11-16-2017 04:05 AM
Hello,
We just wanted to use the OpenVuln API today; the web server responds with 200 but with an SSL encryption error.
Any known errors on your side?
It worked for one year without problems.
Kind regards,
Kai Lohse
11-16-2017 12:38 PM
Hi Kai,
It may be related to the SSL library you are using. Some libraries have started to enforce strict checks on the encryption algorithms that are accepted by default.
Can you tell me what language and library you are using? I suspect there is a parameter you can use to fix this.
11-17-2017 01:51 AM
Hi Mark-David,
I am using Delphi 7 with Indy sockets.
It worked fine the whole year; we did thousands of requests and never had problems. We did not change our tool, I tried on two machines with transparent Internet access, and a colleague who is using Linux and Python has had the same problem for a few days.
So I thought maybe you changed something on your side...
11-17-2017 04:17 AM
Hi Mark-David,
I just tried again with Wireshark; it shows a handshake failure:
No. | Time | Source | Destination | Protocol | Length | Info
50 | 66.031697000 | 173.37.145.221 | 10.1.1.11 | TLSv1 | 61 | Alert (Level: Fatal, Description: Handshake Failure)
Frame 50: 61 bytes on wire (488 bits), 61 bytes captured (488 bits) on interface 0
Ethernet II, Src: b0:e5:ed:5c:46:8d (b0:e5:ed:5c:46:8d), Dst: Inventec_20:e3:27 (00:a0:d1:20:e3:27)
Internet Protocol Version 4, Src: 173.37.145.221 (173.37.145.221), Dst: 10.1.1.11 (10.1.1.11)
Transmission Control Protocol, Src Port: https (443), Dst Port: 1030 (1030), Seq: 1, Ack: 91, Len: 7
Secure Sockets Layer
TLSv1 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
Content Type: Alert (21)
Version: TLS 1.0 (0x0301)
Length: 2
Alert Message
Level: Fatal (2)
Description: Handshake Failure (40)
11-17-2017 03:46 PM
Can you look at the ClientHello and ServerHello messages? I would suspect that the ProtocolNameList/cipher suites is the problem. I have only seen this once and I had to change the supported ciphers in the client to make the connection. I didn't spend too much time debugging.
11-17-2017 06:42 PM
Hi klohse,
Assuming that you are using Delphi with OpenSSL, please send me the output of the following command:
openssl s_client -connect api.cisco.com:443
You should see something like this:
openssl s_client -connect api.cisco.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = California, L = San Jose, O = Cisco Systems, OU = APIX-Platform-EB2B-IT, CN = api.cisco.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=San Jose/O=Cisco Systems/OU=APIX-Platform-EB2B-IT/CN=api.cisco.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
subject=/C=US/ST=California/L=San Jose/O=Cisco Systems/OU=APIX-Platform-EB2B-IT/CN=api.cisco.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 4501 bytes and written 663 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA256
Session-ID: B9AB02DD000000000000000000000000000084685A0F9CE90000000051474B5F
Session-ID-ctx:
Master-Key: A6C0C1DB94F99DBF5E7D7D9EC45CDA1A17CA6034CD1B9E625AA7DB2E26E07FBC9A1FCA1A2981435ED06E7E05EA0D135E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1510972104
Timeout : 300 (sec)
Verify return code: 0 (ok)
I don't believe that anything related to the TLS implementation has changed recently from our side. I also did a quick test using our Python client (openVulnQuery) and was successful:
omar@omar:~$ openVulnQuery --cvrf --latest 1
[
{
"advisory_id": "cisco-sa-20171115-findit",
"advisory_title": "Cisco FindIT Discovery Utility Insecure Library Loading Vulnerability",
"bug_ids": [
"CSCvf37955"
],
"cves": [
"CVE-2017-12314"
],
"cvss_base_score": "4.8",
"cwe": [
"CWE-427"
],
"first_published": "2017-11-15T16:00:00-0600",
"ips_signatures": [
"NA"
],
"last_updated": "2017-11-15T19:07:21-0600",
"product_names": [
"Cisco FindIT Network Discovery Utility "
],
"publication_url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-findit",
"sir": "Medium",
"summary": "A vulnerability in the Cisco FindIT Network Discovery Utility could allow an authenticated, local attacker to perform a DLL preloading attack, potentially causing a partial impact to the device availability, confidentiality, and integrity.<br />\n<br />\nThe vulnerability is due to the application loading a malicious copy of a specific, nondefined DLL file instead of the DLL file it was expecting. An attacker could exploit this vulnerability by placing an affected DLL within the search path of the host system. An exploit could allow the attacker to load a malicious DLL file into the system, thus partially compromising confidentiality, integrity, and availability on the device.<br />\n<br />\nThere are no workarounds that address this vulnerability.<br />\n<br />\nThis advisory is available at the following link:<br />\n<a href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-findit\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-findit</a>"
}
]
omar@omar:~$
11-18-2017 09:15 AM
Thanks for the suggestions.
It's not OpenSSL; it is the free Indy V9.0.10.
I place two DLLs in the EXE directory and it uses TLSv1.0. You are using TLSv1.2; maybe this is the problem.
ssleay32.dll
libeay32.dll
Unfortunately the DLLs don't contain any version or developer info; I will try to find the archive which contains them.
Just found out I have the same problem with the SupportAPI. OpenAuth still works; I receive valid tokens.
11-18-2017 10:56 PM
Hi,
I did some more research; it is a recompiled OpenSSL to match Indy9.
OAuth works, but API access shows an error:
OpenSSL> s_client -connect api.cisco.com:443
Loading 'screen' into random state - done
CONNECTED(00000088)
868:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\ssl\s23_clnt.c:455:
OpenSSL>
OpenSSL> s_client -connect cloudsso.cisco.com:443
Loading 'screen' into random state - done
CONNECTED(00000088)
depth=1 /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=San Jose/O=Cisco Systems/OU=GIS/CN=cloudsso.cisco.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
subject=/C=US/ST=California/L=San Jose/O=Cisco Systems/OU=GIS/CN=cloudsso.cisco.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 2811 bytes and written 448 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: B9AB06910000000000000000000000020001168E5A11287B0000000051951688
Session-ID-ctx:
Master-Key: 9FDE6F8146D7C739AA64F8082C2364CAC65B151B96B8BCF6786AA50D9729F4823CE8BF052FD8BBCDA72D4EA0CB0B09FF
Key-Arg : None
Start Time: 1511074021
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
write:errno=10054
OpenSSL>
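Mark-David's suggestion to inspect the ClientHello, and the contrast between the old Indy build (TLSv1, DES-CBC3-SHA) and the working client (TLSv1.2, AES128-SHA256), as an added example that is not part of this thread: a small parser that pulls the client version and cipher suites out of a ClientHello record and lists why a server with a given policy would answer with alert 40 (handshake_failure). The server policy (TLS 1.2 with AES128-SHA256 only) and the sample ClientHello are assumptions modelled on the s_client output above, not a real capture.

```python
import struct

# Cipher-suite IDs (IANA registry) for the suites that appear in this thread.
SUITE_NAMES = {0x000A: "DES-CBC3-SHA", 0x003C: "AES128-SHA256",
               0x002F: "AES128-SHA", 0x0005: "RC4-SHA"}
VERSION_NAMES = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def build_client_hello(version, suites):
    """Construct a minimal ClientHello record (sample input, not a real capture)."""
    body = bytes(version) + b"\x00" * 32                       # client_version + random
    body += b"\x00"                                            # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                        # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (client_version, [cipher-suite ids]) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                                    # past record + handshake headers
    version = (record[pos], record[pos + 1])
    pos += 2 + 32                                              # client_version + random
    pos += 1 + record[pos]                                     # session_id
    count = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    suites = [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, count, 2)]
    return version, suites

def diagnose(record, server_suites, server_min_version):
    """List the reasons a server with this policy would answer alert 40 (handshake_failure)."""
    version, suites = parse_client_hello(record)
    problems = []
    if version < server_min_version:
        problems.append(f"client offers {VERSION_NAMES.get(version, version)}, "
                        f"server requires {VERSION_NAMES[server_min_version]}")
    if not any(s in server_suites for s in suites):
        offered = ", ".join(SUITE_NAMES.get(s, hex(s)) for s in suites)
        problems.append(f"no cipher suite in common; client offered: {offered}")
    return problems

# Assumed server policy modelled on the working s_client run: TLS 1.2 with AES128-SHA256.
SERVER_SUITES, SERVER_MIN_VERSION = {0x003C}, (3, 3)
# Constructed ClientHello resembling the old Indy/OpenSSL build: TLS 1.0, 3DES and RC4 only.
OLD_CLIENT_HELLO = build_client_hello((3, 1), [0x000A, 0x0005])
OLD_PROBLEMS = diagnose(OLD_CLIENT_HELLO, SERVER_SUITES, SERVER_MIN_VERSION)
```

Feed the first TLS record of a real capture (the bytes Wireshark shows under "Handshake Protocol: Client Hello") to `diagnose` to see which of the two mismatches the old DLLs trigger.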
11-19-2017 12:21 AM
Hi all,
Good news, it works again; I updated OpenSSL.
After googling, it seems I'm not the only one who had this problem.
THANX FOR ALL THE HELP
DELPHI FOREVER