authorPeter Wu <lekensteyn@gmail.com>2013-09-15 15:50:25 +0200
committerPeter Wu <lekensteyn@gmail.com>2013-09-15 15:50:25 +0200
commit68895b06916fa6d745173ef1d5b918241cdbe7f0 (patch)
treecf4c949085e1696d795b70a88e0a9d00dd6bdc47 /notes.txt
parentc3b58c0c475efb57e0b6d5423a1ff446576ceb5d (diff)
downloadwireshark-notes-68895b06916fa6d745173ef1d5b918241cdbe7f0.tar.gz
Update notes, fixing typos and update ciphers list
Diffstat (limited to 'notes.txt')
-rw-r--r--notes.txt64
1 files changed, 36 insertions, 28 deletions
diff --git a/notes.txt b/notes.txt
index 046a0a5..ef0f7f3 100644
--- a/notes.txt
+++ b/notes.txt
@@ -40,8 +40,8 @@ awk 'BEGIN{while(getline<"fail"){if(/ACCEPT/){n=$1}else if(/error/){fails[n]=1}}
# convert CipherSuite from RFC to code
xsel | ./generate-wireshark-cs | sed s/{/,/ | sort -t, -n -k2,2 | sed s/,/{/
# check for differences between existing ciphers and new ones from X clipboard
-ssort(){ sed s/{/,/ | sort -t, -k2,2 | sed s/,/{/; }
-grep ,KEX_ packet-ssl-utils.c | ssort > 1;(cat 1; xsel) | sort -t} -u | ssort > 2; colordiff -u 1 2
+ssort(){ sed s/{/,/ | sort -n -t, -k2,2 | sed s/,/{/; }
+grep ,KEX_ packet-ssl-utils.c | ssort > 1;(cat 1; xsel) | sort -k1,1 -t} -u | ssort > 2; colordiff -u 1 2
# dump CLIENT_RANDOM for every cipher
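Review bot: The added comparison line still writes its intermediate lists to fixed files named `1` and `2` in the current directory, so a run silently overwrites anything already there and leaves clipboard-derived data behind. A private scratch directory avoids both: `t=$(mktemp -d)`, redirect to `"$t/1"` and `"$t/2"`, and finish with `colordiff -u "$t/1" "$t/2"; rm -r -- "$t"`. The sed scripts and the `}` separator in `ssort` and in `sort -k1,1 -t} -u` are unquoted; they survive the shell as written, but `sed 's/{/,/'` and `sort -t'}'` would not depend on how the shell treats braces. The new `-n` on field 2 presumably assumes the suite numbers in packet-ssl-utils.c are decimal, since hex literals would all compare as 0, so a short comment stating that would help.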
@@ -58,12 +58,34 @@ rm ok.txt nok.txt;time while read url; do cipher="${url%%.*}";cipher="${cipher##
# same test, but using openssl instead of curl
for url in $(cat res/ok.txt); do host="${url##*/}"; echo;echo;echo _____ $host;(printf "GET / HTTP/1.1\r\nHost: $host\r\n\r\n";sleep .2) | openssl s_client -connect "$host" -CApath /etc/nginx/certs; done 2>&1 | tee s_client-all-res-ok.txt
-# filter non-working ciphers (missing certs)
-grep -vE '^(PSK|SRP|DHE-DSS|ECDHE-ECDSA|ECDH)-'
-Non-working ciphers can be grouped into:
-- DHE-DSS, EDH-DSS, EXP-EDH-DSS
-- ECDHE-ECDSA
+The following OpenSSL cipher suites do not connect to nginx:
+EXP-EDH-DSS-DES-CBC-SHA
+EXP-EDH-RSA-DES-CBC-SHA
+PSK-RC4-SHA
+PSK-3DES-EDE-CBC-SHA
+PSK-AES128-CBC-SHA
+PSK-AES256-CBC-SHA
+ECDH-RSA-RC4-SHA
+ECDH-RSA-DES-CBC3-SHA
+ECDH-RSA-AES128-SHA
+ECDH-RSA-AES256-SHA
+SRP-RSA-3DES-EDE-CBC-SHA
+SRP-DSS-3DES-EDE-CBC-SHA
+SRP-RSA-AES-128-CBC-SHA
+SRP-DSS-AES-128-CBC-SHA
+SRP-RSA-AES-256-CBC-SHA
+SRP-DSS-AES-256-CBC-SHA
+ECDH-RSA-AES128-SHA256
+ECDH-RSA-AES256-SHA384
+ECDH-RSA-AES128-GCM-SHA256
+ECDH-RSA-AES256-GCM-SHA384
+
+Groupable to:
+- EXP-EDH-{DSS,RSA}
+- PSK
+- ECDH-RSA
+- SRP
Not supported by GnuTLS (source:
http://backreference.org/2009/11/18/openssl-vs-gnutls-cipher-names/)
@@ -71,27 +93,13 @@ http://backreference.org/2009/11/18/openssl-vs-gnutls-cipher-names/)
- PSK (Pre-Shared Key)
- ECDH-{RSA,ECDSA} (not ECDHE-RSA) (source: wikipedia)
-
-Missing support:
-- GCM
-0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
-0x00,0x9F DHE-RSA-AES256-GCM-SHA384
-0x00,0x9D AES256-GCM-SHA384
-0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
-0x00,0x9E DHE-RSA-AES128-GCM-SHA256
-0x00,0x9C AES128-GCM-SHA256
-- ECDHE-RSA
-0xC0,0x13 ECDHE-RSA-AES128-SHA
-0xC0,0x14 ECDHE-RSA-AES256-SHA
-0xC0,0x12 ECDHE-RSA-DES-CBC3-SHA
-
-(not tested: DSS)
-- cipher suites from `RFC 5246 - TLS 1.2` are verified with the script
-- cipher suites 150-155 are taken from: RFC 4162 - SEED for TLS
-- cipher suites 156-167 are taken from: RFC 5288 - AES-GCM Cipher suites
-- cipher suites 49153-49177 are taken from: RFC 4492 - ECC for TLS
-- cipher suites 49195-49202 are taken from RFC 5289 - ECC with
- SHA256/384 and AES GCM
+Missing cipher suite support (from
+http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4):
+- SRP
+- KRB5
+- PSK
+- ARIA
+- mode CCM
# Generate RSA stuff
openssl genrsa -out server.pem