Cipher Suites (sorted by strength as the server has no preference; deprecated and SSL 2 suites at the end)
TLS_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
I’ve managed to track this down further for anyone curious. It’s an issue with OpenSSL. 1.0.x seems to work and 1.1.x seems to not. it looks like there’s a change where the weak ciphers and other such stuff is making it hard fail without actually connecting. Still looking into what I can do about this (aside from doing everything in a VM or downgrading openssl)
I suspect this may be related to https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html. Unfortunately, SSL_CTX_set_security_level is not even exposed in cryptography yet, so attempting a fix isn’t entirely trivial. One would need to add SSL_CTX_set_security_level to cryptography here, recompile cryptography, and then call set_security_level in mitmproxy somewhere around here to check if this is the actual root cause. Of course, downgrading OpenSSL is easier.
I could definitely see that helping in some cases. I finally got it working by using an older openssl as it appears the 1.1.0 shipped with debian is nerfed at compile time to not allow it to connect to a site configured like that. The way I went was to setup python 3.6 with pyenv on Debian Jessie without jessie-backports. I think this’ll be such a niche problem that it’s not worth time to try to work around in the project. Nobody sane should be running a site like they do (it uses FRAMES for gods sake… ). Now I’ve just got to write a tool to dump things into a directory structure like I want now that I’ve got all the data I need to make a proper offline manual.
). Now I’ve just got to write a tool to dump things into a directory structure like I want now that I’ve got all the data I need to make a proper offline manual.