View Issue Details

IDProjectCategoryView StatusLast Update
0004372Kali Linux[All Projects] Kali Package Bugpublic2019-09-04 12:37
Reporterhexxonxonx Assigned Todookie  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionopen 
Product Version2017.2 
Target VersionFixed in Version 
Summary0004372: Nikto/Nmap unable to handsake with older SSL version
DescriptionWhen attempting to run tools that require an SSL connection with servers that are using older versions an error occurs, for example in nikto whisker reports:

'whisker' => {
        'uri' => '/',
        'error' => "opening stream: can't connect: SSL negotiation failed: error:1417118C:SSL routines:tls_process_server_hello:version too low at /var/lib/nikto/plugins/LW2.pm line 5157.\n at /var/lib/nikto/plugins/LW2.pm line 5157.\n; at /var/lib/nikto/plugins/LW2.pm line 5157.\n",
        'MAGIC' => 31340
    }

Steps To Reproducerun nikto against an older version of a ssl enable host

commandline:

nikto -ssl -host XX.XX.XX.XX -D d

any other variations will produce the same error. Changing user agent/other twaeks seem to have no effect. I have also pulled Nikto directly from web (non Kali version and get the same error with 2.16 and master)

For ncat the error is:

libnsock handle_connect_result(): EID 9 reconnecting with SSL_OP_NO_SSLv2
libnsock handle_connect_result(): EID 9 reconnecting with SSL_OP_NO_SSLv2

with the command:

ncat -v -v --ssl X.X.X.X 443
Additional Information:Tue Nov 28 17:10:56 2017 - Loading DB: /var/lib//nikto/databases/db_parked_strings
D:Tue Nov 28 17:10:56 2017 - Loading DB: /var/lib//nikto/databases/db_404_strings
D:Tue Nov 28 17:10:56 2017 - Loading DB: /var/lib//nikto/databases/db_outdated
D:Tue Nov 28 17:10:56 2017 - Loading DB: /var/lib//nikto/databases/db_variables
D:Tue Nov 28 17:10:56 2017 - Loading DB: /var/lib//nikto/databases/db_tests
- Nikto v2.1.6
---------------------------------------------------------------------------
D:Tue Nov 28 17:10:56 2017 WARNING: No init found for nikto_core
D:Tue Nov 28 17:10:57 2017 'Request Hash' = {
    'Host' => '10.11.1.35',
    'whisker' => {
        'force_close' => 0,
        'normalize_incoming_headers' => 1,
        'port' => 443,
        'http_eol' => "\r\n",
        'ssl' => 1,
        'uri_param_sep' => '?',
        'timeout' => 10,
        'ssl_rsacertfile' => undef,
        'trailing_slurp' => 0,
        'uri' => '/',
        'require_newline_after_headers' => 0,
        'version' => '1.1',
        'method' => 'HEAD',
        'http_space1' => ' ',
        'include_host_in_uri' => 0,
        'uri_prefix' => '',
        'retry' => 0,
        'force_bodysnatch' => 0,
        'lowercase_incoming_headers' => 1,
        'ssl_certfile' => undef,
        'host' => '10.11.1.35',
        'force_open' => 0,
        'protocol' => 'HTTP',
        'ssl_save_info' => 1,
        'http_space2' => ' ',
        'MAGIC' => 31339,
        'uri_postfix' => '',
        'ignore_duplicate_headers' => 1,
        'invalid_protocol_return_value' => 1,
        'keep-alive' => 1,
        'max_size' => 0
    },
    'User-Agent' => 'Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)',
    'Connection' => 'Keep-Alive'
};
D:Tue Nov 28 17:10:57 2017 'Result Hash' = {
    'whisker' => {
        'uri' => '/',
        'error' => "opening stream: can't connect: SSL negotiation failed: error:1417118C:SSL routines:tls_process_server_hello:version too low at /var/lib/nikto/plugins/LW2.pm line 5157.\n at /var/lib/nikto/plugins/LW2.pm line 5157.\n; at /var/lib/nikto/plugins/LW2.pm line 5157.\n",
        'MAGIC' => 31340
    }
};
D:Tue Nov 28 17:10:58 2017 'Request Hash' = {
    'Host' => '10.11.1.35',
    'whisker' => {
        'force_close' => 0,
        'port' => 443,
        'normalize_incoming_headers' => 1,
        'http_eol' => "\r\n",
        'uri_param_sep' => '?',
        'ssl' => 1,
        'timeout' => 10,
        'trailing_slurp' => 0,
        'ssl_rsacertfile' => undef,
        'uri' => '/',
        'require_newline_after_headers' => 0,
        'uri_prefix' => '',
        'include_host_in_uri' => 0,
        'method' => 'GET',
        'http_space1' => ' ',
        'version' => '1.1',
        'force_bodysnatch' => 0,
        'retry' => 0,
        'host' => '10.11.1.35',
        'force_open' => 0,
        'protocol' => 'HTTP',
        'ssl_certfile' => undef,
        'lowercase_incoming_headers' => 1,
        'http_space2' => ' ',
        'ssl_save_info' => 1,
        'uri_postfix' => '',
        'MAGIC' => 31339,
        'ignore_duplicate_headers' => 1,
        'max_size' => 0,
        'keep-alive' => 1,
        'invalid_protocol_return_value' => 1
    },
    'User-Agent' => 'Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)',
    'Connection' => 'Keep-Alive'
};
D:Tue Nov 28 17:10:58 2017 'Result Hash' = {
    'whisker' => {
        'error' => "opening stream: can't connect: SSL negotiation failed: error:1417118C:SSL routines:tls_process_server_hello:version too low at /var/lib/nikto/plugins/LW2.pm line 5157.\n at /var/lib/nikto/plugins/LW2.pm line 5157.\n; at /var/lib/nikto/plugins/LW2.pm line 5157.\n",
        'MAGIC' => 31340,
        'uri' => '/'
    }
};
+ No web server found on 10.11.1.35:443
---------------------------------------------------------------------------
+ 0 host(s) tested
D:Tue Nov 28 17:10:58 2017 T:Tue Nov 28 17:10:58 2017: Ending





Relationships

related to 0005158 assignedrhertzog Support old ciphers and old crypto protocols in various tools 

Activities

Mister_X

2017-11-29 00:45

reporter   ~0007624

A few things:
- OpenSSL version got updated back in August/September in Debian testing if I remember correctly to v1.1
- OpenSSL 1.1 disallow TLS 1.0 and 1.1 by default
- Using a lower version of TLS is allowed but requires adding some code

Link to 2 discussion on 2 different projects relying on OpenSSL might be useful:
- https://www.spinics.net/lists/hostap/msg03994.html
- http://lists.freeradius.org/pipermail/freeradius-users/2017-September/088813.html

Solutions are pointed out in both email chains

rhertzog

2017-11-29 07:54

administrator   ~0007625

Do you know which specific version of SSL and/or TLS were failing for you?

Do you know public servers running those old SSL/TLS versions so that I can easily test?

What version of libssl1.1 do you have?

openssl 1.1.0g-1 re-enabled TLS 1.0 and 1.1 by default so that's why I'm asking here (the TLS 1.0 and 1.1 disabled by default is not a choice of upstream OpenSSL but of the Debian openssl maintainer).

hexxonxonx

2017-11-29 13:27

reporter   ~0007626

libssl1.1 : 1.1.0f

The host is inside the Kali Offsec Labs, it is pain. I belive the version on that server is 1.0 based on whisker output

I'm using OffsecVM-2017.2-20171023 from the PWK site.

hexxonxonx

2017-11-30 22:45

reporter   ~0007645

Upgrading to new version of libssl1.1/libssl dev fixed this I only upgraded libssl1.1 via: apt install --only-upgrade libssl moving my version up to 1.1.0g-2 this also upped libc-bin to 2.24-17

Commands run fine now against the host,however the Offsec PWK still has the non working version of the lib in it in the image. Please let me know if you have any qestions

rhertzog

2018-07-27 10:30

administrator   ~0009394

Is this issue still revelant?

@dookie can you check the current OffsecVM from the PWK?

g0tmi1k

2019-09-04 12:37

administrator   ~0011023

Due to the age of the OS (Kali Moto [v1], Kali Safi [v2], Kali Rolling <= 2018.4), these legacy versions are no longer supported.
We will be closing this ticket due to inactivity.

Please could you see if you are able to replicate this issue with the latest version of Kali Linux - https://www.kali.org/downloads/)?

If you are still facing the same problem, feel free to re-open the ticket. If you choose to do this, could you provide more information to the issue you are facing, and also give information about your setup?
For more information, please read: https://kali.training/topic/filing-a-good-bug-report/

Issue History

Date Modified Username Field Change
2017-11-29 00:35 hexxonxonx New Issue
2017-11-29 00:45 Mister_X Note Added: 0007624
2017-11-29 07:45 rhertzog Assigned To => rhertzog
2017-11-29 07:45 rhertzog Status new => assigned
2017-11-29 07:54 rhertzog Note Added: 0007625
2017-11-29 13:27 hexxonxonx Note Added: 0007626
2017-11-30 22:45 hexxonxonx Note Added: 0007645
2018-06-22 06:19 g0tmi1k Severity block => minor
2018-07-27 10:30 rhertzog Status assigned => feedback
2018-07-27 10:30 rhertzog Note Added: 0009394
2018-10-30 11:01 g0tmi1k Assigned To rhertzog => dookie
2018-12-14 10:56 rhertzog Relationship added related to 0005158
2019-09-04 12:37 g0tmi1k Note Added: 0011023
2019-09-04 12:37 g0tmi1k Status feedback => closed