TLS-Timeout on several hosts

[sauttefk]

I get an error on several hosts e.g. for https://spiegel.de/

On the webservice:
https://tls.imirhil.fr/https/spiegel.de

[HTTPS] spiegel.de (03/12/2018 15:12:22 +00:00)
spiegel.de - 128.65.210.8 : 443
Fehler bei der Analyse: Timeout when TLS connect to 128.65.210.8:443 (max 20 seconds)

And also on the shell:
docker run --rm cryptcheck bin/check_https spiegel.de

128.65.210.8:443 [spiegel.de]

Supported methods
  Method TLSv1_2
  Method TLSv1_1
  Method TLSv1
Timeout when TLS connecting to 128.65.210.8:443 (max 20 seconds)

[sauttefk]

@aeris Oh, I forgot to mention:
Cryptcheck is a really great tool for analysing all those webservers I have to manage!
Thanks!

[aeris]

Seems the service on the other side is not fully SSL/TLS compliant.
SSLv2 negociation hangs and so max analysis duration is hit.
If the service doesn't support SSLv2, it needs to reject the connection cleanly (fatal protocol version).

[sauttefk]

OK, good point...
But I think cryptcheck should respond graceful to this server side misconfiguration and continue it's analysis.

[aeris]

I limit the analysis duration to avoid DoS of the CryptCheck service (20s max for a TCP connection and 10min max for the overall scan).
Will think about adding an option to ignore some timeout.

[sauttefk]

I think the 20s timeout is OK.
This should be reported in the output, but all the other results should still be reported.

[aeris]

At this point, there is no result to report, this is just fast TLS ping to detect supported protocols.
Perhaps I may consider errors at this point as "not supported protocol" rather than "server error". But this may hide misconfiguration too.

[sauttefk]

SSL Labs shows SSLv2 and SSLv3 as not supported.
https://www.ssllabs.com/ssltest/analyze.html?d=spiegel.de

[aeris]

Yep, but missed here the fact the server is not SSL/TLS compliant 😂