Siamo SaaS & Provider IaaS che utilizza prevalentemente Windows 2012 (R2) per l'hosting. Abbiamo iniziato a valutare il sistema operativo Windows 2016 e abbiamo notato che i nostri siti non sono più accessibili tramite Chrome / Firefox (funziona tramite IE / Edge). Getta:
This site can’t be reached
The webpage at https://gemini-ci.dev.company.com.au/ might be temporarily down or it may have moved permanently to a new web address. ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY
Di seguito è riportato l'output di Fiddler:
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.
Version: 3.3 (TLS/1.2)
Random: F6 42 DD 5A 96 11 36 5C DD 6C 85 43 1D 9C 29 48 D4 E5 62 05 66 A6 14 6F 4B B8 D7 C4 02 2B 86 85
"Time": 23/04/2018 12:20:38 PM
SessionID: D2 44 00 00 BF 88 16 FA BC 63 84 AC DD 57 4C 7E A0 15 AA 84 9A BA DF DD 03 0C E6 FC E1 D3 F1 E9
Extensions:
0xdada empty
renegotiation_info 00
server_name gemini-ci.dev.company.com.au
extended_master_secret empty
SessionTicket empty
signature_algs sha256_ecdsa, Unknown[0x8]_Unknown[0x4], sha256_rsa, sha384_ecdsa, Unknown[0x8]_Unknown[0x5], sha384_rsa, Unknown[0x8]_Unknown[0x6], sha512_rsa, sha1_rsa
status_request OCSP - Implicit Responder
SignedCertTimestamp (RFC6962) empty
ALPN h2, http/1.1
channel_id(GoogleDraft) empty
ec_point_formats uncompressed [0x0]
elliptic_curves unknown [0x4A4A), unknown [0x1D), secp256r1 [0x17], secp384r1 [0x18]
0x5a5a 00
padding 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Ciphers:
[FAFA] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[CCA9] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
[CCA8] TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
[C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[009C] TLS_RSA_WITH_AES_128_GCM_SHA256
[009D] TLS_RSA_WITH_AES_256_GCM_SHA384
[002F] TLS_RSA_AES_128_SHA
[0035] TLS_RSA_AES_256_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
Compression:
[00] NO_COMPRESSION
e
This is a CONNECT tunnel, through which encrypted HTTPS traffic flows.
To view the encrypted sessions inside this tunnel, enable the Tools > Options > HTTPS > Decrypt HTTPS traffic option.
A SSLv3-compatible ServerHello handshake was found. Fiddler extracted the parameters below.
Version: 3.3 (TLS/1.2)
SessionID: D2 44 00 00 BF 88 16 FA BC 63 84 AC DD 57 4C 7E A0 15 AA 84 9A BA DF DD 03 0C E6 FC E1 D3 F1 E9
Random: 59 81 38 EA 88 E4 DA 94 9C 2F 59 86 38 92 D3 42 B8 59 6F F7 F3 08 EF D6 CC 8E 76 CF E3 99 36 EE
Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384 [0x009D]
CompressionSuite: NO_COMPRESSION [0x00]
Extensions:
ALPN h2
extended_master_secret empty
renegotiation_info 00
server_name empty
Tutte le configurazioni rilevanti per Hash, Algoritmi per lo scambio di chiavi, supporto TLS / SSL, gli ordini di Cipher Suite sono automatizzati e gestiti tramite Puppet, che funziona bene sulle macchine virtuali R2 2012 ma non tanto sul sistema operativo del 2016.
Di seguito è quello che ho fatto finora:
Disabled PCT 1.0, SSL 2.0, SSL 3.0
Enabled TLS 1.0, TLS 1.1, TLS 1.2
Enabled Ciphers AES 128/128, AES 256/256, Triple DES 168/168
Enabled Hashes MD5, SHA, SHA256, SHA384, SHA512
Enabled Key-Exchange algorithms Diffie-Hellman, PKCS, ECDH
Ordine suite di crittografia:
'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
'TLS_RSA_WITH_AES_256_GCM_SHA384',
'TLS_RSA_WITH_AES_128_GCM_SHA256',
'TLS_RSA_WITH_AES_256_CBC_SHA256',
'TLS_RSA_WITH_AES_128_CBC_SHA256',
'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_AES_128_CBC_SHA'
Perché si lamenta che extended_master_secret è vuoto? Capisco che si tratta di un problema con l'ordine di Cipher Suite ma non riesco a trovare un perfetto ordine di segretezza. Qualsiasi suggerimento sarebbe di grande aiuto, grazie.
Karthik