sslscan fails with "ERROR: Could not create CTX object."

Bug #663872 reported by Torsten Streit on 2010-10-20
This bug affects 6 people
Affects Status Importance Assigned to Milestone
sslscan (Ubuntu)

Bug Description

Binary package hint: sslscan

sslscan is listing all supported server cipher(s) but not any data of the certificate.
You can try this out with sslscan any-ssl-enabled-domain.tld; this should (and did in previous Ubuntu versions) list up the certificate details.
It doesn't by now.

Error message of sslscan output (on top of the output and at bottom):
ERROR: Could not create CTX object.

Installed & related packages:
ii libssl-dev 0.9.8o-1ubuntu4.1
ii libssl0.9.8 0.9.8o-1ubuntu4.1
ii openssl 0.9.8o-1ubuntu4.1
ii sslscan 1.8.2-1

Ubuntu Version:
maverick amd64

Complete Output:
           ___ ___| |___ ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
        Copyright Ian Ventura-Whiting 2009
ERROR: Could not create CTX object.

Testing SSL server hidden.tld on port 443

  Supported Server Cipher(s):
    Rejected SSLv3 256 bits ADH-AES256-SHA
    Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
    Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
    Accepted SSLv3 256 bits AES256-SHA
    Rejected SSLv3 128 bits ADH-AES128-SHA
    Rejected SSLv3 128 bits DHE-RSA-AES128-SHA
    Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
    Accepted SSLv3 128 bits AES128-SHA
    Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
    Rejected SSLv3 56 bits ADH-DES-CBC-SHA
    Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
    Rejected SSLv3 128 bits ADH-RC4-MD5
    Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
    Rejected SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
    Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
    Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
    Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
    Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
    Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
    Accepted SSLv3 168 bits DES-CBC3-SHA
    Rejected SSLv3 56 bits DES-CBC-SHA
    Rejected SSLv3 40 bits EXP-DES-CBC-SHA
    Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
    Accepted SSLv3 128 bits RC4-SHA
    Accepted SSLv3 128 bits RC4-MD5
    Rejected SSLv3 40 bits EXP-RC4-MD5
    Rejected SSLv3 0 bits NULL-SHA
    Rejected SSLv3 0 bits NULL-MD5
    Rejected TLSv1 256 bits ADH-AES256-SHA
    Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
    Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
    Accepted TLSv1 256 bits AES256-SHA
    Rejected TLSv1 128 bits ADH-AES128-SHA
    Rejected TLSv1 128 bits DHE-RSA-AES128-SHA
    Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
    Accepted TLSv1 128 bits AES128-SHA
    Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
    Rejected TLSv1 56 bits ADH-DES-CBC-SHA
    Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
    Rejected TLSv1 128 bits ADH-RC4-MD5
    Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
    Rejected TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
    Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
    Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
    Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
    Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
    Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
    Accepted TLSv1 168 bits DES-CBC3-SHA
    Rejected TLSv1 56 bits DES-CBC-SHA
    Rejected TLSv1 40 bits EXP-DES-CBC-SHA
    Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
    Accepted TLSv1 128 bits RC4-SHA
    Accepted TLSv1 128 bits RC4-MD5
    Rejected TLSv1 40 bits EXP-RC4-MD5
    Rejected TLSv1 0 bits NULL-SHA
    Rejected TLSv1 0 bits NULL-MD5

  Prefered Server Cipher(s):
ERROR: Could not create CTX object.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: sslscan 1.8.2-1
ProcVersionSignature: Ubuntu 2.6.35-22.35-generic
Uname: Linux 2.6.35-22-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Wed Oct 20 14:47:58 2010
 PATH=(custom, user)
SourcePackage: sslscan

Torsten Streit (ts-tstreit) wrote :

This is probably because, afaik, recent Ubuntu versions ship openssl without SSLv2 support. By default, sslscan will try SSLv2, SSLv3, and TLSv1. However, sslscan isn't expecting SSLv2 to be not available at all.

To use sslscan on recent Ubuntu versions, use the --ssl3 or --tls1 options to sslscan.

Note that you should be very careful about testing remote servers for SSLv2 support when using an Ubuntu client, including with "openssl s_client -ssl2 -connect somehost:443". Using an Ubuntu client, you may incorrectly determine that the remote server doesn't support SSLv2 when in fact it really does; it's just your client that doesn't support SSLv2.
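
The false-negative risk described in the comment above can be checked mechanically. This is an added example, not part of the original report or of sslscan: it parses sslscan output and reports a protocol as "untested" when the output has no result lines for it, instead of treating the absence as "not supported". The function name `assess` and the abridged sample are constructed for illustration.

```python
import re

# Constructed sample: abridged from the sslscan 1.8.2 output in this report.
SAMPLE = """\
ERROR: Could not create CTX object.

Testing SSL server hidden.tld on port 443

  Supported Server Cipher(s):
    Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
    Accepted SSLv3 256 bits AES256-SHA
    Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
    Accepted TLSv1 128 bits RC4-MD5

  Prefered Server Cipher(s):
ERROR: Could not create CTX object.
"""

CIPHER_LINE = re.compile(r"^\s*(Accepted|Rejected)\s+(\S+)\s+\d+ bits\s+(\S+)\s*$")
CTX_ERROR = "ERROR: Could not create CTX object."
# Protocols sslscan tries by default, per the comment above.
DEFAULT_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")


def assess(output, expected=DEFAULT_PROTOCOLS):
    """Return ({protocol: 'accepted'|'rejected'|'untested'}, ctx_error_count)."""
    seen, accepted, ctx_errors = set(), set(), 0
    for line in output.splitlines():
        if line.strip() == CTX_ERROR:
            ctx_errors += 1
            continue
        m = CIPHER_LINE.match(line)
        if m:
            status, proto, _cipher = m.groups()
            seen.add(proto)
            if status == "Accepted":
                accepted.add(proto)
    verdicts = {}
    for proto in expected:
        if proto not in seen:
            # No result lines for this protocol: not tested, so not a negative finding.
            verdicts[proto] = "untested"
        else:
            verdicts[proto] = "accepted" if proto in accepted else "rejected"
    return verdicts, ctx_errors


if __name__ == "__main__":
    print(assess(SAMPLE))
```

A protocol marked "untested" needs to be re-checked from a client whose OpenSSL build still supports it before the server is reported as not offering it.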

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sslscan (Ubuntu):
status: New → Confirmed

FriedChicken (domlyons) wrote :

On Xenial this not only fails for SSLv2 but also SSLv3.

tags: added: xenial
Changed in sslscan (Ubuntu):
importance: Undecided → Medium