search

mozilla / cipherscan

A very simple way to find out which SSL ciphersuites are supported by a target.
Mozilla Public License 2.0
1.97k stars 266 forks source link

CHACHA20 not listed #188

Open agniveshadhikari opened 2 years ago

agniveshadhikari commented 2 years ago

First I tried just running the cipherscan script on it's own ( I copied just this file from this repo, and ran it).

$ ./cs redacted
...../cs: line 1589: ./cscan.sh: No such file or directory

Target: redacted

prio  ciphersuite                  protocols  pubkey_size  signature_algoritm       trusted  ticket_hint  ocsp_staple  npn          pfs
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2    2048         sha384WithRSAEncryption  True     None         False        h2,http/1.1  X25519,253bits  None
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2    2048         sha384WithRSAEncryption  True     None         False        h2,http/1.1  X25519,253bits  None
3     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2    2048         sha384WithRSAEncryption  True     None         False        h2,http/1.1  X25519,253bits  None

OCSP stapling: not supported
Cipher ordering: server
Curves ordering: unknown - fallback: no
Renegotiation test error
Supported compression methods test error

TLS Tolerance: no
Fallbacks required:
big-SSLv3 config not supported, connection failed
big-TLSv1.0 config not supported, connection failed
big-TLSv1.1 config not supported, connection failed
big-TLSv1.2 config not supported, connection failed
small-SSLv3 config not supported, connection failed
small-TLSv1.0 config not supported, connection failed
small-TLSv1.1 config not supported, connection failed
small-TLSv1.2 config not supported, connection failed
v2-big-TLSv1.2 config not supported, connection failed
v2-small-SSLv3 config not supported, connection failed
v2-small-TLSv1.0 config not supported, connection failed
v2-small-TLSv1.1 config not supported, connection failed
v2-small-TLSv1.2 config not supported, connection failed

Then I cloned the whole repo and ran the same command.

$ ./cipherscan redacted
............
Target: redacted
prio  ciphersuite                  protocols  pfs                 curves
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2    ECDH,P-256,256bits  prime256v1,secp521r1,secp384r1
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2    ECDH,P-256,256bits  prime256v1,secp521r1,secp384r1

Certificate: trusted, 2048 bits, sha384WithRSAEncryption signature
TLS ticket lifetime hint: None
NPN protocols: h2,http/1.1
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: server - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes

Intolerance to:
 SSL 3.254           : absent
 TLS 1.0             : PRESENT
 TLS 1.1             : PRESENT
 TLS 1.2             : absent
 TLS 1.3             : absent
 TLS 1.4             : absent

As you can see, CHACHA disappeared from the list. I know CHACHA does work with this server. (Tested with openssl s_client)

q2dg commented 1 year ago

Maybe it's because this project seems abandoned...

tomato42 commented 1 year ago

not abandoned, but definitely not actively developed; the listed ciphers depend on the used openssl version. if it doesn't support Chacha20, then the test won't list chacha20 as available

janbrasna commented 9 months ago

@agniveshadhikari The difference may be related to #179 — using your OpenSSL version vs. the bundled one?