Somos SaaS & Proveedor de IaaS que utiliza predominantemente Windows 2012 (R2) para el alojamiento. Comenzamos a evaluar el sistema operativo Windows 2016 y notamos que nuestros sitios ya no son accesibles a través de Chrome / Firefox (funciona a través de IE / Edge). Lanza:
No se puede acceder a este sitio
La página web en enlace podría estar temporalmente fuera de servicio o haberse movido permanentemente a un nuevo dirección web. ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY
A continuación se muestra la salida de Fiddler:
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.
Version: 3.3 (TLS/1.2)
Random: F6 42 DD 5A 96 11 36 5C DD 6C 85 43 1D 9C 29 48 D4 E5 62 05 66 A6 14 6F 4B B8 D7 C4 02 2B 86 85
"Time": 23/04/2018 12:20:38 PM
SessionID: D2 44 00 00 BF 88 16 FA BC 63 84 AC DD 57 4C 7E A0 15 AA 84 9A BA DF DD 03 0C E6 FC E1 D3 F1 E9
Extensions:
0xdada empty
renegotiation_info 00
server_name gemini-ci.dev.company.com.au
extended_master_secret empty
SessionTicket empty
signature_algs sha256_ecdsa, Unknown[0x8]_Unknown[0x4], sha256_rsa, sha384_ecdsa, Unknown[0x8]_Unknown[0x5], sha384_rsa, Unknown[0x8]_Unknown[0x6], sha512_rsa, sha1_rsa
status_request OCSP - Implicit Responder
SignedCertTimestamp (RFC6962) empty
ALPN h2, http/1.1
channel_id(GoogleDraft) empty
ec_point_formats uncompressed [0x0]
elliptic_curves unknown [0x4A4A), unknown [0x1D), secp256r1 [0x17], secp384r1 [0x18]
0x5a5a 00
padding 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Ciphers:
[FAFA] Unrecognized cipher - See http://www.iana.org/assignments/tls-parameters/
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[CCA9] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
[CCA8] TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
[C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[009C] TLS_RSA_WITH_AES_128_GCM_SHA256
[009D] TLS_RSA_WITH_AES_256_GCM_SHA384
[002F] TLS_RSA_AES_128_SHA
[0035] TLS_RSA_AES_256_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
Compression:
[00] NO_COMPRESSION
y
This is a CONNECT tunnel, through which encrypted HTTPS traffic flows.
To view the encrypted sessions inside this tunnel, enable the Tools > Options > HTTPS > Decrypt HTTPS traffic option.
A SSLv3-compatible ServerHello handshake was found. Fiddler extracted the parameters below.
Version: 3.3 (TLS/1.2)
SessionID: D2 44 00 00 BF 88 16 FA BC 63 84 AC DD 57 4C 7E A0 15 AA 84 9A BA DF DD 03 0C E6 FC E1 D3 F1 E9
Random: 59 81 38 EA 88 E4 DA 94 9C 2F 59 86 38 92 D3 42 B8 59 6F F7 F3 08 EF D6 CC 8E 76 CF E3 99 36 EE
Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384 [0x009D]
CompressionSuite: NO_COMPRESSION [0x00]
Extensions:
ALPN h2
extended_master_secret empty
renegotiation_info 00
server_name empty
Todas las configuraciones relevantes para Hashes, algoritmos de intercambio de claves, soporte TLS / SSL, pedidos de Cipher Suite son automáticos y se administran a través de Puppet, que funciona bien en las máquinas virtuales 2012 R2, pero no tanto en el sistema operativo 2016.
A continuación se muestra lo que he hecho hasta ahora:
Disabled PCT 1.0, SSL 2.0, SSL 3.0
Enabled TLS 1.0, TLS 1.1, TLS 1.2
Enabled Ciphers AES 128/128, AES 256/256, Triple DES 168/168
Enabled Hashes MD5, SHA, SHA256, SHA384, SHA512
Enabled Key-Exchange algorithms Diffie-Hellman, PKCS, ECDH
Orden de las suites de cifrado:
'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
'TLS_RSA_WITH_AES_256_GCM_SHA384',
'TLS_RSA_WITH_AES_128_GCM_SHA256',
'TLS_RSA_WITH_AES_256_CBC_SHA256',
'TLS_RSA_WITH_AES_128_CBC_SHA256',
'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_AES_128_CBC_SHA'
¿Por qué se queja de que extended_master_secret está vacío? Entiendo que es un problema con el pedido de Cipher Suite pero parece que no puedo encontrar un pedido perfecto de confidencialidad. Cualquier sugerencia sería de gran ayuda, gracias.
Karthik