[Pidgin] #17014: Need info about what ciphers I should anable to connect to Lync/Skype for Business server

Wed May 18 12:33:29 EDT 2016

#17014: Need info about what ciphers I should anable to connect to Lync/Skype for
Business server
-------------------------+----------------------
 Reporter:  Gannet       |      Owner:  EionRobb
     Type:  enhancement  |     Status:  new
Milestone:  2.10.13      |  Component:  plugins
  Version:  2.10.12      |   Keywords:
-------------------------+----------------------
 I'm trying to connect to corporate Skype for Business server
 (XEUCCWeb01.bpglobal.com:443) but it seems it uses only TLS1 to connect
 and also some specific Cipher, but how can I identify what exact Cipher
 should I enable in NSS plugin to connect to it?

 {{{
 $ openssl s_client -connect XEUCCWeb01.bpglobal.com:443 -state -tls1
 CONNECTED(00000003)
 SSL_connect:before/connect initialization
 SSL_connect:unknown state
 SSL_connect:unknown state
 depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref.
 (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net
 Certification Authority (2048)
 verify return:1
 depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms,
 OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust
 Certification Authority - L1K
 verify return:1
 depth=0 C = GB, ST = NA, L = Uxbridge, O = BP p.l.c., CN =
 XEUCCWeb01.bpglobal.com
 verify return:1
 SSL_connect:unknown state
 SSL_connect:unknown state
 SSL_connect:unknown state
 SSL_connect:unknown state
 SSL_connect:unknown state
 SSL_connect:unknown state
 SSL_connect:unknown state
 ---
 Certificate chain
  0 s:/C=GB/ST=NA/L=Uxbridge/O=BP p.l.c./CN=XEUCCWeb01.bpglobal.com
    i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012
 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority
 - L1K
  1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012
 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority
 - L1K
    i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
 liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification
 Authority (2048)
 ---
 Server certificate
 -----BEGIN CERTIFICATE-----
 MIIFHzCCBAegAwIBAgIEUNJK9jANBgkqhkiG9w0BAQsFADCBujELMAkGA1UEBhMC
 VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
 cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDEyIEVudHJ1c3Qs
 IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwGA1UEAxMlRW50cnVz
 dCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxSzAeFw0xNDEwMzAxMzM5NDFa
 Fw0xNjEwMjkyMTIyNDZaMGMxCzAJBgNVBAYTAkdCMQswCQYDVQQIEwJOQTERMA8G
 A1UEBxMIVXhicmlkZ2UxEjAQBgNVBAoTCUJQIHAubC5jLjEgMB4GA1UEAxMXWEVV
 Q0NXZWIwMS5icGdsb2JhbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
 AoIBAQDR9fNeU4Q3i+FNimiCyGwYCQFoqxnqM1E8I+QYA/xyXf9fnRBKvV2vqBBp
 Ot3Ezr8bdtLm9NvYyppwENToN4aUScpjsQwHNAFgrEFvO3Xfr2RQkFeQoNafenIr
 3RLMweVwqkvnON3kAHdNbYil9pC1VkvFKBmoqfSoQ5l/d483vzeFAl52PVQwj3ld
 MO+j47GyqLx86+Jp0tVHXwl1aGFQf1Cky43no/87ATpvcfaZOyZJLeNCiLjmFTpY
 bCPiU7HwuSDkCs0XSJ9SZk3kDlAVgLCLOGR9aEzFjpAQ01ENeKpw7+E3uTLmF3WE
 i5kTgi1nfJGZzniXJh0pG21UTmO1AgMBAAGjggGBMIIBfTALBgNVHQ8EBAMCBaAw
 EwYDVR0lBAwwCgYIKwYBBQUHAwEwMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2Ny
 bC5lbnRydXN0Lm5ldC9sZXZlbDFrLmNybDBLBgNVHSAERDBCMDYGCmCGSAGG+mwK
 AQUwKDAmBggrBgEFBQcCARYaaHR0cDovL3d3dy5lbnRydXN0Lm5ldC9ycGEwCAYG
 Z4EMAQICMGgGCCsGAQUFBwEBBFwwWjAjBggrBgEFBQcwAYYXaHR0cDovL29jc3Au
 ZW50cnVzdC5uZXQwMwYIKwYBBQUHMAKGJ2h0dHA6Ly9haWEuZW50cnVzdC5uZXQv
 bDFrLWNoYWluMjU2LmNlcjAiBgNVHREEGzAZghdYRVVDQ1dlYjAxLmJwZ2xvYmFs
 LmNvbTAfBgNVHSMEGDAWgBSConB03bxTP8971PfNf6dgxgpMvzAdBgNVHQ4EFgQU
 SZh8MnsV1FBQDx0HMQT0+PZ2KpYwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOC
 AQEAEKD/SmYG9bkwkToFq4DnosgWRIEgPLBizBM4VjlaiDr5vYAYhNW78bXm8gOv
 j3CrPIitUtUcrn+sJbQxwsy0HRnaM3RbYSV+rYRj5j2QrNJO9YB5XvTBUxDMqSQD
 vLel7wiw1JEZBVhGHoSe0i8wiksvrU9+i1Z5UjAxEF53pPFpiej0I1oHzrdz+7mE
 7dnl1kn2o/UKybAieVUlMaUfVtjmHTL9B9SUMA4XdX575C5j2H3mMM36k2gdo1Fz
 e5gXdwTmL/9sN6dArUHPkSu7aQ6zwFF935GgxTVHPShcBf6NgWj8xClN1HA84tV6
 fSHXLGCTATHgxtaznftT+PTHsA==
 -----END CERTIFICATE-----
 subject=/C=GB/ST=NA/L=Uxbridge/O=BP p.l.c./CN=XEUCCWeb01.bpglobal.com
 issuer=/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c)
 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification
 Authority - L1K
 ---
 No client certificate CA names sent
 ---
 SSL handshake has read 2751 bytes and written 515 bytes
 ---
 New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
 Server public key is 2048 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
 No ALPN negotiated
 SSL-Session:
     Protocol  : TLSv1
     Cipher    : DES-CBC3-SHA
     Session-ID:
 CC12000081D4F90EC536A8AD1E9E7251F750C2B8522570D34B345DC435C6D126
     Session-ID-ctx:
     Master-Key:
 D2F66718593EC008A932E39D8AE3C2A0C71E938AD7B599CC6B896AECEDEA656C6963D52494A2358E6730238567426C8B
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1463588513
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
 ---
 q
 HTTP/1.1 400 Bad Request ( The data is invalid.  )
 Connection: close
 Pragma: no-cache
 Cache-Control: no-cache
 Content-Type: text/html
 Content-Length: 1946

 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
 <HTML dir=ltr><HEAD><TITLE>The page cannot be displayed</TITLE>
 <STYLE id=L_defaultr_1>A:link {
         FONT: 8pt/11pt verdana; COLOR: #ff0000
 }
 A:visited {
         FONT: 8pt/11pt verdana; COLOR: #4e4e4e
 }
 </STYLE>

 <META content=NOINDEX name=ROBOTS>
 <META http-equiv=Content-Type content="text-html; charset=UTF-8">

 <META content="MSHTML 5.50.4522.1800" name=GENERATOR></HEAD>
 <BODY bgColor=#ffffff>
 <TABLE cellSpacing=5 cellPadding=3 width=410>
   <TBODY>
   <TR>
     <TD vAlign=center align=left width=360>
       <H1 id=L_defaultr_2 style="FONT: 13pt/15pt verdana; COLOR:
 #000000"><ID id=L_defaultr_3><!--Problem-->The page cannot be displayed
 </ID></H1></TD></TR>
   <TR>
     <TD width=400 colSpan=2><FONT id=L_defaultr_4
       style="FONT: 8pt/11pt verdana; COLOR: #000000"><ID
 id=L_defaultr_5><B>Explanation: </B>There is a problem with the page you
 are trying to reach and it cannot be displayed.</ID></FONT></TD></TR>
   <TR>
     <TD width=400 colSpan=2><FONT id=L_defaultr_6
       style="FONT: 8pt/11pt verdana; COLOR: #000000">
       <HR color=#c0c0c0 noShade>

       <P id=L_defaultr_7><B>Try the following:</B></P>
       <UL>
         <LI id=L_defaultr_8><B>Refresh page:</B> Search for the page again
 by clicking the Refresh button. The timeout may have occurred due to
 Internet congestion.
 <LI id=L_defaultr_9><B>Check spelling:</B> Check that you typed the Web
 page address correctly. The address may have been mistyped.
 <LI id=L_defaultr_10><B>Access from a link:</B> If there is a link to the
 page you are looking for, try accessing the page from that link.

       </UL>
       <HR color=#c0c0c0 noShade>

       <P id=L_defaultr_11>Technical Information (for support
 personnel)</P>
       <UL>
         <LI id=L_defaultr_12>Error Code: 400 Bad Request. The data is
 invalid. (13)

         </UL></FONT></TD></TR></TBODY></TABLE></BODY></HTML>

 read:errno=0
 SSL3 alert write:warning:close notify
 }}}

 So, as seen above we've got:
 >TLSv1/SSLv3, Cipher is DES-CBC3-SHA

 But what ciphers should I enable in NSS Preferences plugin that
 corresponds to DES-CBC3-SHA to be able to connect?

 Also when I'm trying to connect I'm getting several еrrors along with the
 main 'Server is disconnected'. Please see attachment.

--
Ticket URL: <https://developer.pidgin.im/ticket/17014>
Pidgin <https://pidgin.im>
Pidgin