"error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol"
What is the correct configuration?
--------- UPDATE
I don't know if it is of any relevance, but I tried a tool to check the FTP server and I got this; I really don't know what any of this means.
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 not offered
TLS 1.3 not offered
You should not proceed as no protocol was detected. If you still really really want to, say "YES" --> YES
NPN/SPDY not offered
ALPN/HTTP2 http/1.1 (offered)
Testing cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK)
Triple DES Ciphers / IDEA not offered
Obsolete: SEED + 128+256 Bit CBC cipher not offered
Strong encryption (AEAD ciphers) not offered
Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4
Cipher mapping not available, doing a fallback to openssl
Local problem: You only have 1 PFS ciphers on the client side
Testing server preferences
Has server cipher order? no (NOT ok)
Negotiated protocol TLSv1.2
Negotiated cipher ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) (limited sense as client will pick)
Negotiated cipher per proto (limited sense as client will pick)
(SSLv2: Local problem: /usr/bin/openssl doesn't support "s_client -ssl2")
ECDHE-RSA-AES256-GCM-SHA384: TLSv1.2
No further cipher order check has been done as order is determined by the client
Error setting TLSv1.3 ciphersuites
140630432556352:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
Testing server defaults (Server Hello)
TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11" "application layer protocol negotiation/#16"
Session Ticket RFC 5077 hint no -- no lifetime advertised
SSL Session ID support yes
Session Resumption Tickets no, ID: yes
TLS clock skew Random values, no fingerprinting possible
Client problem, shouldn't happen: Host certificate found but we can't continue with "server defaults".
Testing HTTP header response @ "/"
HTTP Status Code 403 Forbidden
HTTP clock skew 0 sec from localtime
Strict Transport Security not offered
Public Key Pinning --
Server banner Apache
Application banner --
Cookie(s) (none issued at "/") -- maybe better try target URL of 30x
Security headers --
Reverse Proxy banner --
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session ticket extension
ROBOT Error setting TLSv1.3 ciphersuites
140275162178880:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
Error setting TLSv1.3 ciphersuites
140324905874752:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
Error setting TLSv1.3 ciphersuites
139742720451904:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
Error setting TLSv1.3 ciphersuites
140133308515648:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
Error setting TLSv1.3 ciphersuites
140251683521856:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
Error setting TLSv1.3 ciphersuites
140392466134336:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
Error setting TLSv1.3 ciphersuites
140019500512576:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
Error setting TLSv1.3 ciphersuites
139707582891328:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
Error setting TLSv1.3 ciphersuites
139892042757440:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
Error setting TLSv1.3 ciphersuites
140262622430528:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
Error setting TLSv1.3 ciphersuites
140130529056064:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
not vulnerable (OK)
Secure Renegotiation (RFC 5746) supported (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) test failed (couldn't connect)
BREACH (CVE-2013-3587) no HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support
TLS_FALLBACK_SCSV (RFC 7507) test failed (couldn't connect)
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
make sure you don't use this certificate elsewhere with SSLv2 enabled services
https://censys.io/ipv4?q=EB4B836B43825246B82235A5E6851DEE642977E8714EA8C7D9F28BF907928B9C could help you to find out
LOGJAM (CVE-2015-4000), experimental Error setting TLSv1.3 ciphersuites
140009947899200:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental Error setting TLSv1.3 ciphersuites
140314971432256:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
RC4 (CVE-2013-2566, CVE-2015-2808) Local problem: No RC4 Ciphers configured in /usr/bin/openssl
Testing all 1 locally available ciphers against the server, ordered by encryption strength
Cipher mapping not available, doing a fallback to openssl
Hexcode Cipher Suite Name (IANA/RFC) KeyExch. Encryption Bits Cipher Suite Name (OpenSSL)
Local problem: couldn't find client simulation data in /home/user/etc/client-simulation.txt
Hexcode Cipher Suite Name (IANA/RFC) KeyExch. Encryption Bits Cipher Suite Name (OpenSSL)
In case you need to convert IANA names, OpenSSL names or hexadecimal codepoints:
There is a simple way to convert any OpenSSL (or GnuTLS, NSS, etc.) cipher name into IANA/standard/RFC cipher names by using the tls-map library in Ruby:

```ruby
require 'tls_map'
tm = TLSmap::App.new
# OpenSSL -> IANA
tm.search(:openssl, 'AES128-SHA', :iana) #=> {:iana=>"TLS_RSA_WITH_AES_128_CBC_SHA"}
# Hexadecimal codepoint to all (including OpenSSL & IANA)
tm.search(:codepoint, '1303') #=> {:codepoint=>"1303", :iana=>"TLS_CHACHA20_POLY1305_SHA256", :openssl=>"TLS_CHACHA20_POLY1305_SHA256", :gnutls=>"CHACHA20_POLY1305_SHA256", :nss=>"TLS_CHACHA20_POLY1305_SHA256"}
```
It's also available as a CLI tool:

```
$ tls-map search openssl AES128-SHA -o iana
iana: TLS_RSA_WITH_AES_128_CBC_SHA
```
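When the gem cannot be installed, the naming rule behind that mapping can be applied by hand for the common AES suites. The following is an added example, not part of the original answer and not tls-map's code: it pulls the negotiated cipher out of a scan report like the one in the question and rewrites the OpenSSL name into its IANA form. The function names, the regular expressions and the `SAMPLE_REPORT` constant are assumptions made for this illustration, and only AES suites are covered.

```ruby
# Added example: rule-based OpenSSL -> IANA cipher name conversion.
# Covers AES suites only; it applies the naming rule and does not check that
# the resulting name is actually registered. Use tls-map for full coverage.

# Two lines copied from the scan output quoted in the question.
SAMPLE_REPORT = <<~REPORT
  Negotiated protocol TLSv1.2
  Negotiated cipher ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) (limited sense as client will pick)
  Negotiated cipher per proto (limited sense as client will pick)
REPORT

# OpenSSL key-exchange/authentication prefix -> IANA spelling.
KEY_EXCHANGE = {
  'ECDHE-RSA'   => 'ECDHE_RSA',
  'ECDHE-ECDSA' => 'ECDHE_ECDSA',
  'DHE-RSA'     => 'DHE_RSA',
  'DHE-DSS'     => 'DHE_DSS'
}.freeze

# [prefix-]AES<bits>-[GCM-]<hash>, e.g. AES128-SHA or ECDHE-RSA-AES256-GCM-SHA384
AES_SUITE = /\A(?:(ECDHE-RSA|ECDHE-ECDSA|DHE-RSA|DHE-DSS)-)?AES(128|256)-(?:(GCM)-)?(SHA(?:256|384)?)\z/

# Returns the IANA name, or nil when the name is outside the supported subset.
def openssl_to_iana(name)
  return name if name.start_with?('TLS_') # TLS 1.3 suites share one name

  m = AES_SUITE.match(name)
  return nil unless m

  key_exchange = m[1] ? KEY_EXCHANGE.fetch(m[1]) : 'RSA' # no prefix means RSA
  mode = m[3] || 'CBC'                                   # OpenSSL omits "CBC"
  "TLS_#{key_exchange}_WITH_AES_#{m[2]}_#{mode}_#{m[4]}"
end

# Extracts the OpenSSL cipher name from the "Negotiated cipher <name>," line.
# The "Negotiated cipher per proto" heading has no name and is skipped.
def negotiated_cipher(report)
  report[/^Negotiated cipher\s+([A-Z0-9_-]+),/, 1]
end

if __FILE__ == $PROGRAM_NAME
  cipher = negotiated_cipher(SAMPLE_REPORT)
  puts "#{cipher} -> #{openssl_to_iana(cipher) || 'not covered by this rule'}"
end
```

Names the rule does not cover, such as `DES-CBC3-SHA`, return `nil` instead of a guessed translation.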