Open kylak opened 4 months ago
Hi,
o-saft.pl ciphers -V
lib/Ciphers.pm dump
Does this answer your question?
Please keep in mind that the list of ciphers with their attributes is compiled manually.
The (current) list of IANA can be found in lib/Ciphers.pm, see @cipher_iana_recomended there.
This does not restrict to test for ciphers not listed (see dump above), you always may check for the complete range with:
o-saft.pl demo +cipher --cipher-range=huge
or even:
o-saft.pl demo +cipher --cipher-range=full
just check the IANA list (didn't change since ages). It's now possible to do:
o-saft.pl demo +cipher --cipher-range=iana
The list is now defined in lib/Ocfg.pm; I'll remove @cipher_iana_recomended ...
Am I right that your test purpose is to check if non-IANA ciphers are supported?
No actually, I want to test any possible cipher suite on each TLS/SSL protocol version to see which cipher suite is permitted by the server and hence which TLS/SSL protocol version is permitted also. A brute force technique. So the tool I would need has to have all the cipher suites that could be used on a TLS/SSL communication; it therefore includes the IANA cipher suites and the non-IANA cipher suites. In total I found 376 cipher suites that could be used (but maybe I forgot some?). hello_tls does what I want but it only uses the IANA cipher suites and doesn't check for the SSLv2 protocol. Do you know if O-Saft could help me to reach my goal?
yes for sure:
o-saft.pl your.tld +cipher --cipher-range=huge
or even:
o-saft.pl your.tld +cipher --cipher-range=full
The Total number ... line at end of the output will show the number of checked and accepted ciphers.
Add the --trace option and you see the complete list of cipher suite keys to be tested (be prepared for huge, huge, ... output then ;-)
However, I rarely found a target which responded to ciphers not in --cipher-range=rfc (which is the default).
Please let me know, if you find other ciphers.
If you're testing targets with a proprietary SSL/TLS-stack, we know of some strange and unexpected behaviours. Then you need to look at the more advanced options for --ssl-*:
o-saft.pl --help=opts | egrep ssl-
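
The brute-force check discussed above, sketched as an added example that is not part of the original thread and is not O-Saft's code: offer a batch of 16-bit cipher suite IDs, read which one the ServerHello selects, drop it and re-offer until the server refuses. All function names are hypothetical, and it assumes the TLS 1.0 to 1.2 hello format only (SSLv2 and TLS 1.3 need different hello messages).

```python
import os, socket, struct

def client_hello(version, suites, host):
    """One TLS record with a ClientHello offering `suites` (16-bit IDs) at `version`."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni             # server_name
    exts += bytes.fromhex("000a00080006001d00170018")        # supported_groups
    exts += bytes.fromhex("000d000a00080403040108040201")    # signature_algorithms
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"  # random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + struct.pack(f"!{len(suites)}H", *suites)
    body += b"\x01\x00" + struct.pack("!H", len(exts)) + exts     # null compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def server_choice(reply):
    """(version, suite) from a ServerHello record; None for an alert or a short read."""
    if len(reply) < 46 or reply[0] != 0x16 or reply[5] != 0x02:
        return None
    off = 44 + reply[43]                                     # skip the session id
    if len(reply) < off + 2:
        return None
    return struct.unpack("!H", reply[9:11])[0], struct.unpack("!H", reply[off:off + 2])[0]

def accepted_suites(probe, candidates, batch=64):
    """Each successful probe reveals one accepted suite; remove it and ask again."""
    accepted = []
    for i in range(0, len(candidates), batch):
        offer = list(candidates[i:i + batch])
        while offer:
            pick = probe(offer)
            if pick not in offer:        # None (alert, reset) or a suite never offered
                break
            accepted.append(pick)
            offer.remove(pick)
    return accepted

def tcp_probe(host, port, version):
    """Probe for a live target: one connection per offer, same protocol version only."""
    def probe(offer):
        try:
            with socket.create_connection((host, port), timeout=5) as s:
                s.sendall(client_hello(version, offer, host))
                choice = server_choice(s.recv(4096))
        except OSError:
            return None
        return choice[1] if choice and choice[0] == version else None
    return probe
```

Calling `accepted_suites(tcp_probe(host, 443, 0x0303), list(range(0x10000)))` walks the full 16-bit range for TLS 1.2; repeating it with 0x0302 and 0x0301 shows which older protocol versions the server still negotiates.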
Ok. I'm going to try that, thanks.
Hello, does O-Saft use all IANA cipher suites?
Thanks.