From 68895b06916fa6d745173ef1d5b918241cdbe7f0 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Sun, 15 Sep 2013 15:50:25 +0200
Subject: Update notes, fixing typos and update ciphers list
---
 notes.txt | 64 +++++++++++++++++++++++++++++++++++----------------------------
 1 file changed, 36 insertions(+), 28 deletions(-)
(limited to 'notes.txt')
diff --git a/notes.txt b/notes.txt
index 046a0a5..ef0f7f3 100644
--- a/notes.txt
+++ b/notes.txt
@@ -40,8 +40,8 @@ awk 'BEGIN{while(getline<"fail"){if(/ACCEPT/){n=$1}else if(/error/){fails[n]=1}}
 # convert CipherSuite from RFC to code
 xsel | ./generate-wireshark-cs | sed s/{/,/ | sort -t, -n -k2,2 | sed s/,/{/
 # check for differences between existing ciphers and new ones from X clipboard
-ssort(){ sed s/{/,/ | sort -t, -k2,2 | sed s/,/{/; }
-grep ,KEX_ packet-ssl-utils.c | ssort > 1;(cat 1; xsel) | sort -t} -u | ssort > 2; colordiff -u 1 2
+ssort(){ sed s/{/,/ | sort -n -t, -k2,2 | sed s/,/{/; }
+grep ,KEX_ packet-ssl-utils.c | ssort > 1;(cat 1; xsel) | sort -k1,1 -t} -u | ssort > 2; colordiff -u 1 2
 # dump CLIENT_RANDOM for every cipher
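Review bot: In the new `ssort` and `grep` lines the sed scripts `s/{/,/` and `s/,/{/` and the sort delimiter `-t}` are unquoted; bash passes a lone brace through as a literal here, but ShellCheck warns on it and a reader has to know that rule to trust the one-liner. Quoting makes the intent explicit at no cost: `ssort(){ sed 's/{/,/' | sort -n -t, -k2,2 | sed 's/,/{/'; }` and `... | sort -k1,1 -t'}' -u | ...`. The scratch files `1` and `2` are also written into the current directory and clobber anything already there; a `mktemp`-based name, or a comment saying the snippet expects a scratch directory, would be safer. `sort -n` on field 2 assumes the value after the first `{` is decimal, which the suite ranges cited later in this file (e.g. 49153-49177) suggest it is.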
@@ -58,12 +58,34 @@ rm ok.txt nok.txt;time while read url; do cipher="${url%%.*}";cipher="${cipher##
 # same test, but using openssl instead of curl
 for url in $(cat res/ok.txt); do host="${url##*/}"; echo;echo;echo _____ $host;(printf "GET / HTTP/1.1\r\nHost: $host\r\n\r\n";sleep .2) | openssl s_client -connect "$host" -CApath /etc/nginx/certs; done 2>&1 | tee s_client-all-res-ok.txt
-# filter non-working ciphers (missing certs)
-grep -vE '^(PSK|SRP|DHE-DSS|ECDHE-ECDSA|ECDH)-'
-Non-working ciphers can be grouped into:
-- DHE-DSS, EDH-DSS, EXP-EDH-DSS
-- ECDHE-ECDSA
+The following OpenSSL cipher suites do not connect to nginx:
+EXP-EDH-DSS-DES-CBC-SHA
+EXP-EDH-RSA-DES-CBC-SHA
+PSK-RC4-SHA
+PSK-3DES-EDE-CBC-SHA
+PSK-AES128-CBC-SHA
+PSK-AES256-CBC-SHA
+ECDH-RSA-RC4-SHA
+ECDH-RSA-DES-CBC3-SHA
+ECDH-RSA-AES128-SHA
+ECDH-RSA-AES256-SHA
+SRP-RSA-3DES-EDE-CBC-SHA
+SRP-DSS-3DES-EDE-CBC-SHA
+SRP-RSA-AES-128-CBC-SHA
+SRP-DSS-AES-128-CBC-SHA
+SRP-RSA-AES-256-CBC-SHA
+SRP-DSS-AES-256-CBC-SHA
+ECDH-RSA-AES128-SHA256
+ECDH-RSA-AES256-SHA384
+ECDH-RSA-AES128-GCM-SHA256
+ECDH-RSA-AES256-GCM-SHA384
+
+Groupable to:
+- EXP-EDH-{DSS,RSA}
+- PSK
+- ECDH-RSA
+- SRP
 Not supported by GnuTLS (source:
 http://backreference.org/2009/11/18/openssl-vs-gnutls-cipher-names/)
@@ -71,27 +93,13 @@ http://backreference.org/2009/11/18/openssl-vs-gnutls-cipher-names/)
 - PSK (Pre-Shared Key)
 - ECDH-{RSA,ECDSA} (not ECDHE-RSA) (source: wikipedia)
-
-Missing support:
-- GCM
-0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
-0x00,0x9F DHE-RSA-AES256-GCM-SHA384
-0x00,0x9D AES256-GCM-SHA384
-0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
-0x00,0x9E DHE-RSA-AES128-GCM-SHA256
-0x00,0x9C AES128-GCM-SHA256
-- ECDHE-RSA
-0xC0,0x13 ECDHE-RSA-AES128-SHA
-0xC0,0x14 ECDHE-RSA-AES256-SHA
-0xC0,0x12 ECDHE-RSA-DES-CBC3-SHA
-
-(not tested: DSS)
-- cipher suites from `RFC 5246 - TLS 1.2` are verified with the script
-- cipher suites 150-155 are taken from: RFC 4162 - SEED for TLS
-- cipher suites 156-167 are taken from: RFC 5288 - AES-GCM Cipher suites
-- cipher suites 49153-49177 are taken from: RFC 4492 - ECC for TLS
-- cipher suites 49195-49202 are taken from RFC 5289 - ECC with
- SHA256/384 and AES GCM
+Missing cipher suite support (from
+http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4):
+- SRP
+- KRB5
+- PSK
+- ARIA
+- mode CCM
 # Generate RSA stuff
 openssl genrsa -out server.pem
-- cgit v1.2.1