[openssl-users] Getting info on the ciphers supported by a client

Ivan Ristic ivan.ristic at gmail.com
Fri Mar 6 19:19:57 UTC 2015


On Fri, Mar 6, 2015 at 2:05 PM, Christian Georg <
christian.georg at cologne-intelligence.de> wrote:

>  Hi all,
>

Christian,

I might be able to save you some time.

I wrote an SSL/TLS client test for the SSL Labs web site; you can find it
here: https://dev.ssllabs.com/ssltest/viewMyClient.html If you can visit
this page from the client/device and examine the output, you'll find there
everything you need to know. There are a couple of other similar services.
I keep a list here:
https://github.com/ssllabs/research/wiki/Assessment-Tools (look under
Client Assessment).

If you can't do that, you can install my Apache module called mod_sslhaf,
which will dump contents of ClientHello to the server log. This approach
isn't as good as the previous one, but might be good enough for your use
case. You can find the module here: https://github.com/ssllabs/sslhaf


 I am trying to get detailed info on the protocols and cipher suites
> supported by a client app. Main goal is to verify that the constraints on
> protocols versions and cipher suites we are using within an app are working
> correctly. (so it is not about the cipher suites that are theoretically
> available on a mobile device)
>
> I was planning to use openssl s_server for this task. I am opening
> s_server on different ports each with a specific protocol version (-ssl2,
> -ssl3, -tls1…). On some of the ports a handshake should be successful on
> others not.
>
>
>
> The tricky part are the supported cipher suites. When using the –www
> option I can return a website to the client showing the cipher suites that
> provide a match, which gets pretty close to what I want in a browser. Now
> here are my challenges.
>
>
>
> Challenge 1: Getting a list of ALL Ciphersuites
>
> I would like to get info on all cipher suites supported (preferred) by the
> client . The –www option does only show the cipher suites with a match. So
> any cipher suite not supported by openssl will not be listed. When checking
> my browser with qualys SSl Lab I noticed that the following three
> ciphersuites are showing up on the qualys report but not on the s_server
> page.
>
>
>
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
>
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
>
>
>
> I do not see them as a risk, but what if some exotic weak ciphers are
> enabled within the app. It is my understanding that during a handshake a
> list of all preferred ciphers is send from the client to the server. How
> can I get access to this info?
>
>
>
> Challenge 2: How do I get the info into a log file on the server rather
> than sending it back as a website?
>
> The approach described above is working fine for browsers but what about
> consuming webservices? I am able to redirect the webservices to my openssl
> s_server and perform the handshake (even so the SOAP or REST Interface will
> then throw an error). But I could not find an option on getting the info
> written into the Logfile (in a human readable way) even with all logging I
> found enabled (-state -debug -msg –tlsextdebug -trace) I could not find the
> info in a human readable way.
>
>
>
> Any recommendations on how I can solve my issues without changing the
> openssl code and add this manually?
>
>
>
> Cheers
>
>
> Chris
>
>
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>


-- 
Ivan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150306/420a86d8/attachment.html>


More information about the openssl-users mailing list