Hi, not sure if this is the right place to ask this, but someone may have had experience of it.
I am trying to run Drone behind a Squid caching proxy (on git.local-domain:3128). I have it set up using ssl_bump with a self-signed certificate (CA_crt.pem); however, it fails to pull images from the Docker repository with:
Error response from daemon: Get https://registry-1.docker.io/v2/: remote error: tls: handshake failure
I know my self-signed certificate works in other contexts, e.g. I can get yarn to use it with
cafile "/CA_crt.pem"
proxy "http://git.local-domain:3128"
If I run a docker:dind container without getting it to trust the self-signed CA and pull, then I get a TLS error (as expected), and running openssl -showcerts indicates the problem: (CN = MyCA) shows the certificate is my proxy's, NOT Docker's, and it's not trusted.
$ docker run -d --privileged -e HTTPS_PROXY=http://git.local-domain:3128 -e HTTP_PROXY=http://git.local-domain:3128 docker:dind
59a275cbbf8ed04e824d5be3ac14e9f3257eedb5a1b8b92399a006de6c1ff1cb
$ docker exec 59a275cbbf8ed04e824d5be3ac14e9f3257eedb5a1b8b92399a006de6c1ff1cb docker pull hello-world
Using default tag: latest
Error response from daemon: Get https://registry-1.docker.io/v2/: remote error: tls: handshake failure
$ docker exec 59a275cbbf8ed04e824d5be3ac14e9f3257eedb5a1b8b92399a006de6c1ff1cb openssl s_client -proxy git.local-domain:3128 -connect registry-1.docker.io:443 -showcerts
CONNECTED(00000003)
depth=1 C = US, ST = California, L = Mountain View, O = Google, OU = Enterprise, CN = MyCA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, ST = California, L = Mountain View, O = Google, OU = Enterprise, CN = MyCA
verify return:1
depth=0 CN = registry-1.docker.io
verify return:1
DONE
---
Certificate chain
0 s:CN = registry-1.docker.io
i:C = US, ST = California, L = Mountain View, O = Google, OU = Enterprise, CN = MyCA
1 s:C = US, ST = California, L = Mountain View, O = Google, OU = Enterprise, CN = MyCA
i:C = US, ST = California, L = Mountain View, O = Google, OU = Enterprise, CN = MyCA
---
Server certificate
subject=CN = registry-1.docker.io
issuer=C = US, ST = California, L = Mountain View, O = Google, OU = Enterprise, CN = MyCA
---
No client certificate CA names sent
---
SSL handshake has read 2110 bytes and written 681 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: 51E1530A1181D8CD4DD2DCCCC2B5C85705DD69426E4370FE77D296791312CF5E
Session-ID-ctx:
Master-Key: B453B6DFF9B306A254333F067DC5B995AF1051D574FCBF75C7E936B6DA6049508EF52C2BC8323BB1DFEB4F6A14B26C27
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
Start Time: 1596698241
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: no
So I build an image that should trust the certificate with the following Dockerfile:
FROM docker:dind
COPY CA_crt.pem /usr/local/share/ca-certificates/CA_crt.crt
RUN update-ca-certificates
Now, with the above commands, docker still fails to pull with a TLS failure, but openssl is indicating that the certificate IS trusted. It seems that docker isn't picking up the trust I established with update-ca-certificates.
Here's what I get running with my new image:
$ docker run -d --privileged -e HTTPS_PROXY=http://git.local-domain:3128 -e HTTP_PROXY=http://git.local-domain:3128 new:image4
fc767d7029dc8477def8e335c69ae39490433f5e65e9bce6da86d6854ff4a2e3
$ docker exec fc767d7029dc8477def8e335c69ae39490433f5e65e9bce6da86d6854ff4a2e3 openssl s_client -proxy git.local-domain:3128 -connect registry-1.docker.io:443 -showcerts
CONNECTED(00000003)
depth=1 C = US, ST = California, L = Mountain View, O = Google, OU = Enterprise, CN = MyCA
verify return:1
depth=0 CN = registry-1.docker.io
verify return:1
---
Certificate chain
0 s:CN = registry-1.docker.io
i:C = US, ST = California, L = Mountain View, O = Google, OU = Enterprise, CN = MyCA
DONE
1 s:C = US, ST = California, L = Mountain View, O = Google, OU = Enterprise, CN = MyCA
i:C = US, ST = California, L = Mountain View, O = Google, OU = Enterprise, CN = MyCA
---
Server certificate
subject=CN = registry-1.docker.io
issuer=C = US, ST = California, L = Mountain View, O = Google, OU = Enterprise, CN = MyCA
---
No client certificate CA names sent
---
SSL handshake has read 2110 bytes and written 681 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: 1BBB73CCDA9BBC3D831D777BD1BA9DED25FEBEC23242C713401069D3705275D1
Session-ID-ctx:
Master-Key: E6C3C6F34AE6845239B1DCE4D185085474BAB54058FDBF8C86A6B0A0A419FAB4E7ABBC16B98C1DD257233A1C9745F4B3
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
Start Time: 1596698736
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
Why can't I get docker to trust the self-signed CA for the proxy?
A bit more info: when I configure my browser to use the proxy (with the PEM converted to DER) and point it at https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html I get the following protocols:
Protocol Features
Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
Cipher Suites (in order of preference)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) WEAK 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) WEAK 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) WEAK 256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0xa3) Forward Secrecy2 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) WEAK 256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x6a) WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) WEAK 256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38) WEAK 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) WEAK 256
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x87) WEAK 256
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032) 256
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e) 256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a) WEAK 256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026) WEAK 256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f) WEAK 256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005) WEAK 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) WEAK 128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) WEAK 128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) WEAK 128
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0xa2) Forward Secrecy2 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) Forward Secrecy 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) WEAK 128
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x40) WEAK 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) WEAK 128
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32) WEAK 128
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a) WEAK 128
TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x99) WEAK 128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) WEAK 128
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x44) WEAK 128
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031) 128
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d) 128
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029) WEAK 128
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025) WEAK 128
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) WEAK 128
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) WEAK 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_SEED_CBC_SHA (0x96) WEAK 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK 128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) INSECURE 128
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) INSECURE 128
TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c) INSECURE 128
TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002) INSECURE 128
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) WEAK 112
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) WEAK 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) WEAK 112
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13) WEAK 112
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d) WEAK 112
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003) WEAK 112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff)
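The Docker daemon is a Go program, and Go words an alert received from the peer as `remote error: tls: ...`, while a CA missing from the local trust store surfaces as an `x509:` error. The following is an added example, not part of the original post, that reproduces both outcomes against a throwaway local server so the two can be told apart. The cipher-suite mismatch is only one assumed way to make a peer send such an alert, and `classify`, `probe`, `aes256` and `aes128` are illustrative names.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http/httptest"
	"strings"
)

// Two TLS 1.2 suites that differ only in AES key size (chosen for illustration).
const aes256 = tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
const aes128 = tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

// classify maps a Go TLS handshake error to the side that rejected the handshake.
func classify(err error) string {
	switch {
	case err == nil:
		return "ok"
	case strings.Contains(err.Error(), "remote error: tls:"):
		return "peer-alert" // the other end sent a TLS alert and aborted
	case strings.Contains(err.Error(), "x509:"):
		return "local-trust" // this client rejected the certificate chain
	}
	return "other"
}

// probe starts a local TLS 1.2 test server that accepts only aes256 and
// handshakes with it; trustCA and suite are the client-side settings under test.
func probe(trustCA bool, suite uint16) string {
	srv := httptest.NewUnstartedServer(nil)
	srv.TLS = &tls.Config{MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{aes256}}
	srv.StartTLS()
	defer srv.Close()
	pool := x509.NewCertPool() // an empty pool stands for "CA not installed"
	if trustCA {
		pool.AddCert(srv.Certificate())
	}
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{
		RootCAs: pool, MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{suite}})
	if err == nil {
		conn.Close()
	}
	return classify(err)
}

func main() {
	fmt.Println(probe(false, aes256), probe(true, aes128), probe(true, aes256))
}
```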