Hi Matt,
thanks for checking this out. The conclusions you draw are related, but the one is not the reason the other fails.
It is true we have only a grade C rating on SSL Labs. We are currently taking steps to get ourselves to an A rating.
However, to achieve that, we need a new certificate that includes different ciphers and various other tweaks. To get such a “perfect” certificate takes some time.
However, we did switch off SSLv3 support on all our load balancers, according to current industry best practice:
https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
Also, curl can have problems if you don’t specify the ciphers or set the CURLOPTS variable differently from the capabilities of your endpoint.
A good description can be found here: http://blog.techstacks.com/2010/03/3-common-causes-of-unknown-ssl-protocol-errors-with-curl.html
Best is to check on SSLLabs which protocol/cipher combination is supported.
That’s why the standard curl could fail, as in this example, since NULL or ANONYMOUS ciphers are not supported/allowed:
$ curl --tlsv1.2 --ciphers NULL https://car2go.com
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
But if you specify a supported cipher:
$ curl --tlsv1.2 --ciphers RC4-SHA https://car2go.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.car2go.com/">here</a>.</p>
<hr>
<address>IBM_HTTP_Server at car2go.com Port 80</address>
</body></html>
Our goal is to transition to a banking-like cipher set in the near future:
Cipher suite (id) key exchange [FS = forward secrecy] | cipher strength (bits)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS | 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS | 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS | 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) | 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) | 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) | 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS | 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) FS | 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) FS | 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) | 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) | 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) | 256
Good luck.
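As an added example that is not part of the reply above (hypothetical helper code, not curl's or car2go's own), the following Python turns an SSL Labs-style suite list like the one quoted in the reply into the OpenSSL names that `curl --ciphers` expects, builds one `--tlsv1.2` probe per suite, and reads curl's exit status the way the handshake failure above is read. It assumes a constructed host (`example.com`), sample rows constructed in the flattened "name (id) ... FS | bits |" layout of the reply, and a name-mapping rule that only covers the RSA / ECDHE-RSA suites with AES, RC4 or NULL that the reply mentions.

```python
# Hypothetical helper (not curl's or car2go's code): turn an SSL Labs-style
# suite list into per-suite `curl --ciphers` probes and read their results.
import re
import subprocess
# Constructed sample in the flattened "name (id) key-exchange FS | bits |" layout.
SAMPLE = """TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS |
128 |
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) |
128 |
"""
ROW = re.compile(r"^(TLS_\w+)\s+\((0x[0-9a-f]+)\)(.*?)\|\s*(\d+)\s*\|", re.M | re.S)
def parse_suites(text):
    """Return (iana_name, hex_id, has_forward_secrecy, key_bits) for each row."""
    return [(n, h, "FS" in extra, int(bits)) for n, h, extra, bits in ROW.findall(text)]

def to_openssl_name(iana):
    """IANA suite name -> the OpenSSL name `curl --ciphers` expects.
    Assumption: RSA / ECDHE-RSA suites with AES, RC4 or NULL only (all the reply uses)."""
    s = iana[4:] if iana.startswith("TLS_") else iana
    s = s.replace("_WITH_", "_").replace("_CBC_", "_").replace("RC4_128", "RC4")
    s = re.sub(r"AES_(\d+)", r"AES\1", s)
    if s.startswith("RSA_"):  # static RSA key exchange is implicit in OpenSSL names
        s = s[4:]
    return s.replace("_", "-")

def probe_command(host, iana, tls="1.2"):
    """argv for one probe, like `curl --tlsv1.2 --ciphers RC4-SHA https://host`."""
    return ["curl", "-sS", "-o", "/dev/null", "--tlsv" + tls,
            "--ciphers", to_openssl_name(iana), "https://" + host + "/"]

def classify(returncode, stderr):
    """curl exit 35 plus 'handshake failure' means the server refused the suite."""
    if returncode == 0:
        return "accepted"
    if returncode == 35 and "handshake failure" in stderr:
        return "rejected"
    return "error"  # DNS, timeout, certificate problems etc.

def run_probes(host, text):
    """Probe every parsed suite against host; returns {openssl_name: verdict}."""
    results = {}
    for iana, _hex, _fs, _bits in parse_suites(text):
        proc = subprocess.run(probe_command(host, iana), capture_output=True, text=True)
        results[to_openssl_name(iana)] = classify(proc.returncode, proc.stderr)
    return results

if __name__ == "__main__":
    for name, verdict in run_probes("example.com", SAMPLE).items():  # constructed host
        print(name, verdict)
```

Run it against your own endpoint to confirm that the intended suites are accepted and that NULL, ANONYMOUS and RC4 suites are rejected before relying on the SSL Labs grade.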