. See RFC 5288,5289.
// RFC 5288:
// For cipher suites ending with _SHA256, the PRF is the TLS PRF
// with SHA-256 as the hash function.
// For cipher suites ending with _SHA384, the PRF is the TLS PRF
// with SHA-384 as the hash function.
static void prf_hmac_sha256(/*tls_state_t *tls,*/

It looks like that's where the SHA256 PRF is implemented.

I now *think* that it's a question of having a prf_hmac_sha384 and using it to enable TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 alongside TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

It looks like ecdh_x25519 is already supported:
https://git.busybox.net/busybox/tree/networking/tls.c#n1543

#if ALLOW_CURVE_X25519
               0x00,0x1d, //curve_x25519 (RFC 7748)
#endif

(assuming the code is compiled with ALLOW_CURVE_X25519)

https://git.busybox.net/busybox/commit/?id=d4681c7293da6aeb901101b5bc239229f4963926


From: Hannasch, David Alexander
Sent: Monday, January 10, 2022 3:33 PM
To: busybox@busybox.net
Subject: wget TLS error from peer (alert code 40): handshake failure on TLS 1.2 and TLS 1.3 X25519 AES256-GCM

package: busybox
version: 1.35.0

When I execute busybox 'wget' it is unable to handshake with a TLS 1.3 X25519 AES256-GCM host.

I have not been able to build busybox from source, so I am using the busybox:1.35.0 container.

I have been using the following scripting:

test-busybox:
  tags:
  - docker
  image: busybox:1.35.0
  script:
  - find / -name *libtls*
  - find / -name *libretls*
  - wget $TLS_13_URL

test-alpine:
  tags:
  - docker
  image: alpine:3.15.0
  script:
  - find / -name *libtls*  # /usr/lib/libtls.so.2.0.0
  - find / -name *libretls*
  - wget $TLS_13_URL

If you're not familiar with GitLab YAML, all that matters is the image name and the script. It's just loading busybox:1.35.0 and trying to wget.

Using Ubuntu, CentOS, or Alpine, wget works fine on this URL.

$ wget $TLS_13_URL
saving to 'index.html'
index.html 100% |********************************| 32211 0:00:00 ETA
'index.html' saved

Using busybox:1.35.0, wget fails.

$ wget $TLS_13_URL
wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer

(If it matters, 1.34.1 fails the same way.)

Unfortunately I do not know of a public-facing URL that supports only TLS 1.2 and 1.3, but I expect that wget will fail in the same way.

If desired, I have a great deal more information on the supported TLS below.

As mentioned, Ubuntu/CentOS/Alpine are all able to use wget just fine. Alpine is the most interesting, since Alpine actually uses BusyBox 1.34.1. It looks like they rebuilt against a newer version of libtls:
https://gitlab.alpinelinux.org/alpine/aports/-/issues/11695
BusyBox doesn't appear (?) to be using libtls, or at least, I haven't found reference to it in the source, so I'm not sure whether a similar solution would work outside of Alpine.

Thank you,
David Hannasch

The promised details on the server are:

$ openssl s_client -connect $INTERNAL_HOST:443 -tls1_3
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
---
Certificate chain
...
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6990 bytes and written 325 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
$ openssl s_client -connect $INTERNAL_HOST:443 -tls1_2
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6898 bytes and written 309 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 4096 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Verify return code: 0 (ok)
Extended master secret: yes
---
DONE
$ openssl s_client -connect $INTERNAL_HOST:443 -tls1_1 || echo "TLS 1.1 is not supported."
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 134 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1641851758
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
TLS 1.1 is not supported.
$ nmap --script ssl-enum-ciphers -p 443 $INTERNAL_HOST
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-10 21:55 UTC
Host is up (0.0011s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

If there are some TLS's that BusyBox does not support, is that documented anywhere?
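Editor's added example (not code from the thread or from busybox): the poster asks how to tell which cipher busybox wget is actually using; the direct way is to read the cipher_suites list out of the client's own ClientHello and intersect it with what the server advertises, which is what the parsers below do against the nmap ssl-enum-ciphers output quoted in this message. The ClientHello bytes are constructed here (only 0xC02F is confirmed from tls.c; the CBC suites are assumed for illustration), the nmap texts are excerpts of the two scans above, and the parser handles any ClientHello with extensions, not just this sample.

```python
import re

# IANA ids for the suite names in this thread plus the CBC suites used below.
SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# Constructed TLS 1.2 ClientHello (not a busybox capture): AES_128_GCM_SHA256
# plus three CBC suites, no AES_256_GCM_SHA384 or ChaCha20; groups x25519
# (0x001d) and secp256r1 (0x0017).  Lengths are hand-computed.
CLIENT_HELLO = bytes.fromhex(
    "16 0301 003f"              # record: handshake, legacy version, 63 bytes
    "01 00003b"                 # handshake: ClientHello, 59 bytes
    "0303"                      # client_version TLS 1.2
    + "00" * 32 +               # random (all zero in this sample)
    "00"                        # session_id length 0
    "0008 c02f c013 002f 0035"  # cipher_suites: 8 bytes, 4 suites
    "01 00"                     # compression_methods: null only
    "000a"                      # extensions length 10
    "000a 0006 0004 001d 0017"  # supported_groups: x25519, secp256r1
)


def _u16(b, i):
    return int.from_bytes(b[i:i + 2], "big")


def parse_client_hello(data):
    """Version, offered suites and supported groups from a raw ClientHello record."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs = data[5:5 + _u16(data, 3)]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(hs) != _u16(data, 3) or len(body) != int.from_bytes(hs[1:4], "big"):
        raise ValueError("truncated record")
    pos = 2 + 32                            # skip client_version and random
    pos += 1 + body[pos]                    # skip session_id
    cs_len = _u16(body, pos)
    pos += 2
    suites = [_u16(body, pos + i) for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                    # skip compression_methods
    groups = []
    if pos + 2 <= len(body):                # extensions block is optional
        end = pos + 2 + _u16(body, pos)
        pos += 2
        while pos + 4 <= end:
            etype, elen = _u16(body, pos), _u16(body, pos + 2)
            ext = body[pos + 4:pos + 4 + elen]
            if etype == 0x000A:             # supported_groups (RFC 8422)
                groups = [_u16(ext, 2 + i) for i in range(0, _u16(ext, 0), 2)]
            pos += 4 + elen
    return {"version": body[0:2], "cipher_suites": suites, "groups": groups}


# Excerpts of the two nmap ssl-enum-ciphers scans quoted in this message.
NMAP_TLS13_HOST = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|_  least strength: A
"""
NMAP_TLS12_HOST = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: A
"""


def parse_nmap_ciphers(text):
    """Map each protocol version in ssl-enum-ciphers output to its suite names."""
    out, proto = {}, None
    for line in text.splitlines():
        head = re.match(r"^\|\s+(TLSv1\.\d|SSLv\d):", line)
        suite = re.match(r"^\|\s+(TLS_[A-Z0-9_]+) \(", line)
        if head:
            proto = head.group(1)
            out[proto] = []
        elif suite and proto:
            out[proto].append(suite.group(1))
    return out


def tls12_suites_in_common(client_hello, nmap_text):
    """Offered suites the server also lists for TLSv1.2, in client order; an empty
    list is the 'alert code 40: handshake failure' case from the thread."""
    offered = parse_client_hello(client_hello)["cipher_suites"]
    server = set(parse_nmap_ciphers(nmap_text).get("TLSv1.2", []))
    return [SUITE_NAMES[s] for s in offered if SUITE_NAMES.get(s) in server]
```

A real ClientHello from busybox wget can be captured with tcpdump or Wireshark on port 443 and fed to parse_client_hello as the first record of the stream.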

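Editor's added example (not busybox's tls.c and not the poster's code) for the prf_hmac_sha256 / prf_hmac_sha384 point above: the RFC 5246 PRF written with the hash as a parameter, the RFC 5288/5289 rule that selects SHA-384 only for *_SHA384 suites, and the AES-GCM key_block split that follows, which shows that AES_256_GCM_SHA384 changes both the PRF hash and the key length relative to AES_128_GCM_SHA256. The zero pre-master secret and fixed randoms in the demo are constructed sample inputs.

```python
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_<hash>(secret, seed) from RFC 5246 section 5, expanded to `length` bytes:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)), output = HMAC(secret, A(i) + seed)..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls12_prf(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_<hash>(secret, label + seed).
    busybox's prf_hmac_sha256 is this with hash_name fixed to sha256; the
    prf_hmac_sha384 the TODO asks for is the same thing with sha384."""
    return p_hash(hash_name, secret, label + seed, length)


def prf_hash_for_suite(suite):
    """RFC 5246 / 5288 / 5289: only suites ending in _SHA384 switch the PRF to
    SHA-384; everything else negotiated under TLS 1.2, *_CBC_SHA included, uses
    SHA-256."""
    return "sha384" if suite.endswith("_SHA384") else "sha256"


# RFC 5288 AES-GCM parameters: no MAC key (AEAD), 4-byte implicit nonce part.
GCM_KEY_LEN = {"AES_128_GCM": 16, "AES_256_GCM": 32}
GCM_FIXED_IV_LEN = 4


def derive_gcm_keys(suite, pre_master_secret, client_random, server_random):
    """Master secret and key_block split (RFC 5246 6.3) for an AES-GCM suite.
    Both the PRF hash and the key length change between AES_128_GCM_SHA256
    and AES_256_GCM_SHA384, which is why the latter needs more than a new id."""
    h = prf_hash_for_suite(suite)
    master = tls12_prf(pre_master_secret, b"master secret",
                       client_random + server_random, 48, h)
    klen = GCM_KEY_LEN["AES_256_GCM" if "AES_256_GCM" in suite else "AES_128_GCM"]
    need = 2 * klen + 2 * GCM_FIXED_IV_LEN
    block = tls12_prf(master, b"key expansion",
                      server_random + client_random, need, h)
    return {
        "prf_hash": h,
        "master_secret": master,
        "client_write_key": block[:klen],
        "server_write_key": block[klen:2 * klen],
        "client_write_iv": block[2 * klen:2 * klen + 4],
        "server_write_iv": block[2 * klen + 4:need],
    }


if __name__ == "__main__":
    # Constructed sample inputs: zero pre-master secret and fixed randoms.
    pms, cr, sr = bytes(48), bytes(range(32)), bytes(range(32, 64))
    for s in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"):
        k = derive_gcm_keys(s, pms, cr, sr)
        print(s, k["prf_hash"], len(k["client_write_key"]), k["master_secret"].hex()[:16])
```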

style="font-size:10.0pt;font-family:&quot;Courier New&quot;">&nbsp; \
script:<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:10.0pt;font-family:&quot;Courier New&quot;">&nbsp; - find / -name \
*libtls*&nbsp; # /usr/lib/libtls.so.2.0.0<o:p></o:p></span></p> <p \
class="MsoNormal"><span style="font-size:10.0pt;font-family:&quot;Courier \
New&quot;">&nbsp; - find / -name *libretls*<o:p></o:p></span></p> <p \
class="MsoNormal"><span style="font-size:10.0pt;font-family:&quot;Courier \
New&quot;">&nbsp; - wget $TLS_13_URL<o:p></o:p></span></p> <p \
class="MsoNormal"><o:p>&nbsp;</o:p></p> <p class="MsoNormal">If you&#8217;re not \
familiar with GitLab YAML, all that matters is the image name and the script. \
It&#8217;s just loading busybox:1.35.0 and trying to wget.<o:p></o:p></p> <p \
class="MsoNormal"><o:p>&nbsp;</o:p></p> <p class="MsoNormal">Using Ubuntu, CentOS, or \
Alpine, wget works fine on this URL.<o:p></o:p></p> <p \
class="MsoNormal"><o:p>&nbsp;</o:p></p> <p class="MsoNormal" \
style="background:#111111"><span class="gl-white-space-pre-wrap"><b><span \
style="font-size:10.0pt;font-family:Consolas;color:#00D600">$ wget \
$TLS_13_URL</span></b></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">saving to \
'index.html'</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">index.html 100% \
|********************************| 32211 0:00:00 ETA</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">'index.html' \
saved</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal"><o:p>&nbsp;</o:p></p> <p class="MsoNormal">Using busybox:1.35.0, \
wget fails.<o:p></o:p></p> <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><b><span \
style="font-size:10.0pt;font-family:Consolas;color:#00D600">$ wget \
$TLS_13_URL</span></b></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">wget: TLS error from peer \
(alert code 40): handshake failure</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">wget: error getting \
response: Connection reset by peer</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal"><o:p>&nbsp;</o:p></p> <p class="MsoNormal">(If it matters, 1.34.1 \
fails the same way.)<o:p></o:p></p> <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal">Unfortunately I do not know of a public-facing URL that supports \
only TLS 1.2 and 1.3, but I expect that wget will fail in the same \
way.<o:p></o:p></p> <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal">If desired, I have a great deal more information on the \
supported TLS below.<o:p></o:p></p> <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal">As mentioned, Ubuntu/CentOS/Alpine are all able to use wget just \
fine. Alpine is the most interesting, since Alpine actually uses BusyBox 1.34.1. \
<o:p></o:p></p> <p class="MsoNormal">It looks like they rebuilt against a newer \
version of libtls.<o:p></o:p></p> <p class="MsoNormal"><a \
href="https://gitlab.alpinelinux.org/alpine/aports/-/issues/11695">https://gitlab.alpinelinux.org/alpine/aports/-/issues/11695</a><o:p></o:p></p>
 <p class="MsoNormal">BusyBox doesn&#8217;t appear (?) to be using libtls, or at \
least, I haven&#8217;t found reference to it in the source, so I&#8217;m not sure \
whether a similar solution would work outside of Alpine.<o:p></o:p></p> <p \
class="MsoNormal"><o:p>&nbsp;</o:p></p> <p class="MsoNormal">Thank \
you,<o:p></o:p></p> <p class="MsoNormal">David Hannasch<o:p></o:p></p>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal">The promised details on the server are:<o:p></o:p></p>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><b><span \
style="font-size:10.0pt;font-family:Consolas;color:#00D600">$ openssl s_client \
-connect $INTERNAL_HOST:443 -tls1_3</span></b></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">CONNECTED(00000003)</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">depth=2 C = US, ST = New \
Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification  \
Authority</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">verify \
return:1</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">---</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Certificate \
chain</span><o:p></o:p></span></p> <p class="MsoNormal" \
style="background:#111111"><span class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">&#8230;</span></span><o:p></o:p></p>
 <p class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">No client certificate CA \
names sent</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Peer signing digest: \
SHA256</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Peer signature type: \
RSA-PSS</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Server Temp Key: X25519, \
253 bits</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">---</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">SSL handshake has read 6990 \
bytes and written 325 bytes</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Verification: \
OK</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">---</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">New, TLSv1.3, Cipher is \
TLS_AES_256_GCM_SHA384</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Server public key is 4096 \
bit</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Secure Renegotiation IS NOT \
supported</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">No ALPN \
negotiated</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Early data was not \
sent</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Verify return code: 0 \
(ok)</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">---</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">DONE</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><b><span \
style="font-size:10.0pt;font-family:Consolas;color:#00D600">$ openssl s_client \
-connect $INTERNAL_HOST:443 -tls1_2</span></b></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">CONNECTED(00000003)</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">depth=2 C = US, ST = New \
Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification  \
Authority</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">verify \
return:1</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">---</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">No client certificate CA \
names sent</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Peer signing digest: \
SHA256</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Peer signature type: \
RSA-PSS</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Server Temp Key: X25519, \
253 bits</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">---</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">SSL handshake has read 6898 \
bytes and written 309 bytes</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Verification: \
OK</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">---</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">New, TLSv1.2, Cipher is \
ECDHE-RSA-CHACHA20-POLY1305</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Server public key is 4096 \
bit</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Secure Renegotiation IS \
supported</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">No ALPN \
negotiated</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">SSL-Session:</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Protocol : \
TLSv1.2</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Cipher : \
ECDHE-RSA-CHACHA20-POLY1305</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
<p class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Extended master secret: \
yes</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">---</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">DONE</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><b><span \
style="font-size:10.0pt;font-family:Consolas;color:#00D600">$ openssl s_client \
-connect $INTERNAL_HOST:443 -tls1_1 || echo &quot;TLS 1.1 is not \
supported.&quot;</span></b></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">CONNECTED(00000003)</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">---</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">no peer certificate \
available</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">---</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">No client certificate CA \
names sent</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">---</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">SSL handshake has read 7 \
bytes and written 134 bytes</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Verification: \
OK</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">---</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">New, (NONE), Cipher is \
(NONE)</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Secure Renegotiation IS NOT \
supported</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">No ALPN \
negotiated</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">SSL-Session:</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Protocol : \
TLSv1.1</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Cipher : \
0000</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Session-ID: \
</span></span><span style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p>
 <p class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Session-ID-ctx: \
</span></span><span style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p>
 <p class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Master-Key: \
</span></span><span style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p>
 <p class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">PSK identity: \
None</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">PSK identity hint: \
None</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">SRP username: \
None</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Start Time: \
1641851758</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Timeout : 7200 \
(sec)</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Verify return code: 0 \
(ok)</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Extended master secret: \
no</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">---</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">TLS 1.1 is not \
supported.</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><b><span \
style="font-size:10.0pt;font-family:Consolas;color:#00D600">$ nmap --script \
ssl-enum-ciphers -p 443 $INTERNAL_HOST</span></b></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Starting Nmap 7.92 ( <a \
href="https://nmap.org">https://nmap.org</a> ) at 2022-01-10 21:55 \
UTC</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">Host is up (0.0011s \
latency).</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">PORT STATE \
SERVICE</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">443/tcp open \
https</span></span><span \
style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p> <p \
class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">| ssl-enum-ciphers: \
</span></span><span style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p>
 <p class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">| TLSv1.2: \
</span></span><span style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p>
 <p class="MsoNormal" style="background:#111111"><span \
class="gl-white-space-pre-wrap"><span \
style="font-size:10.0pt;font-family:Consolas;color:white">| ciphers: \
</span></span><span style="font-size:10.0pt;font-family:Consolas;color:white"><o:p></o:p></span></p>
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| compressors:
| NULL
| warnings:
| Key exchange (ecdh_x25519) of lower strength than certificate key
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

If there are some TLS's that BusyBox does not support, is that documented anywhere?
</div>
</body>
</html>



_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
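The question above comes down to whether the client's ClientHello and the server's offer intersect at all: a TLS 1.2 server that only offers CHACHA20-POLY1305 and AES-256-GCM over X25519, or a TLS 1.3 server that only does X25519 key shares, will answer a client that lacks those suites or that group with alert 40 (handshake_failure), whatever the TLS version. The following is an added example, not BusyBox code and not from anyone in this thread: it parses nmap's ssl-enum-ciphers output into per-version suite lists and checks them against a client profile. The sample output is constructed from the nmap lines quoted above, and all three client profiles (`CLIENT_AES128_ONLY`, `CLIENT_AES256_NO_X25519`, `CLIENT_AES256_X25519`) are hypothetical; none of them is BusyBox's actual cipher list.

```python
"""Added example (not BusyBox or nmap code): parse nmap ssl-enum-ciphers output
and work out which of the server's suites a given client could complete.
An empty result on every version is the situation in which the server answers
the ClientHello with alert 40, handshake_failure."""
import re
from dataclasses import dataclass

# Constructed sample, assembled from the nmap lines quoted in this thread
# (the "|" prefix is nmap's script-output framing).
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     compressors:
|       NULL
|     warnings:
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A
"""

VERSION_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.\d):\s*$")
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")


@dataclass
class Suite:
    name: str   # IANA name; nmap's TLS 1.3 "TLS_AKE_WITH_..." labels are normalised
    kex: str    # nmap's key-exchange detail: "ecdh_x25519", "secp256r1", "dh 2048", ...
    grade: str


@dataclass
class ClientProfile:
    suites: set  # cipher suites the client lists in its ClientHello
    groups: set  # (EC)DH groups it offers in supported_groups / key_share


def parse_ssl_enum_ciphers(text):
    """Return {tls_version: [Suite, ...]} from nmap ssl-enum-ciphers output."""
    result, current = {}, None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = SUITE_RE.match(line)
        if m and current is not None:
            name = m.group(1).replace("TLS_AKE_WITH_", "TLS_")  # TLS 1.3 naming
            result[current].append(Suite(name, m.group(2), m.group(3)))
    return result


def kex_requirement(kex):
    """What the client must offer for the key exchange nmap observed."""
    if kex.startswith("ecdh_"):
        return kex[len("ecdh_"):]  # e.g. "x25519"
    if kex.startswith("dh "):
        return "ffdhe"             # finite-field DHE; the size is the server's choice
    if kex.startswith("rsa "):
        return None                # RSA key transport needs no group at all
    return kex                     # bare curve name such as "secp256r1"


def negotiable(server, client):
    """Per version, the server suites this client could actually complete."""
    out = {}
    for version, suites in server.items():
        out[version] = [
            s.name for s in suites
            if s.name in client.suites
            and kex_requirement(s.kex) in (None, *client.groups)
        ]
    return out


def diagnose(server, client):
    """One-line verdict in the terms used in the thread."""
    found = {v: n for v, n in negotiable(server, client).items() if n}
    if not found:
        return "no common suite/group on any version: expect alert 40 (handshake_failure)"
    return "handshake possible on " + ", ".join(f"{v} via {n[0]}" for v, n in found.items())


# HYPOTHETICAL client profiles for illustration; none is BusyBox's real list.
CLIENT_AES128_ONLY = ClientProfile(
    suites={"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"},
    groups={"x25519", "secp256r1"},
)
CLIENT_AES256_NO_X25519 = ClientProfile(   # right suite, but cannot do the group
    suites={"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_AES_256_GCM_SHA384"},
    groups={"secp256r1"},
)
CLIENT_AES256_X25519 = ClientProfile(
    suites={"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_AES_256_GCM_SHA384"},
    groups={"x25519"},
)

if __name__ == "__main__":
    server = parse_ssl_enum_ciphers(SAMPLE_NMAP_OUTPUT)
    for label, client in [("aes128 only", CLIENT_AES128_ONLY),
                          ("aes256, no x25519", CLIENT_AES256_NO_X25519),
                          ("aes256 + x25519", CLIENT_AES256_X25519)]:
        print(f"{label:20s} -> {diagnose(server, client)}")
```

One caveat when reading the result: the group in parentheses is the one the server picked against nmap's own offer, so a server shown as `(ecdh_x25519)` may still accept secp256r1 from a client that offers only that; the nmap line is a lower bound on what the server supports, not a complete list. The check is conclusive in the other direction: if none of the server's suites is in the client's list, no choice of group will rescue the handshake.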
