OWASP / O-Saft

O-Saft - OWASP SSL advanced forensic tool
GNU General Public License v2.0
373 stars 86 forks source link

all IANA cipher suites #135

Open kylak opened 4 months ago

kylak commented 4 months ago

Hello, does O-Saft uses all IANA cipher suites ?

Thanks.

EnDe commented 4 months ago

Hi,

o-saft.pl ciphers -V lib/Ciphers.pm dump

Does this answer your question?

Please keep in mind that the list of ciphers with their attributes is compiled manually. The (current) list of IANA can be found in lib/Ciphers.pm, see @cipher_iana_recomended there.

This does not restrict to test for ciphers not listed (see dump above), you always may check for the complete range with: o-saft.pl demo +cipher --cipher-range=huge or even: o-saft.pl demo +cipher --cipher-range=full

EnDe commented 4 months ago

just check the IANA list (didn't change since ages). It's now possible to do: o-saft.pl demo +cipher --cipher-range=iana The list is now defined in lib/Ocfg.pm; I'll remove @cipher_iana_recomended ...

Am I right that your test purpose is to check if non-IANA ciphers are supported?

kylak commented 4 months ago

No actually, I want to test any possible cipher suite on each TLS/SSL protocol version to see which cipher suite is permitted by the server and hence which TLS/SSL protocol version is permited also. A brute force technique. So the tool I would need, has to have all the cipher suite that could be used on a TLS/SSL communication, it includes therefore the IANA cipher suites and the non-IANA cipher suites, in total I found 376 cipher suites that could be used (but maybe I forgot some?). hello_tls makes what I want but it only used the IANA cipher suites and doesn't check for the SSLv2 protocol. Do you know if O-Saft could help me to reach my goal ?

EnDe commented 4 months ago

yes for sure: o-saft.pl your.tld +cipher --cipher-range=huge or even: o-saft.pl your.tld +cipher --cipher-range=full The Total number ... line at end of the output will show the number of checked and accepted ciphers.

Add the --trace option and you see the complete list of cipher suite keys to be tested (be prepared for huge, huge, ... output then;-)

However, I rarely found a target which responded to ciphers not in --cipher-range=rfc (which is the default). Please let me know, if you find other ciphers.

If you're testing targets with a proprietry SSL/TLS-stack, we know of some strange and unexpected behaviours. Then you need to look at the more advanced options for --ssl-*: o-saft.pl --help=opts | egrep ssl-

kylak commented 4 months ago

Ok. I'm going to try that, thanks.