search

drwetter / testssl.sh

Testing TLS/SSL encryption anywhere on any port
https://testssl.sh
GNU General Public License v2.0
7.93k stars 1.02k forks source link

[Feature request] New Cipher suites RFC 8998 etc. #2285

Open drwetter opened 1 year ago

drwetter commented 1 year ago

Which version are you referring to maybe both

Describe your feature request (if it's a technical feature) Add ciphersuites, possibly:

  CipherSuite TLS_SM4_GCM_SM3 = 0x00, 0xC6;
  CipherSuite TLS_SM4_CCM_SM3 = 0x00, 0xC7;

  CipherSuite TLS_ECCPWD_WITH_AES_128_GCM_SHA256 = 0xC0,0xB0;
  CipherSuite TLS_ECCPWD_WITH_AES_256_GCM_SHA384 = 0xC0,0xB1;
  CipherSuite TLS_ECCPWD_WITH_AES_128_CCM_SHA256 = 0xC0,0xB2;
  CipherSuite TLS_ECCPWD_WITH_AES_256_CCM_SHA384 = 0xC0,0xB3;

  TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L    =  0xC1,x03
  TLS_GOSTR341112_256_WITH_MAGMA_MGM_L         =  0xC1,x04
  TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S    =  0xC1,x05
  TLS_GOSTR341112_256_WITH_MAGMA_MGM_S         =  0xC1,x06

Just stumbled over this https://github.com/nmap/nmap/blob/master/nselib/tls.lua . Needs to be checked whether it makes sense to add them to etc/cipher-mapping.txt or to openssl-iana.mapping.html only.

dcooper16 commented 1 year ago

Hi Dirk,

I started looking into adding these new codepoints some time ago (see #1207). I did some work on it a while ago, but didn't bother to create a PR, since I have no way to test against any server that supports any of the new codepoints. I just posted the work that I've done so far to https://github.com/dcooper16/testssl.sh/tree/new_codepoints. It has been a long time since I looked at this, so I can't really remember what I had done and what was still left to do.

drwetter commented 1 year ago

Hi David.

totally forgot #1207.

IMO all we can do is a best effort here. Maybe censys e.g. has info where those codepoints are being used -- assuming they use it while scanning.

Mind a PR? (Your change seems newer than #1207).

Cheers, Dirk

dcooper16 commented 1 year ago

Mind a PR? (Your change seems newer than https://github.com/drwetter/testssl.sh/issues/1207).

Since I haven't looked at this work in a long time, I'd like to review it before submitting a PR. I just made a quick update to it to note that some documents listed as drafts are now RFCs, to add the new cipher suites to etc/cipher-mapping.txt, and to add two new cipher suites that are listed in the IANA registry: TLS_AEGIS_256_SHA384 and TLS_AEGIS_128L_SHA256.

I don't have much time to look at this now, but hopefully will be able to in early January.