[openssl-users] Getting info on the ciphers supported by a client

Christian Georg christian.georg at cologne-intelligence.de
Mon Mar 9 08:35:55 UTC 2015


Hi Steve,

thanks for the feedback. I was trying this again this morning and noticed a mistake I made. Not sure if this is intended behaviour. 
When combining the -www and -brief option in one call -brief does not create any output to stdout.

So when using this:	/usr/local/openssl-1.0.2/bin/openssl  s_server -brief  -key server.pem -cert server.pem -accept 6011
I got the expected output on stdout (including the unknown ciphers)

When using this: /usr/local/openssl-1.0.2/bin/openssl  s_server -brief -www  -key server.pem -cert server.pem -accept 6011
I am not getting the output expected from -brief on stdout and the unknown ciphersuites are also not showing up. I thought that by using -www I would getting back a proper http response (with an info page) and in addition all output on the server. This does not seem to be the case.

As I do not need both outputs at the same time I can open separate servers for output to browser based systems and Apps calling a webservice

Cheers
Chris

-----------------------------------------------
-----Ursprüngliche Nachricht-----
Von: openssl-users [mailto:openssl-users-bounces at openssl.org] Im Auftrag von Dr. Stephen Henson
Gesendet: Freitag, 6. März 2015 21:05
An: openssl-users at openssl.org
Betreff: Re: [openssl-users] Getting info on the ciphers supported by a client

On Fri, Mar 06, 2015, Christian Georg wrote:

> 
> Any recommendations on how I can solve my issues without changing the openssl code and add this manually?
> 

I'm not sure OpenSSL can do exactly what you want: 1.0.2 has an option to return the raw ciphersuite list sent by the client. The s_server utility will print this out if you set the -brief option. Ciphersuites OpenSSL doesn't recognise are then printed out in hex form.

For example a recent version of Chrome shows:

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:0xCC14:0xCC13:0xCC15:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5:DES-CBC3-SHA:SCSV

The three hex values correspond to:

   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   = {0xcc, 0x13}
   TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = {0xcc, 0x14}
   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 =     {0xcc, 0x15}

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org _______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


More information about the openssl-users mailing list