Re: [Urgent] Help with testing TLS 1.2 support

Thu, 04 Jul 2019 12:55:49 -0700 

Actually super easy, barely an inconvenience ;-)

just set the tls version:
curl -v https://netbeans.org/ -o /dev/null --tls-max 1.1 2&>
/tmp/netbeans_org_tls1.1.log

As you can see in the logs it's working as intended, tested with curl
7.64.0:
alied@development:~$ curl --version
curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1c
zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0
nghttp2/1.36.0 librtmp/2.3
Release-Date: 2019-02-06
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

from Debian testing.

On 7/4/19 8:08 AM, Jiří Kovalský wrote:
> Hi NetCATters,
>
>    turning lights off is way easier than turning netbeans.org domain
> off and so the latter is a step-by-step process. You all surely know
> that we have migrated all the critical content to the new website
> https://netbeans.apache.org which is running TLS 1.2 already and now
> we want to disable old TLS 1.0/1.1 security standards on former
> https://netbeans.org as the step #2 before step #3 i.e.
> decommissioning. The two dated protocols will be turned off tomorrow -
> July 5th PDT.
>
> For that we are looking for volunteers who will quickly verify after
> the change that:
>
> 1. https://netbeans.org continues serving content via TLS 1.2 ciphering
> 2. https://netbeans.org does no longer serve content via TLS 1.0/1.1
> ciphering
>
> If you don't know how to control version of TLS for your browser,
> please read here:
>
> https://knowledge.digicert.com/generalinformation/INFO3299.html
>
> In particular I am afraid of disappeared http://plugins.netbeans.org
> which is only running on HTTP protocol but let's hope for the best. :)
>
> Is anyone willing to help with this test in your country on such a
> short notice?
>
> Thanks a lot,
> -Jirka
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
> For further information about the NetBeans mailing lists, visit:
> https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
>


* Expire in 0 ms for 6 (transfer 0x55c97b23dd00)
* Expire in 1 ms for 1 (transfer 0x55c97b23dd00)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Expire in 0 ms for 1 (transfer 0x55c97b23dd00)

===Stripped for sanity===

*   Trying 137.254.56.49...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55c97b23dd00)
* Connected to netbeans.org (137.254.56.49) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [87 bytes data]

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2777 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=Redwood City; O=Oracle Corporation; CN=*.netbeans.org
*  start date: Jan 31 00:00:00 2019 GMT
*  expire date: Mar 31 12:00:00 2020 GMT
*  subjectAltName: host "netbeans.org" matched cert's "netbeans.org"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
} [5 bytes data]
> GET / HTTP/1.1
> Host: netbeans.org
> User-Agent: curl/7.64.0
> Accept: */*
> 
{ [5 bytes data]
< HTTP/1.1 200 OK
< Date: Thu, 04 Jul 2019 19:33:57 GMT
< Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.2n mod_perl/2.0.7 Perl/v5.14.2
< Set-Cookie: PHPSESSID=3efm4q2mt3aho3rlr3o334fgj7; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html
< 
{ [1025 bytes data]

100 16326    0 16326    0     0  12349      0 --:--:--  0:00:01 --:--:-- 12349
* Connection #0 to host netbeans.org left intact
* Expire in 0 ms for 6 (transfer 0x55c97b23dd00)
* Expire in 1 ms for 1 (transfer 0x55c97b23dd00)
* Expire in 0 ms for 1 (transfer 0x55c97b23dd00)
* Expire in 1 ms for 1 (transfer 0x55c97b23dd00)
* Expire in 0 ms for 1 (transfer 0x55c97b23dd00)
* Expire in 0 ms for 1 (transfer 0x55c97b23dd00)
* Expire in 0 ms for 1 (transfer 0x55c97b23dd00)
*   Trying 0.0.0.2...
* TCP_NODELAY set
* Immediate connect fail for 0.0.0.2: Invalid argument
* Closing connection 1
curl: (7) Couldn't connect to server

* Expire in 0 ms for 6 (transfer 0x560a865acd00)
* Expire in 1 ms for 1 (transfer 0x560a865acd00)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Expire in 0 ms for 1 (transfer 0x560a865acd00)

===Stripped for sanity===

*   Trying 137.254.56.49...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x560a865acd00)
* Connected to netbeans.org (137.254.56.49) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, internal error (592):
} [2 bytes data]
* error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (35) error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available
* Expire in 0 ms for 6 (transfer 0x560a865acd00)
* Expire in 1 ms for 1 (transfer 0x560a865acd00)
* Expire in 0 ms for 1 (transfer 0x560a865acd00)
* Expire in 1 ms for 1 (transfer 0x560a865acd00)
* Expire in 0 ms for 1 (transfer 0x560a865acd00)
* Expire in 0 ms for 1 (transfer 0x560a865acd00)
* Expire in 0 ms for 1 (transfer 0x560a865acd00)
*   Trying 0.0.0.2...
* TCP_NODELAY set
* Immediate connect fail for 0.0.0.2: Invalid argument
* Closing connection 1
curl: (7) Couldn't connect to server

Attachment: 0xBC145E315122EAC4.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to