Full Server Ciphersuite Order Preference Detection

[faldridge]

In order to verify certain aspects of a given server's TLS configuration, e.g., full Forward Secrecy support, sslyze should be able to detect a server's full cipher suite order preference, for those that have them.

[Jacopo]

I have some C code that does this, would sslyze be open to integrating it?

[faldridge]

I have a PR with a green build up for this, #339, but I haven't been able to get any feedback on it.

[nabla-c0d3]

Sorry, I haven't had time to look at this yet.

[nabla-c0d3]

I'm hoping to finally get to this on the next release. For now I've removed the "preferred cipher suite" functionality as it was too buggy.

When implementing cipher suite order detection, the following behavior will have to be considered: https://github.com/nabla-c0d3/sslyze/issues/456.

[nabla-c0d3]

I got asked about this recently, so here's an update : I've kind of given up on adding server cipher order preference, for a couple reasons:

• AFAIK testing for it requires opening a lot of connections to the server being tested, and is a very messy process overall as it requires recursion (see "Algorithm for testing preference" in https://www.exploresecurity.com/testing-for-cipher-suite-preference/ ). SSLyze is optimised for fast, reliable, mass-scanning of servers; the "algorithm for testing preference" will be very slow (much slower than running all other plugins together), noisy, and possibly unreliable.
• The security benefit of knowing the server's preference seems tiny to me.