SSL problems on car2go.com preventing use of API


Matt Caywood

Jun 18, 2015, 8:28:34 AM
to car2go-...@googlegroups.com

Hi,

As of yesterday 2015.06.11, the SSL on car2go.com is set up incorrectly and calls using the very common CURL library will fail:

> curl https://car2go.com
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

(this is curl 7.38.0)

If you look at SSLLabs for car2go.com, you now see a C grade and a number of failures.

Please fix it ASAP so we can use your data. Thank you.

mathias.goeppel

Jun 24, 2015, 8:09:19 AM
to car2go-...@googlegroups.com, cay...@gmail.com

Hi Matt,

thanks for checking this out. The conclusions you draw are related, but the one is not the reason the other fails.

 

It is true we have only a grade C rating on SSLLabs. We are currently taking steps to get ourselves to an A rating.

However, to achieve that, we need a new certificate that includes different ciphers and various other tweaks. To get such a “perfect” certificate takes some time.

However, we did switch off SSLv3 support on all our load balancers, according to current industry best practice:

https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

 

Also, curl can have problems if you don’t specify the ciphers, or if you set the CURLOPTS variable differently from the capabilities of your endpoint.

A good description can be found here: http://blog.techstacks.com/2010/03/3-common-causes-of-unknown-ssl-protocol-errors-with-curl.html

Best is to check on SSLLabs which protocol/cipher combination is supported.

 

That’s why the standard curl could fail, like in this example, as NULL or ANONYMOUS is not supported/allowed:

$ curl --tlsv1.2 --ciphers NULL https://car2go.com
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

 

But if you specify a supported cipher…:

$ curl --tlsv1.2 --ciphers RC4-SHA https://car2go.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.car2go.com/">here</a>.</p>
<hr>
<address>IBM_HTTP_Server at car2go.com Port 80</address>
</body></html>

 

Our goal is to transition to a banking-like cipher set in the near future:

Cipher suite                            Id      Key exchange                        FS   Bits
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   0xc02f  ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   0xc027  ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      0xc013  ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_RSA_WITH_AES_128_GCM_SHA256         0x9c                                             128
TLS_RSA_WITH_AES_128_CBC_SHA256         0x3c                                             128
TLS_RSA_WITH_AES_128_CBC_SHA            0x2f                                             128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   0xc030  ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   0xc028  ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      0xc014  ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_RSA_WITH_AES_256_GCM_SHA384         0x9d                                             256
TLS_RSA_WITH_AES_256_CBC_SHA256         0x3d                                             256
TLS_RSA_WITH_AES_256_CBC_SHA            0x35                                             256

 

Good luck.
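The reply above explains the failure as a cipher-suite mismatch: curl offers a set of suites, the server picks the first one it also supports, and when there is no overlap the server answers with a TLS handshake_failure alert, which OpenSSL-based curl reports as error 35 "sslv3 alert handshake failure". The following Python script is an added example written for this thread (not car2go code, no network access) that decodes the IANA suite names from the target list above, simulates that server-preference selection for a few constructed curl `--ciphers` strings, and counts the suites in the target list that lack forward secrecy or use non-AEAD (CBC) modes. The OpenSSL-to-IANA name table is a small constructed subset.

```python
"""Decode TLS 1.2 cipher-suite names and simulate the server's suite selection.

Added example for this thread; it is not car2go code and touches no network.
SERVER_SUITES is the target list quoted in the reply; the client offers and the
OpenSSL-name table are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Target server list from the reply, in the order given (treated as server preference).
SERVER_SUITES: List[str] = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# curl's --ciphers takes OpenSSL names; constructed subset of the OpenSSL -> IANA mapping.
OPENSSL_TO_IANA: Dict[str, str] = {
    "NULL-SHA": "TLS_RSA_WITH_NULL_SHA",
    "AECDH-AES128-SHA": "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    "RC4-SHA": "TLS_RSA_WITH_RC4_128_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# TLS_<key exchange>_WITH_<cipher>_<MAC/PRF hash>
_SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)$")


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str  # e.g. "ECDHE_RSA", "RSA", "ECDH_anon"
    cipher: str        # e.g. "AES_128_GCM", "AES_256_CBC", "NULL"
    mac: str           # e.g. "SHA256", "SHA"

    @property
    def forward_secrecy(self) -> bool:
        # Ephemeral (EC)DH key exchange; static RSA key transport has none.
        return self.key_exchange.startswith(("ECDHE", "DHE"))

    @property
    def aead(self) -> bool:
        return self.cipher.endswith("_GCM") or "CHACHA20_POLY1305" in self.cipher

    @property
    def null_or_anon(self) -> bool:
        # No encryption at all, or no server authentication at all.
        return self.cipher == "NULL" or self.key_exchange.endswith("anon")


def parse_suite(name: str) -> Suite:
    """Split an IANA cipher-suite name into key-exchange, cipher and MAC parts."""
    m = _SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"not a TLS 1.2 style suite name: {name}")
    return Suite(name, m["kx"], m["cipher"], m["mac"])


def openssl_ciphers_to_iana(cipher_string: str) -> List[str]:
    """Translate a curl/OpenSSL --ciphers string ("RC4-SHA:AES128-SHA") to IANA names."""
    return [OPENSSL_TO_IANA[c] for c in cipher_string.split(":") if c in OPENSSL_TO_IANA]


def select_suite(server_prefs: List[str], client_offer: List[str]) -> Optional[str]:
    """Server-preference selection: the first server suite the client also offered.

    None means no common suite; a real server then sends a handshake_failure alert,
    which OpenSSL-based curl reports as error 35 "sslv3 alert handshake failure".
    """
    offered = set(client_offer)
    for name in server_prefs:
        if name in offered:
            return name
    return None


def audit(suite_names: List[str]) -> Dict[str, int]:
    """Count weaknesses in a suite list: no forward secrecy, non-AEAD (CBC), NULL/anon."""
    suites = [parse_suite(n) for n in suite_names]
    return {
        "total": len(suites),
        "no_forward_secrecy": sum(not s.forward_secrecy for s in suites),
        "non_aead": sum(not s.aead for s in suites),
        "null_or_anon": sum(s.null_or_anon for s in suites),
    }


if __name__ == "__main__":
    for cipher_string in ("NULL-SHA", "RC4-SHA",
                          "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"):
        chosen = select_suite(SERVER_SUITES, openssl_ciphers_to_iana(cipher_string))
        print(f"--ciphers {cipher_string!r:60} -> {chosen or 'handshake_failure'}")
    print(audit(SERVER_SUITES))
```

Two things the simulation makes visible that the thread only implies: the RC4-SHA suite that works in the reply's example is absent from the target list, so that curl invocation would also end in a handshake failure once the transition is done, and half of the target list (the TLS_RSA_* suites) still lacks forward secrecy, which is what SSLLabs keeps grading down after the SSLv3 switch-off.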
