Reconsider naming scheme for ciphers 0xCC13-0xCC15

[drwetter]

There are new ciphers in 1.1.0 which carry the same OpenSSL name (0xCCAA-0xCCAE).

@PeterMosmans : any suggestion?

See https://github.com/drwetter/testssl.sh/blob/master/etc/mapping.txt (I already renamed to them there *OLD but I don't know whether this is common or there's a common naming)

[PeterMosmans]

Hmmm, that's a good one. The implementation differs slightly, as the 1.0.2-chacha implementation has the "old" nonce implementation. This version received the following designators in draft-agl-tls-chacha20poly1305 (I used the latest version, 04):

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   = {0xcc, 0x13}
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = {0xcc, 0x14}
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 =     {0xcc, 0x15}

To prevent confusion, I added the _2013 suffix (the year of the memo). Would that work with you @drwetter ?) By the way, the most recent draft-ietf-tls-chacha20-poly1305 (latest version, 04) states the following names (check the _SHA256 suffix):

xCCA8 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xCCA9 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 xCCAA TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xCCAB TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 xCCAC TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 xCCAD TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 xCCAE TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256

I changed the mapping file to reflect this and added a pull request.

Cheers,

Peter

[drwetter]

Ok, now that we have the RFC/IANA names changed would like to propose a change for your branch open openssl. Those names still have a conflict (1st current 1.1.0 version)

dirk@laptop:/data/tmp/openssl.git|1%  LD_LIBRARY_PATH=$PWD apps/openssl ciphers -V | grep CHACHA       
          0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0xCC,0xA8 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0xCC,0xAA - DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0xCC,0xAE - RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0xCC,0xAD - DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0xCC,0xAC - ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0xCC,0xAB - PSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
dirk@laptop:/daata/tmp/openssl.git|%                       

CCA8-CCAA names (openssl ones) are still the same as in your branch.

See also https://github.com/PeterMosmans/openssl/issues/43 and https://github.com/PeterMosmans/openssl/issues/38 .

PS: I would love to change the mapping to s/2013/OLD/g.

Cheers, Dirk

[drwetter]

Hi @PeterMosmans,

I prefered this, so I change that accordingly, see 1fae394. With the change in openssl it would looks like this (I need to add one column):

dirks@laptop:~/testssl|130% ./testssl.sh -q -e --openssl=/tmp/openssl google.com

 Start 2016-06-13 21:36:24    -->> 216.58.213.238:443 (google.com) <<--

 further IP addresses:   2a00:1450:4005:80a::200e
 rDNS (216.58.213.238):  ham04s01-in-f14.1e100.net.
 Service detected:       HTTP

 Testing all 179 locally available ciphers against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits        Cipher Suite Name (RFC)
--------------------------------------------------------------------------------------------------------------------------
 xcc13   ECDHE-RSA-CHACHA20-POLY1305-OLD ECDH 256   ChaCha20   256         TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD   
 xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 256   AESGCM     256         TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             
 xc028   ECDHE-RSA-AES256-SHA384        ECDH 256   AES        256         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384             
 xc014   ECDHE-RSA-AES256-SHA           ECDH 256   AES        256         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                
 x9d     AES256-GCM-SHA384              RSA        AESGCM     256         TLS_RSA_WITH_AES_256_GCM_SHA384                   
 x3d     AES256-SHA256                  RSA        AES        256         TLS_RSA_WITH_AES_256_CBC_SHA256                   
 x35     AES256-SHA                     RSA        AES        256         TLS_RSA_WITH_AES_256_CBC_SHA                      
 xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH 256   AESGCM     128         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             
 xc027   ECDHE-RSA-AES128-SHA256        ECDH 256   AES        128         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256             
 xc013   ECDHE-RSA-AES128-SHA           ECDH 256   AES        128         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                
^C

dirks@laptop:~/testssl|130% 

I'll leave this open for clarifying the OpenSSL naming scheme.

Cheers, Dirk

[drwetter]

note to self: don't know whether I should go with the SSLlabs naming, all RFC names start with TLS or SSL. Feels inconsistent.

[drwetter]

There's an overlap, see https://api.dev.ssllabs.com/api/v3/getClients and #375. So I rather leave the IANA/RFC names like SSLlabs.

[drwetter]

Current status:

dirks@laptop:~/testssl|0% ./testssl.sh -q -e --show-each --openssl=/tmp/openssl google.com

 Start 2016-06-15 21:33:43    -->> 216.58.213.206:443 (google.com) <<--

 further IP addresses:   2a00:1450:4005:803::200e
 rDNS (216.58.213.206):  ham02s15-in-f14.1e100.net.
 Service detected:       HTTP

 Testing all 179 locally available ciphers against the server, ordered by encryption strength

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits     Cipher Suite Name (RFC)
---------------------------------------------------------------------------------------------------------------------------
 xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH       ChaCha20  256      OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  not a/v
 xcc13   ECDHE-RSA-CHACHA20-POLY1305-OLD   ECDH 256   ChaCha20  256      OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256    available
 xcc15   DHE-RSA-CHACHA20-POLY1305-OLD     DH         ChaCha20  256      OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256      not a/v
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM    256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              available
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH       AESGCM    256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            not a/v
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 256   AES       256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              available
 xc024   ECDHE-ECDSA-AES256-SHA384         ECDH       AES       256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384            not a/v
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES       256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 available
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH       AES       256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA               not a/v
^C

dirks@laptop:~/testssl|130%

``

[0x686578]

@PeterMosmans : Are there plans to merge the ciphers 0xCCA8-0xCCAE from OpenSSL 1.1.0 into your fork any time soon, or perhaps to create a new branch for a fork of version 1.1.0?

[PeterMosmans]

Hi @0x686578 - no, I have no plans at this moment to incorporate the 'newer' ChaCha versions onto 1.0.2-chacha. The 1.1.0 version of OpenSSL contains a lot less insecure ciphers, so a fork will mean a lot of extra modifications in order to use it for testing purposes.

[0x686578]

Hi @PeterMosmans - that's a pity. Yeah, I suppose creating a new fork will require you to make all the modifications again. But I was hoping at least the newer ciphers would be merged. Because, I'm not just using testssl to test for vulnerabilities, but also to check which ciphers a website actually supports. And I do see sites popping up that have the newer ChaCha ciphers enabled (those behind Akamai, for instance).

[drwetter]

Pull the latest 2.9dev ;-)

Sent from my mobile. Excuse my brevity&typos+the phone's autocorrection

[0x686578]

Hi @drwetter - I've tried the 2.9dev version, it does not detect the newer ChaCha ciphers.

[dcooper16]

The code that @drwetter was referring to was only added to 2.9dev three days ago, and it only affects the "-e" option:

     -e, --each-cipher             checks each local cipher remotely

In addition to using the latest 2.9dev, you need to have the cipher-mapping.txt file. If you run "testssl.sh -e" with the current 2.9dev, does it still not detect the ChaCha ciphers? Do the results indicate that 359 ciphers were tested? If so, could you tell me the DNS name for the server, so that I can test it out myself?

Here is what I get for google.com with the latest 2.9dev:

 Testing 359 ciphers via sockets against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  Encryption Bits     Cipher Suite Name (RFC)
---------------------------------------------------------------------------------------------------------------------------
 xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH 253   ChaCha20  256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD  
 xcc13   ECDHE-RSA-CHACHA20-POLY1305-OLD   ECDH 253   ChaCha20  256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD    
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM    256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 253   AESGCM    256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES       256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              
 xc024   ECDHE-ECDSA-AES256-SHA384         ECDH 253   AES       256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384            
 xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES       256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 253   AES       256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA               
 xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 253   ChaCha20  256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256      
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20  256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        
 x9d     AES256-GCM-SHA384                 RSA        AESGCM    256      TLS_RSA_WITH_AES_256_GCM_SHA384                    
 x3d     AES256-SHA256                     RSA        AES       256      TLS_RSA_WITH_AES_256_CBC_SHA256                    
 x35     AES256-SHA                        RSA        AES       256      TLS_RSA_WITH_AES_256_CBC_SHA                       
 x16b7   -                                 CECPQ1     ChaCha20  256      TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256       
 x16b9   -                                 CECPQ1     AESGCM    256      TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384             
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM    128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 253   AESGCM    128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256            
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 253   AES       128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              
 xc023   ECDHE-ECDSA-AES128-SHA256         ECDH 253   AES       128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256            
 xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES       128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH 253   AES       128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA               
 x9c     AES128-GCM-SHA256                 RSA        AESGCM    128      TLS_RSA_WITH_AES_128_GCM_SHA256                    
 x3c     AES128-SHA256                     RSA        AES       128      TLS_RSA_WITH_AES_128_CBC_SHA256                    
 x2f     AES128-SHA                        RSA        AES       128      TLS_RSA_WITH_AES_128_CBC_SHA                       
 x0a     DES-CBC3-SHA                      RSA        3DES      168      TLS_RSA_WITH_3DES_EDE_CBC_SHA

[0x686578]

Ok, so I was using some flags, but not the "-e" flag. Yes, "-e" does work! However, I am particularly interested in the cipher order, for which the openssl binary is used, which obviously does not detect it. Guess I'll need to be a bit more patient then. ;)

[drwetter]

Am 16. November 2016 08:48:00 MEZ, schrieb 0x686578 notifications@github.com:

Hi @PeterMosmans - that's a pity. Yeah, I suppose creating a new fork will require you to make all the modifications again. But I was hoping at least the newer ciphers would be merged. Because, I'm not just using testssl to test for vulnerabilities, but also to check which ciphers a website actually supports. And I do see sites popping up that have the newer ChaCha ciphers enabled (those behind Akamai, for instance).

I can't speak for Peter but to me -- as far as the fork is concerned -- it looks like it's less work to to backport CCM and new chacha ciphers.

Still then it doesn't support TLS 1.3 yet. The general idea of testssl.sh is to compensate this by using sockets.

David Cooper did a very good job on this in the past, present and I guess in the future too..

Cheers, Dirk

Sent from my mobile. Excuse my brevity&typos+the phone's autocorrection

[0x686578]

Well, you guys have done a great job already, so all I want to say is keep up the good work!

[PeterMosmans]

I'll put it on the "future work" list to backport the features, but, be forewarned, it's immediately going to the backburner :wink: These things take time. You can follow https://github.com/PeterMosmans/openssl/issues/38 for the progress.

Cheers, thanks,

Peter