Topic: LCL bank does not support TLS 1.2 (read 25,853 times)


vivien (Administrator)
Reply #48, 3 February 2019 at 17:25:00
Same here, I get TLS 1.2 on https://particuliers.secure.lcl.fr with Firefox.

Yet the various analysis tools do not see TLS 1.2:
- https://tls.imirhil.fr/https/particuliers.secure.lcl.fr
- https://www.ssllabs.com/ssltest/analyze.html?d=particuliers.secure.lcl.fr

(I cleared the cache)

buddy (Expert, Free fibre subscriber, Alpes Maritimes (06))
Reply #49, 3 February 2019 at 17:35:45
For me it stays on TLS 1.0 under Firefox 65.0 64-bit...
If I disable TLS 1.0 I get an error message:
Quote:
Une erreur est survenue pendant une connexion à particuliers.secure.lcl.fr. Le pair utilise une version non gérée du protocole de sécurité. Code d’erreur : SSL_ERROR_UNSUPPORTED_VERSION

Does it still work for you if you disable TLS 1.0 in the Firefox config? https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/#FF

lechercheur123 (Expert, AS2027 MilkyWan, Montauban (82))
Reply #50, 3 February 2019 at 17:38:28
Me too, I only get TLSv1 (under Firefox 65.0):

lechercheur123 (Expert, AS2027 MilkyWan, Montauban (82))
Reply #51, 3 February 2019 at 17:55:41
Quote (vivien, reply #48):
Same here, I get TLS 1.2 on https://particuliers.secure.lcl.fr with Firefox.

Yet the various analysis tools do not see TLS 1.2:
- https://tls.imirhil.fr/https/particuliers.secure.lcl.fr
- https://www.ssllabs.com/ssltest/analyze.html?d=particuliers.secure.lcl.fr

(I cleared the cache)

All this is strange. The TTL of particuliers.secure.lcl.fr is 10 min; are we sure we are all connecting to the same server? (mine has the IP 158.191.169.222)

Otherwise, via openssl:

paul@paul-TERRA-MOBILE-1542:~$ openssl s_client -connect particuliers.secure.lcl.fr:443 -tls1_2
CONNECTED(00000005)
140304432968768:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 58 bytes and written 236 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1549212586
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Whereas:
paul@paul-TERRA-MOBILE-1542:~$ openssl s_client -connect particuliers.secure.lcl.fr:443 -tls1                             
CONNECTED(00000005)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
verify return:1
depth=0 serialNumber = 954 509 741 00011, jurisdictionC = FR, businessCategory = Private Organization, C = FR, postalCode = 69002, ST = RHONE, L = LYON, street = 18 RUE DE LA REPUBLIQUE, O = CREDIT LYONNAIS SA, OU = PRT/SQ, OU = COMODO EV SSL, CN = particuliers.secure.lcl.fr
verify return:1
---
Certificate chain
 0 s:serialNumber = 954 509 741 00011, jurisdictionC = FR, businessCategory = Private Organization, C = FR, postalCode = 69002, ST = RHONE, L = LYON, street = 18 RUE DE LA REPUBLIQUE, O = CREDIT LYONNAIS SA, OU = PRT/SQ, OU = COMODO EV SSL, CN = particuliers.secure.lcl.fr
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
 3 s:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
Server certificate
[...]
subject=serialNumber = 954 509 741 00011, jurisdictionC = FR, businessCategory = Private Organization, C = FR, postalCode = 69002, ST = RHONE, L = LYON, street = 18 RUE DE LA REPUBLIQUE, O = CREDIT LYONNAIS SA, OU = PRT/SQ, OU = COMODO EV SSL, CN = particuliers.secure.lcl.fr

issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: MD5-SHA1
Peer signature type: RSA
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 6779 bytes and written 337 bytes
Verification: OK
---
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 5D8624C8A732E854D08CEB1F04D7046F33090270A9E8F615A383EF70095869F1
    Session-ID-ctx:
    Master-Key: F12BE82024B9032F3B00DE2B2DA1346928F4004E0DF5F892F206711FF790EBE34C0072750B094EE727E2D26E6E315ABF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    Start Time: 1549212565
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

vivien (Administrator)
Reply #52, 3 February 2019 at 18:02:15
With OpenSSL 1.1.1 it is fine in TLS 1.2 with the IP 158.191.169.222 (no IPv6 and a single IPv4 in DNS):

$ openssl version
OpenSSL 1.1.1  11 Sep 2018

$ openssl s_client -connect 158.191.169.222:443 -tls1_2
CONNECTED(00000005)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
verify return:1
depth=0 serialNumber = 954 509 741 00011, jurisdictionC = FR, businessCategory = Private Organization, C = FR, postalCode = 69002, ST = RHONE, L = LYON, street = 18 RUE DE LA REPUBLIQUE, O = CREDIT LYONNAIS SA, OU = PRT/SQ, OU = COMODO EV SSL, CN = particuliers.secure.lcl.fr
verify return:1
---
Certificate chain
 0 s:serialNumber = 954 509 741 00011, jurisdictionC = FR, businessCategory = Private Organization, C = FR, postalCode = 69002, ST = RHONE, L = LYON, street = 18 RUE DE LA REPUBLIQUE, O = CREDIT LYONNAIS SA, OU = PRT/SQ, OU = COMODO EV SSL, CN = particuliers.secure.lcl.fr
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
 3 s:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
Server certificate
[...]
subject=serialNumber = 954 509 741 00011, jurisdictionC = FR, businessCategory = Private Organization, C = FR, postalCode = 69002, ST = RHONE, L = LYON, street = 18 RUE DE LA REPUBLIQUE, O = CREDIT LYONNAIS SA, OU = PRT/SQ, OU = COMODO EV SSL, CN = particuliers.secure.lcl.fr

issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6571 bytes and written 344 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E637B6698B8CEC120FDB824BC68972A83278AABFCF8E995251B470D261E9F8D2
    Session-ID-ctx:
    Master-Key: 5488CC26FA0508AE6299685431752F46D6587FD5EDB17A32CF9853703B4192E6F578BA8EE70D3638A8AB81FD6BC0ADEB
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1549213355
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

It also works with the domain name...

If I force TLS 1.3, then it does not work:
$ openssl s_client -connect 158.191.169.222:443 -tls1_3
CONNECTED(00000005)
140127430669376:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 239 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Note: I am using Ubuntu 18.10


I just tested with Ubuntu 16.04 (with OpenSSL 1.0.2g 1 Mar 2016): it is also OK for TLS 1.2.

lechercheur123 (Expert, AS2027 MilkyWan, Montauban (82))
Reply #53, 3 February 2019 at 18:25:25
Tested under Kubuntu 18.10, with OpenSSL 1.1.1 11 Sep 2018, on my PC (in Montréal):

paul@paul-TERRA-MOBILE-1542:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="18.10 (Cosmic Cuttlefish)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.10"
VERSION_ID="18.10"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=cosmic
UBUNTU_CODENAME=cosmic
paul@paul-TERRA-MOBILE-1542:~$ openssl version
OpenSSL 1.1.1  11 Sep 2018
paul@paul-TERRA-MOBILE-1542:~$ openssl s_client -connect particuliers.secure.lcl.fr:443 -tls1_2
CONNECTED(00000005)
140200384615488:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 58 bytes and written 236 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1549214474
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

On my server under Debian 9, with OpenSSL 1.1.1a 20 Nov 2018 (in France, at home):

paul@host1:~$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
paul@host1:~$ openssl version
OpenSSL 1.1.1a  20 Nov 2018
paul@host1:~$ openssl s_client -connect particuliers.secure.lcl.fr:443 -tls1_2
CONNECTED(00000003)
139926593349184:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1940:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 58 bytes and written 236 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1549214621
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

I don't get it...

Harvester (Free fibre subscriber, Freebox Révolution - Limours (91))
Reply #54, 3 February 2019 at 19:15:28
Nmap with the ssl-enum-ciphers script (https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html) does list TLS 1.2 as supported, with the right IP address:

nmap --script ssl-enum-ciphers -p 443 particuliers.secure.lcl.fr

Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-03 19:11 CET
Nmap scan report for particuliers.secure.lcl.fr (158.191.169.222)
Host is up (0.012s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 5.10 seconds

And I do connect in TLS 1.2 with OpenSSL 1.1.1, even without the -tls1_2 flag.

lechercheur123 (Expert, AS2027 MilkyWan, Montauban (82))
Reply #55, 3 February 2019 at 19:45:39
Still the same for me:

paul@paul-TERRA-MOBILE-1542:~$ nmap --script ssl-enum-ciphers -p 443 particuliers.secure.lcl.fr

Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-03 13:40 EST
Nmap scan report for particuliers.secure.lcl.fr (158.191.169.222)
Host is up (0.11s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: D

Nmap done: 1 IP address (1 host up) scanned in 6.88 seconds

It is the same whether I go through the domain name or the IP address. And for OpenSSL without -tls1_2, still the same:

paul@paul-TERRA-MOBILE-1542:~$ openssl s_client -connect particuliers.secure.lcl.fr:443
CONNECTED(00000005)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
verify return:1
depth=0 serialNumber = 954 509 741 00011, jurisdictionC = FR, businessCategory = Private Organization, C = FR, postalCode = 69002, ST = RHONE, L = LYON, street = 18 RUE DE LA REPUBLIQUE, O = CREDIT LYONNAIS SA, OU = PRT/SQ, OU = COMODO EV SSL, CN = particuliers.secure.lcl.fr
verify return:1
---
Certificate chain
 0 s:serialNumber = 954 509 741 00011, jurisdictionC = FR, businessCategory = Private Organization, C = FR, postalCode = 69002, ST = RHONE, L = LYON, street = 18 RUE DE LA REPUBLIQUE, O = CREDIT LYONNAIS SA, OU = PRT/SQ, OU = COMODO EV SSL, CN = particuliers.secure.lcl.fr
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
 3 s:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
Server certificate
[...]
subject=serialNumber = 954 509 741 00011, jurisdictionC = FR, businessCategory = Private Organization, C = FR, postalCode = 69002, ST = RHONE, L = LYON, street = 18 RUE DE LA REPUBLIQUE, O = CREDIT LYONNAIS SA, OU = PRT/SQ, OU = COMODO EV SSL, CN = particuliers.secure.lcl.fr

issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: MD5-SHA1
Peer signature type: RSA
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 6779 bytes and written 526 bytes
Verification: OK
---
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: FD44E9F698E559E79861CF3DE36273CCC2B208CD4D1C972E90B5BDE48AD287C5
    Session-ID-ctx:
    Master-Key: 7274EF0766B6E806B09F0C075BEB7F10F0686095FEB1FD326A0AB78C7E41A1265962FD005FC75FFA685ADB388E4C69C4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    Start Time: 1549219459
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

And why do we see this:

New, SSLv3, Cipher is DHE-RSA-AES256-SHA

whereas:

SSL-Session:
    Protocol  : TLSv1

lechercheur123 (Expert, AS2027 MilkyWan, Montauban (82))
Reply #56, 3 February 2019 at 19:59:27
Same on Windows on the same PC (I dual boot): I only have TLS 1.0 available (tested with Firefox 65.0 and Chrome 72.0.3626.81).

vivien (Administrator)
Reply #57, 3 February 2019 at 20:13:48
ISP Orange: TLS 1.0

$ lsb_release -d
Description: Ubuntu 18.04.1 LTS
$ openssl version
OpenSSL 1.1.0g  2 Nov 2017
$ openssl s_client -connect 158.191.169.222:443 -tls1_2
CONNECTED(00000003)
139974363558336:error:1417118C:SSL routines:tls_process_server_hello:version too low:../ssl/statem/statem_clnt.c:917:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 58 bytes and written 183 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1549220613
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

ISP Bouygues Telecom: TLS 1.2

$ lsb_release -d
Description: Ubuntu 18.04.1 LTS
vgu@ubuntu:~$ openssl version
OpenSSL 1.1.0g  2 Nov 2017
vgu@ubuntu:~$ openssl s_client -connect 158.191.169.222:443 -tls1_2
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
verify return:1
depth=0 serialNumber = 954 509 741 00011, jurisdictionC = FR, businessCategory = Private Organization, C = FR, postalCode = 69002, ST = RHONE, L = LYON, street = 18 RUE DE LA REPUBLIQUE, O = CREDIT LYONNAIS SA, OU = PRT/SQ, OU = COMODO EV SSL, CN = particuliers.secure.lcl.fr
verify return:1
---
Certificate chain
 0 s:/serialNumber=954 509 741 00011/jurisdictionC=FR/businessCategory=Private Organization/C=FR/postalCode=69002/ST=RHONE/L=LYON/street=18 RUE DE LA REPUBLIQUE/O=CREDIT LYONNAIS SA/OU=PRT/SQ/OU=COMODO EV SSL/CN=particuliers.secure.lcl.fr
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Extended Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Extended Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
[...]

SFR and other ISPs are on TLS 1.2.

So I think there are two distinct servers answering on the same IP, depending on where the packets come from.
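As an added example (my code, not anything posted in this thread), the following Python script parses the `openssl s_client` transcripts pasted above and compares what two vantage points negotiated against the same IP, which is the comparison behind the two-servers hypothesis; it also covers the question from reply #55, since "New, SSLv3, Cipher is ..." names the oldest protocol version the cipher suite can run under (OpenSSL reports every pre-TLS 1.2 suite as SSLv3), while "Protocol :" is the negotiated version. The sample transcripts are abridged copies of the thread's own output, and the `Handshake`, `parse_s_client`, `assess` and `same_backend` names and the weakness rules are my own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed test input: abridged copies of three transcripts from this thread.
ORANGE_TLS12 = """\
CONNECTED(00000003)
139974363558336:error:1417118C:SSL routines:tls_process_server_hello:version too low:../ssl/statem/statem_clnt.c:917:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""
BOUYGUES_TLS12 = """\
CONNECTED(00000003)
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""
FREE_DEFAULT = """\
CONNECTED(00000005)
Peer signing digest: MD5-SHA1
Server Temp Key: DH, 1024 bits
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
"""

@dataclass
class Handshake:
    ok: bool = False
    error: Optional[str] = None           # OpenSSL error text, e.g. "unsupported protocol"
    protocol: Optional[str] = None        # negotiated version, set only on success
    cipher: Optional[str] = None
    # "New, SSLv3, Cipher is ..." names the oldest protocol the suite can run under
    # (pre-TLS 1.2 suites are reported as SSLv3); it is not the negotiated version.
    cipher_version: Optional[str] = None
    temp_key: Optional[str] = None        # "DH, 1024 bits" or "ECDH, P-256, 256 bits"
    signing_digest: Optional[str] = None  # "MD5-SHA1" before TLS 1.2, a real hash after
    pubkey_bits: Optional[int] = None

def _grab(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text, re.M)
    return m.group(1).strip() if m else None

def parse_s_client(text: str) -> Handshake:
    """Pull the fields that matter out of an `openssl s_client` transcript."""
    h = Handshake()
    h.error = _grab(r"error:[0-9A-Fa-f]+:SSL routines:\w+:([^:]+):", text)
    new_line = re.search(r"^New, (\S+), Cipher is (\S+)", text, re.M)
    if new_line:
        h.cipher_version, h.cipher = new_line.group(1), new_line.group(2)
    h.ok = h.error is None and h.cipher not in (None, "(NONE)")
    if h.ok:
        # On a failed handshake the "Protocol :" line merely echoes what the client
        # asked for (TLSv1.2 with -tls1_2), so it is only meaningful on success.
        h.protocol = _grab(r"^\s*Protocol\s*:\s*(\S+)", text)
    h.temp_key = _grab(r"^Server Temp Key: (.+)$", text)
    h.signing_digest = _grab(r"^Peer signing digest: (\S+)", text)
    bits = _grab(r"^Server public key is (\d+) bit", text)
    h.pubkey_bits = int(bits) if bits else None
    return h

def assess(h: Handshake) -> List[str]:
    """Defender-side findings, in the spirit of nmap's ssl-enum-ciphers warnings."""
    if not h.ok:
        return [f"handshake failed: {h.error or 'no cipher negotiated'}"]
    findings = []
    if h.protocol in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"legacy protocol {h.protocol} negotiated")
    kx = re.match(r"(DH|ECDH)(?:, [^,]+)?, (\d+) bits", h.temp_key or "")
    if kx and kx.group(1) == "DH" and h.pubkey_bits and int(kx.group(2)) < h.pubkey_bits:
        findings.append(f"ephemeral DH {kx.group(2)}-bit is weaker than the "
                        f"{h.pubkey_bits}-bit certificate key")
    if h.signing_digest == "MD5-SHA1":
        findings.append("ServerKeyExchange signed with MD5-SHA1 (pre-TLS 1.2 signature)")
    if any(weak in (h.cipher or "") for weak in ("3DES", "DES-CBC3", "RC4")):
        findings.append(f"weak cipher {h.cipher}")
    return findings

def same_backend(a: Handshake, b: Handshake) -> bool:
    """Two probes of one IP with identical client options should agree; if they do
    not, different server stacks answer depending on where the packets come from."""
    def key(h: Handshake):
        return (h.ok, h.protocol, h.cipher, h.temp_key, h.signing_digest)
    return key(a) == key(b)

if __name__ == "__main__":
    for name, txt in (("Orange", ORANGE_TLS12), ("Bouygues", BOUYGUES_TLS12), ("Free", FREE_DEFAULT)):
        print(name, assess(parse_s_client(txt)))
    print("same backend:", same_backend(parse_s_client(ORANGE_TLS12), parse_s_client(BOUYGUES_TLS12)))
```

To compare your own vantage point, paste the raw `openssl s_client -connect 158.191.169.222:443 -tls1_2` output into a string and feed it to `parse_s_client`.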

Mathieu76 (Free VDSL subscriber, Rouen (76))
Reply #58, 3 February 2019 at 20:29:46
At Free with Ubuntu 18.10:

openssl s_client -connect 158.191.169.222:443 -tls1_2
CONNECTED(00000005)
140668014806080:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 58 bytes and written 225 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1549221974
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Same on Chrome, TLS 1.0 only.

darkmoon (Free fibre subscriber, ↓ 5 Gbps | ↑ 700 Mbps (SGL 69))
Reply #59, 3 February 2019 at 20:34:16
Well, I am with Orange:

root@Freeze:[~] > tcptraceroute 158.191.169.222 80
Selected device enp0s3, address 192.168.0.12, port 57695 for outgoing packets
Tracing the path to 158.191.169.222 on TCP port 80 (http), 30 hops max
 1  192.168.0.1  0.932 ms  0.793 ms  0.644 ms
 2  80.10.xxx.xxx  2.595 ms  1.857 ms  1.705 ms
 3  ae108-0.nclyo201.Lyon3eArrondissement.francetelecom.net (193.253.87.194)  6.547 ms  1.737 ms  2.044 ms
 4  ae42-0.nrlyo201.Lyon3eArrondissement.francetelecom.net (193.252.101.234)  2.517 ms  2.768 ms  1.432 ms
 5  ae42-0.nridf101.Paris3eArrondissement.francetelecom.net (193.252.101.214)  7.962 ms  8.426 ms  7.741 ms
 6  ae42-0.ncidf103.Puteaux.francetelecom.net (193.252.98.93)  8.507 ms  7.726 ms  7.865 ms
 7  lag-1.nmidf105.Puteaux.francetelecom.net (193.249.212.1)  7.684 ms  8.199 ms  7.938 ms
 8  193.252.137.222  7.644 ms  8.271 ms  8.174 ms
 9  * * *
10  * * *
11  90.81.45.254  10.664 ms  10.503 ms  9.340 ms
12  37-93.83-90.static-ip.oleane.fr (90.83.93.37)  19.045 ms  57.126 ms  14.731 ms
13  * * *
14  158.191.172.3  10.288 ms  10.006 ms  9.805 ms
15  158.191.169.222 [open]  10.070 ms * 10.173 ms

moon@Freeze:[~] > openssl version
OpenSSL 1.1.1a  20 Nov 2018

And yet:
moon@Freeze:[~] > openssl s_client -connect 158.191.169.222:443 -tls1_2
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
verify return:1
depth=0 serialNumber = 954 509 741 00011, jurisdictionC = FR, businessCategory = Private Organization, C = FR, postalCode = 69002, ST = RHONE, L = LYON, street = 18 RUE DE LA REPUBLIQUE, O = CREDIT LYONNAIS SA, OU = PRT/SQ, OU = COMODO EV SSL, CN = particuliers.secure.lcl.fr
verify return:1
---
Certificate chain
 0 s:serialNumber = 954 509 741 00011, jurisdictionC = FR, businessCategory = Private Organization, C = FR, postalCode = 69002, ST = RHONE, L = LYON, street = 18 RUE DE LA REPUBLIQUE, O = CREDIT LYONNAIS SA, OU = PRT/SQ, OU = COMODO EV SSL, CN = particuliers.secure.lcl.fr
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
 3 s:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
Server certificate
[...]