drwetter / testssl.sh

Testing TLS/SSL encryption anywhere on any port
https://testssl.sh
GNU General Public License v2.0

all IANA cipher suites #2526

Closed kylak closed 3 months ago

kylak commented 3 months ago

Which version are you referring to: The latest.

Hello, does testssl.sh use all IANA cipher suites?

Thanks.

drwetter commented 3 months ago

I just encountered a déjà vu. Why do you ask the same question twice?

And you asked the same question also at cipherscan. What's the reason, I am just curious.

-- Sent from my mobile. Apologize for my brevity and typos/autocorrection

kylak commented 3 months ago

Here's the answer: https://github.com/OWASP/O-Saft/issues/135#issuecomment-2230758138

drwetter commented 3 months ago

Yeah, I remember having a discussion with EnDe a looong time back why testssl.sh doesn't do that and scanning for every possible cipher suite. Conclusion was: Our tools have just different goals.

You can however try to scan with an undocumented feature like ./testssl.sh -q --devel 03 "cc,a8, cc,a9, cc,aa, cc,ab, cc,ac" blog.cloudflare.com and use all IANA suites. ;-)

There's another issue why I believe in general the result may not be reliable: for some cipher suites you would need to provide TLS extensions or specific values in those extensions, otherwise the server won't possibly accept the ClientHello, see e.g. https://github.com/drwetter/testssl.sh/issues/1207#issuecomment-468298835
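Added example, not part of the thread and not testssl.sh code: Python that parses the suite list from the command above and builds a TLS 1.2 ClientHello for it, adding supported_groups and ec_point_formats when an ECDHE suite is offered, as one instance of the extension dependency described in the comment. The suite names are the RFC 7905 assignments; the function names, the chosen groups and the optional SNI handling are assumptions of this example.

```python
import os
import struct

# Constructed sample: the suite list exactly as written in the command above.
SUITE_ARG = "cc,a8, cc,a9, cc,aa, cc,ab, cc,ac"

# RFC 7905 names for these five code points (table covers only this list).
RFC7905 = {
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAA: "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAB: "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
    0xCCAC: "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
}

def parse_suites(arg):
    """Turn 'cc,a8, cc,a9' into [0xCCA8, 0xCCA9]."""
    parts = [p.strip() for p in arg.split(",")]
    if len(parts) % 2:
        raise ValueError("cipher suites are two bytes each")
    return [int(hi + lo, 16) for hi, lo in zip(parts[0::2], parts[1::2])]

def uses_ecdhe(code):
    return "_ECDHE_" in RFC7905.get(code, "")

def ext(ext_type, body):
    """One extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body

def client_hello(suites, host=None):
    """TLS 1.2 ClientHello handshake message (record header not included)."""
    exts = b""
    if host:  # server_name (type 0): list length, name_type 0, name length, name
        name = host.encode("ascii")
        exts += ext(0, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    if any(uses_ecdhe(s) for s in suites):
        # supported_groups (10): x25519 and secp256r1, chosen for this example
        exts += ext(10, struct.pack("!HHH", 4, 0x001D, 0x0017))
        # ec_point_formats (11): one format, uncompressed
        exts += ext(11, b"\x01\x00")
    body = b"\x03\x03" + os.urandom(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))       # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                              # one compression method: null
    body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1
```

Comparing `client_hello(parse_suites(SUITE_ARG))` with `client_hello([0xCCAA, 0xCCAB])` shows the difference on the wire: the first carries 16 bytes of extensions, the second none.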

kylak commented 3 months ago

> There's another issue why I believe in general the result may not be reliable: for some cipher suites you would need to provide TLS extensions or specific values in those extensions, otherwise the server won't possibly accept the ClientHello, see e.g. https://github.com/drwetter/testssl.sh/issues/1207#issuecomment-468298835

Just opened an issue here to know if O-Saft handles these scenarios.