Oracle Weblogic 10.3 + gnutls-cli = A TLS fatal...

Post by Michael Meyer
Hello,
Default installation of a Oracle Weblogic 10.3. NodeManager is listen
at port 5556.
Resolving 'GFDGFDGSFD'...
Connecting to '192.168.2.6:5556'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [70]: Error in protocol version
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
gnutls-cli-debug -p 5556 GFDGFDGSFD -V
http://pastebin.com/m2de5dfaa
gnutls-cli --port 5556 GFDGFDGSFD -d 4711 -V
http://pastebin.com/f27633473
openssl s_client -host 192.168.2.6 -port 5556
http://pastebin.com/m61a8b468
Why i can't connect to the Weblogic Server with gnutls-cli? Is there
anything i can do to make it work?

Try disabling TLS versions > 1.0 or TLS extensions.

/Simon

Michael Meyer

2010-02-15 11:21:59 UTC

Hello,

Post by Michael Meyer
Why i can't connect to the Weblogic Server with gnutls-cli? Is there
anything i can do to make it work?

Try disabling TLS versions > 1.0 or TLS extensions.

Don't work. I hope I make it right. ;)

http://pastebin.com/f56a825f6

Thanks

Micha

Nikos Mavrogiannopoulos

2010-02-15 14:58:20 UTC

As far as I understand from the logs this server only supports RC4-40.
(ARCFOUR-40 in gnutls)
and does not want to see anything over TLS 1.0.

Post by Michael Meyer
Hello,

Post by Michael Meyer
Why i can't connect to the Weblogic Server with gnutls-cli? Is there
anything i can do to make it work?

Try disabling TLS versions > 1.0 or TLS extensions.

Don't work. I hope I make it right. ;)
http://pastebin.com/f56a825f6
Thanks
Micha
_______________________________________________
Help-gnutls mailing list
http://lists.gnu.org/mailman/listinfo/help-gnutls

Simon Josefsson

2010-02-15 19:34:14 UTC

Post by Michael Meyer
Hello,

Post by Michael Meyer
Why i can't connect to the Weblogic Server with gnutls-cli? Is there
anything i can do to make it work?

Try disabling TLS versions > 1.0 or TLS extensions.

Don't work. I hope I make it right. ;)
http://pastebin.com/f56a825f6

Try

gnutls-cli --disable-extensions -p 5556 GFDGFDGSFD -d 4711 -V --priority "NORMAL:%COMPAT:-VERS-TLS1.1:-CTYPE-OPENPGP"

/Simon

Michael Meyer

2010-02-15 20:17:15 UTC

Post by Michael Meyer
http://pastebin.com/f56a825f6

gnutls-cli --disable-extensions -p 5556 GFDGFDGSFD -d 4711 -V --priority "NORMAL:%COMPAT:-VERS-TLS1.1:-CTYPE-OPENPGP"

No, doesn't work either.

http://pastebin.com/m60914e97

It *seems* that this behavior can be reproduced by doing:

,---|
| ***@kira:~ % openssl s_server -accept 5556 \
| -key /home/mime/ca/serverkey.pem \
| -cert /home/mime/ca/servercert.pem \
| -cipher EXP-RC4-MD5
`---|

http://pastebin.com/m5471d160

Thanks again for your help.

Micha

Nikos Mavrogiannopoulos

2010-02-15 20:40:31 UTC

Post by Michael Meyer
http://pastebin.com/f56a825f6

gnutls-cli --disable-extensions -p 5556 GFDGFDGSFD -d 4711 -V --priority "NORMAL:%COMPAT:-VERS-TLS1.1:-CTYPE-OPENPGP"

He needs to add +ARCFOUR-40 and +RSA-EXPORT as well. They are not
enabled by default.

regards,
Nikos

Simon Josefsson

2010-02-15 20:49:30 UTC

Post by Nikos Mavrogiannopoulos

Post by Michael Meyer
http://pastebin.com/f56a825f6

gnutls-cli --disable-extensions -p 5556 GFDGFDGSFD -d 4711 -V --priority "NORMAL:%COMPAT:-VERS-TLS1.1:-CTYPE-OPENPGP"

He needs to add +ARCFOUR-40 and +RSA-EXPORT as well. They are not
enabled by default.

Michael can you try that? Also try %SSL3_RECORD_VERSION.

/Simon

Michael Meyer

2010-02-16 09:29:40 UTC

Post by Nikos Mavrogiannopoulos

Post by Michael Meyer
http://pastebin.com/f56a825f6

gnutls-cli --disable-extensions -p 5556 GFDGFDGSFD -d 4711 -V --priority "NORMAL:%COMPAT:-VERS-TLS1.1:-CTYPE-OPENPGP"

He needs to add +ARCFOUR-40 and +RSA-EXPORT as well. They are not
enabled by default.

I've tried with +ARCFOUR-40 but never with +RSA-EXPORT.

Post by Simon Josefsson
Michael can you try that? Also try %SSL3_RECORD_VERSION.

gnutls-cli -p 5556 GFDGFDGSFD --priority "NORMAL:%COMPAT:-VERS-TLS1.1:+ARCFOUR-40:+RSA-EXPORT"

That's it. It works. http://pastebin.com/m357f13b2

Any hints how to make this work also with C-code? :) One of our
C-Developers ask me that. We are looking for the best way to
*always* get a connection in C? Even if there is something
"strange" on the remote side.

Many thanks to you both.

Micha

Simon Josefsson

2010-02-16 13:22:00 UTC

Post by Nikos Mavrogiannopoulos

Post by Michael Meyer
http://pastebin.com/f56a825f6

gnutls-cli --disable-extensions -p 5556 GFDGFDGSFD -d 4711 -V --priority "NORMAL:%COMPAT:-VERS-TLS1.1:-CTYPE-OPENPGP"

He needs to add +ARCFOUR-40 and +RSA-EXPORT as well. They are not
enabled by default.

I've tried with +ARCFOUR-40 but never with +RSA-EXPORT.

Post by Simon Josefsson
Michael can you try that? Also try %SSL3_RECORD_VERSION.

gnutls-cli -p 5556 GFDGFDGSFD --priority "NORMAL:%COMPAT:-VERS-TLS1.1:+ARCFOUR-40:+RSA-EXPORT"
That's it. It works. http://pastebin.com/m357f13b2

Do you need all of them? Try removing each of them until it breaks, and
until you have tried removing all items.

Post by Michael Meyer
Any hints how to make this work also with C-code? :) One of our
C-Developers ask me that. We are looking for the best way to
*always* get a connection in C? Even if there is something
"strange" on the remote side.

Call something like this:

rc = gnutls_priority_set_direct (session, "NORMAL:%COMPAT....", NULL);

http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-priority-set-direct
http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-priority-init

/Simon

Michael Meyer

2010-02-16 14:34:03 UTC

Post by Simon Josefsson
Michael can you try that? Also try %SSL3_RECORD_VERSION.

gnutls-cli -p 5556 GFDGFDGSFD --priority "NORMAL:%COMPAT:-VERS-TLS1.1:+ARCFOUR-40:+RSA-EXPORT"
That's it. It works. http://pastebin.com/m357f13b2

Do you need all of them?

Yes.

Post by Simon Josefsson
Try removing each of them until it breaks, and
until you have tried removing all items.

I did. ;) If even one option is away, it no longer works.

rc = gnutls_priority_set_direct (session, "NORMAL:%COMPAT....", NULL);
http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-priority-set-direct
http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-priority-init

Ok. I'll pass the information to our C-developers. It seems that we
need some deeper knowledge about GnuTLS in our project (http://openvas.org).
Anybody interested to help? ;)

Micha

Simon Josefsson

2010-02-17 14:46:27 UTC

Post by Simon Josefsson
Michael can you try that? Also try %SSL3_RECORD_VERSION.

gnutls-cli -p 5556 GFDGFDGSFD --priority "NORMAL:%COMPAT:-VERS-TLS1.1:+ARCFOUR-40:+RSA-EXPORT"
That's it. It works. http://pastebin.com/m357f13b2

Do you need all of them?

Yes.

Post by Simon Josefsson
Try removing each of them until it breaks, and
until you have tried removing all items.

I did. ;) If even one option is away, it no longer works.

Wow. Then it is the most broken TLS server I've heard of so far. I
wonder what TLS stack that is...

Ok. I'll pass the information to our C-developers. It seems that we
need some deeper knowledge about GnuTLS in our project (http://openvas.org).
Anybody interested to help? ;)

I'll certainly try to help by answering questions. Anything in
particular you need help with?

/Simon

Michael Meyer

2010-02-17 16:12:14 UTC

Post by Michael Meyer
I did. ;) If even one option is away, it no longer works.

Wow. Then it is the most broken TLS server I've heard of so far. I
wonder what TLS stack that is...

No Idea. I can do any test you suggested.

Post by Michael Meyer
Anybody interested to help? ;)

I'll certainly try to help by answering questions. Anything in
particular you need help with?

I'm not a C-developer, just a plugin-writer. But you can see my
Bug-Report at

http://wald.intevation.org/tracker/index.php?func=detail&aid=1278&group_id=29&atid=220

I think that one of our developers will subscribe to this list and can
provide more specific questions. I can't, i have only less knowledge in C.

Micha

Simon Josefsson

2010-02-17 17:16:41 UTC

Post by Michael Meyer
I did. ;) If even one option is away, it no longer works.

Wow. Then it is the most broken TLS server I've heard of so far. I
wonder what TLS stack that is...

No Idea. I can do any test you suggested.

Identifying that with confidence requires access to the server to look
at the actual server system. Looking at logs and/or the binaries may
help.

Post by Michael Meyer
Anybody interested to help? ;)

I'll certainly try to help by answering questions. Anything in
particular you need help with?

I'm not a C-developer, just a plugin-writer. But you can see my
Bug-Report at
http://wald.intevation.org/tracker/index.php?func=detail&aid=1278&group_id=29&atid=220
I think that one of our developers will subscribe to this list and can
provide more specific questions. I can't, i have only less knowledge in C.

I don't think defaulting to insecure mode is a good idea. What we
recommend is to use the default, and expose the "priority string"
interface to configuration. Then administrators can chose to add
priority strings that may be necessary to talk to some broken server.
The proper solution is always to fix the broken server, but meanwhile
that happens, having a configuration option to work around is useful.
Using GnuTLS in known insecure modes just because there are broken
servers out there doesn't seem like a good idea. Then you might as well
not use TLS at all, and just use TCP?

Anyway, in general it is not possible to configure GnuTLS to *always*
get a connection up, since some bugs in other components may be severe
enough that it simply isn't possible.

I suspect something in your design needs to reflect these ideas, but I
don't know OpenVAS enough to say what.

/Simon

Michael Meyer

2010-02-17 19:51:12 UTC

Post by Simon Josefsson
Identifying that with confidence requires access to the server to look
at the actual server system. Looking at logs and/or the binaries may
help.

There is a trial version available at
http://www.oracle.com/technology/software/products/ias/htdocs/wls_main.html

I have Oracle WebLogic Server 10.3 (also the trial version) running under a
Microsoft Windows XP.

Post by Simon Josefsson
I don't think defaulting to insecure mode is a good idea.

[...]

Post by Simon Josefsson
Using GnuTLS in known insecure modes just because there are broken
servers out there doesn't seem like a good idea. Then you might as well
not use TLS at all, and just use TCP?

Let me explain.

OpenVAS stands for Open Vulnerability Assessment System and is a
network security scanner. OpenVAS is a GPL fork of Nessus.

I try to write a plugin for
http://www.securityfocus.com/bid/37926

Normaly this is very simple. See
http://intevydis.blogspot.com/2010/01/oracle-weblogic-1032-node-manager-fun.html

For that a SSL connection is required.

in NASL (Nessus Attack Scripting Language) it would look like (simplified):

,---|
| port = 5556;
| soc = open_sock_tcp(port, transport: ENCAPS_SSLv3); # or ENCAPS_SSLv23, ENCAPS_TLSv1
|
| if(!soc) {
| display("NO SOCKET\n\n");
| } else {
| display("SOCKET OK\n\n");
| send(socket:soc, data: string("HELLO asdf\r\n"));
| buf = recv(socket:soc, length: 512);
| display("\n",buf,"\n\n");
| close(soc);
| }
`---|

Result should be "+OK Node manager v10.3 started". I got always "NO
SOCKET". With any kind of "transport". GnuTLS error at this point is:
"A TLS fatal alert has been received".

At this point, it's a problem, if GnuTLS (rather the NASL function
open_sock_tcp() which is using GnuTLS) cant't connect to the remote
service because of some problems (e.g. broken certificate, insecure
cipher, ...) on the remote side. It means that I can not recognize the
vulnerability. That's bad. ;)

That's why i need - whenever humanly possible - a succesfull
connection. In this case I'm not interested whether the connection is
really secure.

Micha

Simon Josefsson

2010-02-18 12:00:57 UTC