Closed drwetter closed 8 years ago
Hmmm, that's a good one. The implementation differs slightly, as the 1.0.2-chacha implementation has the "old" nonce implementation. This version received the following designators in draft-agl-tls-chacha20poly1305 (I used the latest version, 04):
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xcc, 0x13}
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = {0xcc, 0x14}
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xcc, 0x15}
To prevent confusion, I added the _2013 suffix (the year of the memo). Would that work with you @drwetter ?) By the way, the most recent draft-ietf-tls-chacha20-poly1305 (latest version, 04) states the following names (check the _SHA256 suffix):
xCCA8 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xCCA9 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 xCCAA TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xCCAB TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 xCCAC TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 xCCAD TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 xCCAE TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
I changed the mapping file to reflect this and added a pull request.
Cheers,
Peter
Ok, now that we have the RFC/IANA names changed would like to propose a change for your branch open openssl. Those names still have a conflict (1st current 1.1.0 version)
dirk@laptop:/data/tmp/openssl.git|1% LD_LIBRARY_PATH=$PWD apps/openssl ciphers -V | grep CHACHA
0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xA8 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xAA - DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xAE - RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xAD - DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xAC - ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xAB - PSK-CHACHA20-POLY1305 TLSv1.2 Kx=PSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
dirk@laptop:/daata/tmp/openssl.git|%
CCA8-CCAA names (openssl ones) are still the same as in your branch.
See also https://github.com/PeterMosmans/openssl/issues/43 and https://github.com/PeterMosmans/openssl/issues/38 .
PS: I would love to change the mapping to s/2013/OLD/g.
Cheers, Dirk
Hi @PeterMosmans,
I prefered this, so I change that accordingly, see 1fae394. With the change in openssl it would looks like this (I need to add one column):
dirks@laptop:~/testssl|130% ./testssl.sh -q -e --openssl=/tmp/openssl google.com
Start 2016-06-13 21:36:24 -->> 216.58.213.238:443 (google.com) <<--
further IP addresses: 2a00:1450:4005:80a::200e
rDNS (216.58.213.238): ham04s01-in-f14.1e100.net.
Service detected: HTTP
Testing all 179 locally available ciphers against the server, ordered by encryption strength
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
--------------------------------------------------------------------------------------------------------------------------
xcc13 ECDHE-RSA-CHACHA20-POLY1305-OLD ECDH 256 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
^C
dirks@laptop:~/testssl|130%
I'll leave this open for clarifying the OpenSSL naming scheme.
Cheers, Dirk
note to self: don't know whether I should go with the SSLlabs naming, all RFC names start with TLS or SSL. Feels inconsistent.
There's an overlap, see https://api.dev.ssllabs.com/api/v3/getClients and #375. So I rather leave the IANA/RFC names like SSLlabs.
Current status:
dirks@laptop:~/testssl|0% ./testssl.sh -q -e --show-each --openssl=/tmp/openssl google.com
Start 2016-06-15 21:33:43 -->> 216.58.213.206:443 (google.com) <<--
further IP addresses: 2a00:1450:4005:803::200e
rDNS (216.58.213.206): ham02s15-in-f14.1e100.net.
Service detected: HTTP
Testing all 179 locally available ciphers against the server, ordered by encryption strength
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
---------------------------------------------------------------------------------------------------------------------------
xcc14 ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH ChaCha20 256 OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 not a/v
xcc13 ECDHE-RSA-CHACHA20-POLY1305-OLD ECDH 256 ChaCha20 256 OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 available
xcc15 DHE-RSA-CHACHA20-POLY1305-OLD DH ChaCha20 256 OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not a/v
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 available
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 not a/v
xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 available
xc024 ECDHE-ECDSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 not a/v
xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA available
xc00a ECDHE-ECDSA-AES256-SHA ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA not a/v
^C
dirks@laptop:~/testssl|130%
``
@PeterMosmans : Are there plans to merge the ciphers 0xCCA8-0xCCAE from OpenSSL 1.1.0 into your fork any time soon, or perhaps to create a new branch for a fork of version 1.1.0?
Hi @0x686578 - no, I have no plans at this moment to incorporate the 'newer' ChaCha versions onto 1.0.2-chacha. The 1.1.0 version of OpenSSL contains a lot less insecure ciphers, so a fork will mean a lot of extra modifications in order to use it for testing purposes.
Hi @PeterMosmans - that's a pity. Yeah, I suppose creating a new fork will require you to make all the modifications again. But I was hoping at least the newer ciphers would be merged. Because, I'm not just using testssl to test for vulnerabilities, but also to check which ciphers a website actually supports. And I do see sites popping up that have the newer ChaCha ciphers enabled (those behind Akamai, for instance).
Sent from my mobile. Excuse my brevity&typos+the phone's autocorrection
Hi @drwetter - I've tried the 2.9dev version, it does not detect the newer ChaCha ciphers.
The code that @drwetter was referring to was only added to 2.9dev three days ago, and it only affects the "-e" option:
-e, --each-cipher checks each local cipher remotely
In addition to using the latest 2.9dev, you need to have the cipher-mapping.txt file. If you run "testssl.sh -e" with the current 2.9dev, does it still not detect the ChaCha ciphers? Do the results indicate that 359 ciphers were tested? If so, could you tell me the DNS name for the server, so that I can test it out myself?
Here is what I get for google.com with the latest 2.9dev:
Testing 359 ciphers via sockets against the server, ordered by encryption strength
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
---------------------------------------------------------------------------------------------------------------------------
xcc14 ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD
xcc13 ECDHE-RSA-CHACHA20-POLY1305-OLD ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
xc00a ECDHE-ECDSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
x16b7 - CECPQ1 ChaCha20 256 TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256
x16b9 - CECPQ1 AESGCM 256 TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA
Ok, so I was using some flags, but not the "-e" flag. Yes, "-e" does work! However, I am particularly interested in the cipher order, for which the openssl binary is used, which obviously does not detect it. Guess I'll need to be a bit more patient then. ;)
Am 16. November 2016 08:48:00 MEZ, schrieb 0x686578 notifications@github.com:
Hi @PeterMosmans - that's a pity. Yeah, I suppose creating a new fork will require you to make all the modifications again. But I was hoping at least the newer ciphers would be merged. Because, I'm not just using testssl to test for vulnerabilities, but also to check which ciphers a website actually supports. And I do see sites popping up that have the newer ChaCha ciphers enabled (those behind Akamai, for instance).
I can't speak for Peter but to me -- as far as the fork is concerned -- it looks like it's less work to to backport CCM and new chacha ciphers.
Still then it doesn't support TLS 1.3 yet. The general idea of testssl.sh is to compensate this by using sockets.
David Cooper did a very good job on this in the past, present and I guess in the future too..
Cheers, Dirk
Sent from my mobile. Excuse my brevity&typos+the phone's autocorrection
Well, you guys have done a great job already, so all I want to say is keep up the good work!
I'll put it on the "future work" list to backport the features, but, be forewarned, it's immediately going to the backburner :wink: These things take time. You can follow https://github.com/PeterMosmans/openssl/issues/38 for the progress.
Cheers, thanks,
Peter
There are new ciphers in 1.1.0 which carry the same OpenSSL name (0xCCAA-0xCCAE).
@PeterMosmans : any suggestion?
See https://github.com/drwetter/testssl.sh/blob/master/etc/mapping.txt (I already renamed to them there *OLD but I don't know whether this is common or there's a common naming)