Cloudflare trying to use SSLv3?

Security
#1

the domain https://1.s.paste.loltek.net/ is proxied through cloudflare, the target server doesn’t even have port 443 open (only port 80/http), and… cloudflare try to use SSLv3 when browsers try to connect to it? (notably default curl compilations haven’t supported sslv3 for years, and my curl binary does not have sslv3 enabled) here’s what happens when i try to curl it:

$ curl -v 'https://1.s.paste.loltek.net/'
* STATE: INIT => CONNECT handle 0x800083ef8; line 1654 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x800083ef8; line 1700 (connection #0)
* family0 == v4, family1 == v6
*   Trying 172.67.209.195:443...
* STATE: WAITRESOLVE => WAITCONNECT handle 0x800083ef8; line 1782 (connection #0)
* Connected to 1.s.paste.loltek.net (172.67.209.195) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x800083ef8; line 1845 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x800083ef8; line 1866 (connection #0)
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Marked for [closure]: Failed HTTPS connection
* multi_done
* The cache now contains 0 members
* Closing connection 0
* Expire cleared (transfer 0x800083ef8)
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

… and i build a curl binary with sslv3 support (using the instructions here https://stackoverflow.com/a/56394968/1067003 ), that didn’t work either,

[email protected]:/temp/curl/curl/src# ./curl https://1.s.paste.loltek.net -v
*   Trying 172.67.209.195:443...
* Connected to 1.s.paste.loltek.net (172.67.209.195) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
[email protected]:/temp/curl/curl/src# ./curl --sslv3 https://1.s.paste.loltek.net -v
*   Trying 172.67.209.195:443...
* Connected to 1.s.paste.loltek.net (172.67.209.195) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3 (OUT), TLS handshake, Client hello (1):
* SSLv3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

so… what’s going on here?

Digitalocean CDN, custom domain and Cloudflare SSL
#2

It looks like your ‘curl’ command is trying to connect with SSLv3, and failing. Why do you think Cloudflare is trying to use SSLv3?

#3

when i connect with curl i get a sslv3 error in curl; when i connect with firefox i get SSL_ERROR_NO_CYPHER_OVERLAP which basically means “server didn’t offer any tls versions supported by firefox”; when i connect with Chrome i get

**1.s.paste.loltek.net** uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.

which means basically the same thing; seems it’s using some version not supported by Chrome nor Firefox, and curl spout some sslv3 errors when trying to connect to it;

screenshot: https://i.imgur.com/nWY8vWs.png

#4

even when i try to connect to cloudflare’s ip directly, https://172.67.209.195/ , i get the same error =/ so it’s not just my domain then?

#5
#6

hmm

  1. Certificates will only cover a single level of subdomains (.example.com, but not *…example.com):

yup that’s the problem, 1.s.paste.loltek.net is 3 subdomains deep, seems that’s not supported by cloudflare proxy? ok, thanks (ideally the control panel should have given a warning about this when trying to create it z.z )

1 Like
#7

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.