Problem with SSL/TLS negotiation - missing ciphers in suite

rlotter
Posts: 3
Joined: Sat Oct 10, 2020 12:05 pm

Problem with SSL/TLS negotiation - missing ciphers in suite

Post by rlotter »

Hello:

Long time listener, first time caller, love the show - err: long time POP Peeper user, first time PP forum poster, please forgive any gaffes! :)

I noticed when I upgraded to POP Peeper 5.0 - a nice upgrade, completely worth the price! - that I was having problems on a couple of my RSS feeds. Some of them returned errors every time, no matter what, so I finally dug into it this week.

(FYI: I have worked in corporate IT security for a... umm long time and have a fair background in encryption.)

What I did was use Wireshark to take a packet capture on my computer when POP Peeper was checking messages/RSS feeds. Then I went into one of the feeds that was throwing errors and copied the feed URL:
I looked at the SSL Client Hello where the client proposes the cipher suite for the TLS session, and found that the server was responding with a fatal error: handshake failure. So I checked the list of ciphers the client put in its proposal to the server, and compared it against the SSL Labs analysis of the site https://www.ssllabs.com/ssltest/analyze ... ecomic.com, and confirmed that the site only accepts two ciphers for TLS 1.2, and three for TLS 1.3, and they are not listed in POP Peeper's proposal, i.e. the SSL library that is being currently used - or the POP Peeper configuration used to call it - needs to be updated or enhanced to provide proper compatibility.

TLS negotiation.jpg

Specifically, POP Peeper needs to support ECDHE using RSA in Galois/Counter mode, with SHA256 or SHA384 hashes:

https://ciphersuite.info/cs/TLS_ECDHE_R ... CM_SHA256/
https://ciphersuite.info/cs/TLS_ECDHE_R ... CM_SHA384/

According to the SSLLabs report, this has been supported since Android 4.x, Chrome 49 in XP, Firefox 47 in XP, etc. so it is not a super-recent cipher. How can we get this change added into POP Peeper, or if it is a configuration case, configure POP Peeper to do so?

Thank you,


Rick
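
The comparison described in the post above (read the cipher suites out of the Client Hello, then check them against what the server accepts), sketched as an added example that is not part of the original thread and not POP Peeper's code. The sample Client Hello and its legacy suite list are constructed, not taken from the poster's capture; the two server suites are the IANA code points for ECDHE-RSA with AES-GCM, and the parser assumes the whole Client Hello sits in a single TLS record.

```python
import struct

# IANA code points for ECDHE key exchange, RSA authentication, AES-GCM,
# the kind of TLS 1.2 suites the post says the server requires.
SERVER_ACCEPTS = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Constructed sample offer (CBC and 3DES suites only), not the real capture.
LEGACY_OFFER = [0xC014, 0xC013, 0x0035, 0x002F, 0x000A]

def build_client_hello(suites):
    """Build a minimal TLS 1.2 ClientHello record as constructed test input."""
    body = b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))    # cipher suite list length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_suites(record):
    """Return the cipher suite IDs a ClientHello record offers, in order."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or not hs or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    try:
        pos = 4 + 2 + 32                          # handshake header, version, random
        pos += 1 + hs[pos]                        # skip the session id
        (n,) = struct.unpack("!H", hs[pos:pos + 2])
    except (IndexError, struct.error):
        raise ValueError("ClientHello too short") from None
    raw = hs[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("malformed cipher suite list")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]

def shared_suites(record, server_accepts=SERVER_ACCEPTS):
    """Names of suites both sides support; an empty list means the handshake fails."""
    return [server_accepts[s] for s in offered_suites(record) if s in server_accepts]
```

To run it on a real capture, pass the bytes of the Client Hello's TLS record (exported from the capture) to `shared_suites`.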
Reggorf
Posts: 18
Joined: Mon Oct 21, 2019 12:27 pm

Re: Problem with SSL/TLS negotiation - missing ciphers in suite

Post by Reggorf »

I'm guessing it has to do with what Windows offers, specifically through its IE-related components.

I think only Windows 10 provides all the "latest" ciphers, but maybe not even that.
spc3rd
Moderator
Posts: 853
Joined: Tue Aug 30, 2011 5:45 pm

Re: Problem with SSL/TLS negotiation - missing ciphers in suite

Post by spc3rd »

rlotter wrote: Sat Oct 10, 2020 12:53 pm Long time listener, first time caller, love the show - err: long time POP Peeper user, first time PP forum poster, please forgive any gaffes! :)
Welcome to the Esumsoft Forums, Rick :)

You're forgiven. Thank you for your inquiry and comments which will be reviewed further by Jeff and other members of The Esumsoft Team.

In the interim, as our newest member, we ask that you please review the following Sticky topic:

Information for new users and forum members

The article contains important, helpful information which all members should be aware of. If you have any questions or comments, feel free to let us know.

Thank you & welcome aboard!
Global Moderator
Jeff
Admin / Developer
Posts: 9227
Joined: Sat Sep 08, 2001 9:46 pm

Re: Problem with SSL/TLS negotiation - missing ciphers in suite

Post by Jeff »

Reggorf is right, it depends on what your version of IE supports (it's not really "IE" but IE uses the same system-provided technology that POP Peeper uses). I've seen cases where the relevant options were disabled, so make sure that you've enabled the appropriate settings:
- In the Windows Start menu, type and open: Internet options (or: Control Panel / Network and Internet / Internet Options)
- Click on the "Advanced tab"
- Scroll the list to the very bottom and you should see several options for "Use TLS v1.x"
In general, TLS 1.1 and 1.2 should be enabled; 1.3 is listed as "experimental" and is usually not enabled by default.

If you have older Windows you may not see these options. I believe TLS 1.2 was added in Win7, but I've read that there are ways to get it to work in Vista. If you have XP, then I'm afraid you're probably out of luck.
Sampei.Nihira
Posts: 13
Joined: Tue Sep 08, 2020 2:00 pm

Re: Problem with SSL/TLS negotiation - missing ciphers in suite

Post by Sampei.Nihira »

Why would we XP users be out of luck? :D

As you can see my XP OS supports TLS 1.2:
100.JPG
And few browsers in modern OS are set up similar to my New Moon 28:
100a.JPG
Jeff
Admin / Developer
Posts: 9227
Joined: Sat Sep 08, 2001 9:46 pm

Re: Problem with SSL/TLS negotiation - missing ciphers in suite

Post by Jeff »

I found several search results leading to this page:
https://sockettools.com/kb/support-for- ... indows-xp/
and of most relevance:
"Microsoft had previously released an update for Windows Embedded POSReady 2009 which could be installed on Windows XP, adding support for TLS 1.2. However, it required making a permanent change to the operating system and most importantly, it did not include updated cipher suites."

I've checked my own XP in a VM, and it only has TLS 1.0; and, as that article confirms, TLS 1.2 wasn't added into the OS until Win 7.

So, even though your XP may say it supports "TLS 1.2", it does not have the sufficient ciphers, as you originally reported. Mozilla uses their own libraries, which is why they can support TLS 1.2 on XP. Sorry, but unless there's some other way to hack XP to include additional cipher suites, certain websites are simply inaccessible on XP using the system-provided libraries (and that includes esumsoft.com).

It wouldn't surprise me if there's a web service out there that allows you to access any RSS feed via http.... (I'm not saying that one exists, I'm just saying that it shouldn't be that hard to implement and there are certainly still use-cases for it since some people really like holding on to XP for whatever reason :wink: ).
rlotter
Posts: 3
Joined: Sat Oct 10, 2020 12:05 pm

Re: Problem with SSL/TLS negotiation - missing ciphers in suite

Post by rlotter »

Jeff wrote: So, even though your XP may say it supports "TLS 1.2", it does not have the sufficient ciphers, as you originally reported. Mozilla uses their own libraries, which is why they can support TLS 1.2 on XP. Sorry, but unless there's some other way to hack XP to include additional cipher suites, certain websites are simply inaccessible on XP using the system-provided libraries (and that includes esumsoft.com).

It wouldn't surprise me if there's a web service out there that allows you to access any RSS feed via http.... (I'm not saying that one exists, I'm just saying that it shouldn't be that hard to implement and there are certainly still use-cases for it since some people really like holding on to XP for whatever reason :wink: ).
There were a few replies to this topic, but I am only quoting the most recent. First, I did not include all of the supplementary information. Per POP Peeper's plugin screen:

Plugins.jpg

The file libssh-1_1.dll is part of the OpenSSL libraries, which is the crypto library that PP5 apparently uses:

openssl_info.jpg

Shown is the information from PP5, which includes 1.1.1.7, i.e. 1.1.1g, a previous version. The latest/current version is 1.1.1.8, internal version 1.1.1h. Regardless, both versions of the OpenSSL library support the two cipher suites listed in the previous SSLLabs report (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384). You can check this by running OpenSSL CLI as shown here:

supported_ciphers.jpg

So, according to this output, OpenSSL - the library PP5 is using - supports the cipher suite, but the application is not configuring the OpenSSL library it is using to use it, per the sniff I previously provided showing the SSL Client Hello.

So, when you roll this together, either the default build of the OpenSSL binary included - or how the program is calling it - is apparently not fully utilizing all the supported cipher suites, which is causing errors handling some of the RSS feeds via sites that have stringent requirements. You can find more information about programmatically controlling the OpenSSL library via this article on OpenSSL's site.

Hopefully this helps clarify things a bit. If you can update the configuration/calling of the OpenSSL library into PP5 you should have 100% coverage independent of operating system. Please let me know if you have any additional questions, etc.

Thank you,


Rick
Jeff
Admin / Developer
Posts: 9227
Joined: Sat Sep 08, 2001 9:46 pm

Re: Problem with SSL/TLS negotiation - missing ciphers in suite

Post by Jeff »

As I alluded to above, POP Peeper uses the system's API for http/https calls, that's why you need the OS's support for RSS feeds. The SSL plugin is used for IMAP, POP3 and SMTP.
rlotter
Posts: 3
Joined: Sat Oct 10, 2020 12:05 pm

Re: Problem with SSL/TLS negotiation - missing ciphers in suite

Post by rlotter »

Jeff wrote: Wed Oct 14, 2020 1:42 pm As I alluded to above, POP Peeper uses the system's API for http/https calls, that's why you need the OS's support for RSS feeds. The SSL plugin is used for IMAP, POP3 and SMTP.
Hmm, sorry, I missed that... unfortunate, but understandable. I have some updates to do, I will confirm after then.

Thank you!


Rick