[Interest] Ignore SSL errors on Android 6.0+
Richard Moore
rich at kde.org
Wed Mar 29 11:32:45 CEST 2017
Your ciphers are too good for the server - it wants terrible ones.
e.g. RC4-MD5:
openssl s_client -connect www.webnotes.cz:443 -cipher RC4-MD5
Cheers
Rich.
On 28 March 2017 at 17:41, Thiago Macieira <thiago.macieira at intel.com> wrote:
> On terça-feira, 28 de março de 2017 09:39:41 PDT Thiago Macieira wrote:
> > On terça-feira, 28 de março de 2017 09:28:17 PDT Richard Moore wrote:
> > > There isn't a bug in Qt here. The server isn't transmitting the full
> > > chain as it's required to. You can bypass the error in the normal way
> > > if you really need to - read the docs.
> >
> > I did get a cert-invalid error with GnuTLS, but OpenSSL didn't get even
> > that far. The connection breaks down during the handshake phase.
> >
> > Packet capture shows the client sent Client Hello and then the connection
> > was immediately torn down by the server (TCP FIN). The Hello was:
> >
> > SSL Record Layer: Handshake Protocol: Client Hello
> > Content Type: Handshake (22)
> > Version: TLS 1.0 (0x0301)
> > Length: 312
> > Handshake Protocol: Client Hello
> > Handshake Type: Client Hello (1)
> > Length: 308
> > Version: TLS 1.2 (0x0303)
> > Random
> > Session ID Length: 0
> > Cipher Suites Length: 170
> > Cipher Suites (85 suites)
> > Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
> > Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
> > Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
> > Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
> > Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
> > Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
> > Cipher Suite: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00a5)
> > Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
> > Cipher Suite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00a1)
> > Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
> > Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
> > Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
> > Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069)
> > Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)
> > Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> > Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
> > Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)
> > Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
> > Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
> > Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
> > Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086)
> > Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085)
> > Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
> > Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
> > Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
> > Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
> > Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
> > Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
> > Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
> > Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
> > Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> > Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
> > Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
> > Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
> > Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
> > Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
> > Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
> > Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
> > Cipher Suite: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0x00a4)
> > Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
> > Cipher Suite: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00a0)
> > Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
> > Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
> > Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
> > Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003f)
> > Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003e)
> > Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> > Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
> > Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
> > Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)
> > Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
> > Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
> > Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)
> > Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)
> > Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
> > Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
> > Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043)
> > Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042)
> > Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
> > Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
> > Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
> > Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
> > Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
> > Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
> > Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
> > Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
> > Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> > Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
> > Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
> > Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
> > Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
> > Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
> > Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
> > Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
> > Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
> > Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
> > Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
> > Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
> > Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
> > Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)
> > Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)
> > Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
> > Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
> > Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
> > Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
> > Compression Methods Length: 1
> > Compression Methods (1 method)
> > Compression Method: null (0)
> > Extensions Length: 97
> > Extension: server_name
> > Type: server_name (0x0000)
> > Length: 20
> > Server Name Indication extension
> > Extension: ec_point_formats
> > Type: ec_point_formats (0x000b)
> > Length: 4
> > EC point formats Length: 3
> > Elliptic curves point formats (3)
> > Extension: elliptic_curves
> > Type: elliptic_curves (0x000a)
> > Length: 16
> > Elliptic Curves Length: 14
> > Elliptic curves (7 curves)
> > Elliptic curve: secp256r1 (0x0017)
> > Elliptic curve: secp521r1 (0x0019)
> > Elliptic curve: brainpoolP512r1 (0x001c)
> > Elliptic curve: brainpoolP384r1 (0x001b)
> > Elliptic curve: secp384r1 (0x0018)
> > Elliptic curve: brainpoolP256r1 (0x001a)
> > Elliptic curve: secp256k1 (0x0016)
> > Extension: SessionTicket TLS
> > Type: SessionTicket TLS (0x0023)
> > Length: 0
> > Data (0 bytes)
> > Extension: signature_algorithms
> > Type: signature_algorithms (0x000d)
> > Length: 32
> > Signature Hash Algorithms Length: 30
> > Signature Hash Algorithms (15 algorithms)
> > Extension: Heartbeat
> > Type: Heartbeat (0x000f)
> > Length: 1
> > Mode: Peer allowed to send requests (1)
>
> For reference, the GnuTLS Hello:
>
> TLSv1 Record Layer: Handshake Protocol: Client Hello
> Content Type: Handshake (22)
> Version: TLS 1.0 (0x0301)
> Length: 257
> Handshake Protocol: Client Hello
> Handshake Type: Client Hello (1)
> Length: 253
> Version: TLS 1.2 (0x0303)
> Random
> Session ID Length: 0
> Cipher Suites Length: 114
> Cipher Suites (57 suites)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 (0xc087)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CCM (0xc0ad)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc073)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 (0xc086)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CCM (0xc0ac)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (0xc072)
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
> Cipher Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 (0xc08b)
> Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
> Cipher Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc077)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
> Cipher Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 (0xc08a)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
> Cipher Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0xc076)
> Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
> Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
> Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 (0xc07b)
> Cipher Suite: TLS_RSA_WITH_AES_256_CCM (0xc09d)
> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
> Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
> Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0x00c0)
> Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
> Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 (0xc07a)
> Cipher Suite: TLS_RSA_WITH_AES_128_CCM (0xc09c)
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
> Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
> Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0x00ba)
> Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 (0xc07d)
> Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CCM (0xc09f)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0x00c4)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 (0xc07c)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CCM (0xc09e)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0x00be)
> Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
> Compression Methods Length: 1
> Compression Methods (1 method)
> Compression Method: null (0)
> Extensions Length: 98
> Extension: Extended Master Secret
> Type: Extended Master Secret (0x0017)
> Length: 0
> Extension: encrypt then mac
> Type: encrypt then mac (0x0016)
> Length: 0
> Data (0 bytes)
> Extension: status_request
> Type: status_request (0x0005)
> Length: 5
> Certificate Status Type: OCSP (1)
> Responder ID list Length: 0
> Request Extensions Length: 0
> Extension: server_name
> Type: server_name (0x0000)
> Length: 20
> Server Name Indication extension
> Extension: renegotiation_info
> Type: renegotiation_info (0xff01)
> Length: 1
> Renegotiation Info extension
> Extension: SessionTicket TLS
> Type: SessionTicket TLS (0x0023)
> Length: 0
> Data (0 bytes)
> Extension: elliptic_curves
> Type: elliptic_curves (0x000a)
> Length: 12
> Elliptic Curves Length: 10
> Elliptic curves (5 curves)
> Elliptic curve: secp256r1 (0x0017)
> Elliptic curve: secp384r1 (0x0018)
> Elliptic curve: secp521r1 (0x0019)
> Elliptic curve: secp224r1 (0x0015)
> Elliptic curve: secp192r1 (0x0013)
> Extension: ec_point_formats
> Type: ec_point_formats (0x000b)
> Length: 2
> EC point formats Length: 1
> Elliptic curves point formats (1)
> Extension: signature_algorithms
> Type: signature_algorithms (0x000d)
> Length: 22
> Signature Hash Algorithms Length: 20
> Signature Hash Algorithms (10 algorithms)
>
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
> Software Architect - Intel Open Source Technology Center
>
> _______________________________________________
> Interest mailing list
> Interest at qt-project.org
> http://lists.qt-project.org/mailman/listinfo/interest
>
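An added example, not part of the original thread: a small Python parser for the Wireshark-style Client Hello dissections quoted above, which recovers what a client offered (including codes that wrapped onto the next quoted line) and flags legacy suites such as the RC4-MD5 suite named in the reply. The function names and flag labels are assumptions of this example; the sample lines are excerpted from the two quoted captures.

```python
import re

# A dissected suite line; the hex code may have wrapped onto the next quoted line.
SUITE_RE = re.compile(r"Cipher Suite:\s+(TLS_\w+)[\s>]*\((0x[0-9a-fA-F]{4})\)")

# Lines excerpted from the two Client Hello dissections quoted in the thread.
OPENSSL_EXCERPT = """\
> > Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
> > Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> (0xc02c)
> > Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
> > Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
> > Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
"""
GNUTLS_EXCERPT = """\
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
> (0xcca9)
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
"""

RC4_MD5 = 0x0004  # TLS_RSA_WITH_RC4_128_MD5, which OpenSSL names RC4-MD5

def parse_suites(dissection):
    """Return [(name, code)] in the order the client offered them."""
    return [(n, int(c, 16)) for n, c in SUITE_RE.findall(dissection)]

def weaknesses(name):
    """Label legacy properties that are visible in the suite name itself."""
    if name.endswith("_SCSV"):
        return []  # signalling value, not a real cipher suite
    kx, _, rest = name[4:].partition("_WITH_")
    flags = [tag for tag in ("RC4", "3DES") if tag in rest]
    if rest.endswith("_MD5"):
        flags.append("MD5-MAC")
    if not kx.startswith(("ECDHE", "DHE")):
        flags.append("no-forward-secrecy")  # static RSA, DH or ECDH key exchange
    return flags

def offered(dissection, code):
    """True if the Client Hello lists the suite with this 16-bit code."""
    return any(c == code for _, c in parse_suites(dissection))

def legacy_offers(dissection):
    """Map each offered suite that carries a legacy flag to its flags."""
    return {n: f for n, _ in parse_suites(dissection) if (f := weaknesses(n))}

if __name__ == "__main__":
    for label, text in (("OpenSSL", OPENSSL_EXCERPT), ("GnuTLS", GNUTLS_EXCERPT)):
        print(label, "offers RC4-MD5:", offered(text, RC4_MD5), legacy_offers(text))
```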