--cipher argument does not accept chacha or RSA ciphers.

Hi, when I try to specify the ciphers as follows (I also tried to enter the ciphersuites with/without quotations): --ciphers=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA

When I check the client hello in wireshark, I see only one actual cipher which is: Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

Can you please clarify to me how can I specify the ciphers correctly? in particular chacha ciphers?

I could observer the behavior. When I enter this customized list: --ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5:DES-CBC3-SHA"

tls-scan send only 11 out of them (no RSA ciphers included):

            Cipher Suites (12 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
                Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

When I include ChaCha ciphers,

AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5:DES-CBC3-SHA"

tls-scan sends only 8 ciphers (similar to those in --tls-modern)

            Cipher Suites (8 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Can you please help resolving this issue asap? I need to ba able to customized the list as I need to include Chachaciphers in addition to RSA and RC4ciphers which are supported if I do not include the --cipher choice but in a different order that I do not want and with other ciphers that I also do not want.

This is a known issue [1], but unfortunately there is no easy solution to it. In order to support old ciphers and SSL versions, we are using a modified openssl-1.0.2 version (https://github.com/PeterMosmans/openssl), but it does not support new ciphers like CHACHA20-POLY1305. So the right solution is to back-port new ciphers, but that is not a trivial task.

As a workaround, I created a script to build tls-scan with new openssl-1.1.0. It supports all latest ciphers, including what you have requested. But then you loose the ability to enumerate old ciphers (e.g EXP) and SSLv2.

This is less than optimal solution, but as a workaround you may use tls-scan+openssl-1.1.0 for scanning latest ciphers and use the old tls-scan for scanning old ciphers and SSL versions. The results may be combined using json tools. Though this is a little inconvenient, this method can cover possibly all ciphers and TLS versions. If I get some time later (don't know when), I will try to combine these and provide a unified interface.

Here is the script to build new tls-scan: https://github.com/prbinu/tls-scan/blob/master/build-x86-64-openssl-1.1.0.sh

[1] https://github.com/prbinu/tls-scan/issues/4

Thank you for your help. I will test your new script soon. I do not need export-grade, SSLv2, etc. The OpenSSL1.1.0 with enable-weak-ssl-ciphers argument during installation) is just fine with me.

Just in case, can you provide me with a script that runs-tls based on my system's OpenSSL? I run OpenSSL1.1.0g with enable-weak-ssl-ciphers during installation so I can use 3DES fro example, in addition to ChaCha. If not, can you please generate a script for this (bear in mind the enable-weak please).

Can you please let me know if your new script support the following ciphers: RC4, 3DES, RSA and ChaChain addition to 1.1.0 defaults, which I faced difficulties on finding them in tls-scancustomized ciphers? I actually do not need the full 150+ tls-scan default ciphers. I need a customized list. All the ciphers I need are in OpenSSL 1.1.0g (with enable-weak ). Examples (in addition to OpenSSL 1.1.0g defaults):

AES128-SHA,
AES256-SHA,
DES-CBC3-SHA
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-RC4-SHA
ECDHE-RSA-RC4-SHA
RC4-MD5

You likely get all ciphers you need just by running the above script. If you want to change the OpenSSL version, it is easy: https://github.com/prbinu/tls-scan/blob/master/build-x86-64-openssl-1.1.0.sh#L46

To tune cipher support, that is also easy: https://github.com/prbinu/tls-scan/blob/master/build-x86-64-openssl-1.1.0.sh#L81

I will very much appreciate your help in resolving the ciphers issue with me. I edited the script to change the version to 1.1.0g. Then run it. But the compilation seems not successful Here are few lines from the end. Any suggestions?

In file included from /home/e/Downloads/ts-build-root/include/openssl/ct.h:13:0,
                 from /home/e/Downloads/ts-build-root/include/openssl/ssl.h:61,
                 from cert-parser.c:5:
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1638:45: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_client_method(void)) /* TLSv1.2 */
                                             ^
/home/e/Downloads/ts-build-root/include/openssl/opensslconf.h:78:35: note: in definition of macro ‘DECLARE_DEPRECATED’
 # define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
                                   ^
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1638:1: note: in expansion of macro ‘DEPRECATEDIN_1_1_0’
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_client_method(void)) /* TLSv1.2 */
 ^~~~~~~~~~~~~~~~~~
<builtin>: recipe for target 'cert-parser.o' failed
make: *** [cert-parser.o] Error 1

Here is the full output since it started to issue warnings. Please let me know if there is any thing you suggest:

ake[1]: Entering directory '/home/e/Downloads/ts-build-root/build/libevent-x86_64'
  CC       buffer.lo
  CC       bufferevent.lo
  CC       bufferevent_filter.lo
bufferevent_filter.c: In function ‘be_filter_ctrl’:
bufferevent_filter.c:610:6: warning: this statement may fall through [-Wimplicit-fallthrough=]
   if (bevf->underlying &&
      ^
bufferevent_filter.c:616:2: note: here
  case BEV_CTRL_GET_FD:
  ^~~~
  CC       bufferevent_pair.lo
  CC       bufferevent_ratelim.lo
  CC       bufferevent_sock.lo
  CC       event.lo
In file included from minheap-internal.h:36:0,
                 from event-internal.h:40,
                 from event.c:59:
event.c: In function ‘event_callback_activate_nolock_’:
util-internal.h:318:6: warning: this statement may fall through [-Wimplicit-fallthrough=]
   if (EVUTIL_UNLIKELY(!(cond))) {    \
      ^
event.c:2962:3: note: in expansion of macro ‘EVUTIL_ASSERT’
   EVUTIL_ASSERT(0);
   ^~~~~~~~~~~~~
event.c:2963:2: note: here
  case EVLIST_ACTIVE_LATER:
  ^~~~
  CC       evmap.lo
  CC       evthread.lo
  CC       evutil.lo
  CC       evutil_rand.lo
  CC       evutil_time.lo
  CC       listener.lo
  CC       log.lo
  CC       strlcpy.lo
  CC       select.lo
  CC       poll.lo
  CC       epoll.lo
  CC       signal.lo
  CC       evdns.lo
evdns.c: In function ‘evdns_request_transmit’:
evdns.c:2269:11: warning: this statement may fall through [-Wimplicit-fallthrough=]
   retcode = 1;
   ~~~~~~~~^~~
evdns.c:2272:2: note: here
  default:
  ^~~~~~~
  CC       event_tagging.lo
  CC       evrpc.lo
  CC       http.lo
  CCLD     libevent.la
ar: `u' modifier ignored since `D' is the default (see `U')
  CCLD     libevent_core.la
ar: `u' modifier ignored since `D' is the default (see `U')
  CCLD     libevent_extra.la
ar: `u' modifier ignored since `D' is the default (see `U')
  CC       evthread_pthread.lo
  CCLD     libevent_pthreads.la
ar: `u' modifier ignored since `D' is the default (see `U')
  CC       libevent_openssl_la-bufferevent_openssl.lo
  CCLD     libevent_openssl.la
ar: `u' modifier ignored since `D' is the default (see `U')
  CC       sample/dns-example.o
  CCLD     sample/dns-example
  CC       sample/event-read-fifo.o
  CCLD     sample/event-read-fifo
  CC       sample/hello-world.o
  CCLD     sample/hello-world
  CC       sample/http-server.o
  CCLD     sample/http-server
  CC       sample/http-connect.o
  CCLD     sample/http-connect
  CC       sample/signal-test.o
  CCLD     sample/signal-test
  CC       sample/time-test.o
  CCLD     sample/time-test
  CC       sample/le-proxy.o
  CCLD     sample/le-proxy
  CC       sample/https-client.o
  CC       sample/hostcheck.o
  CC       sample/openssl_hostname_validation.o
  CCLD     sample/https-client
  CC       test/bench.o
  CCLD     test/bench
  CC       test/bench_cascade.o
  CCLD     test/bench_cascade
  CC       test/bench_http.o
  CCLD     test/bench_http
  CC       test/bench_httpclient.o
  CCLD     test/bench_httpclient
  CC       test/test-changelist.o
  CCLD     test/test-changelist
  CC       test/test-dumpevents.o
  CCLD     test/test-dumpevents
  CC       test/test-eof.o
  CCLD     test/test-eof
  CC       test/test-closed.o
  CCLD     test/test-closed
  CC       test/test-fdleak.o
  CCLD     test/test-fdleak
  CC       test/test-init.o
  CCLD     test/test-init
  CC       test/test-ratelim.o
  CCLD     test/test-ratelim
  CC       test/test-time.o
  CCLD     test/test-time
  CC       test/test-weof.o
  CCLD     test/test-weof
  CC       test/test_regress-regress.o
  CC       test/test_regress-regress.gen.o
  CC       test/test_regress-regress_buffer.o
  CC       test/test_regress-regress_bufferevent.o
  CC       test/test_regress-regress_dns.o
  CC       test/test_regress-regress_et.o
  CC       test/test_regress-regress_finalize.o
  CC       test/test_regress-regress_http.o
  CC       test/test_regress-regress_listener.o
  CC       test/test_regress-regress_main.o
  CC       test/test_regress-regress_minheap.o
  CC       test/test_regress-regress_rpc.o
  CC       test/test_regress-regress_testutils.o
  CC       test/test_regress-regress_util.o
  CC       test/test_regress-tinytest.o
  CC       test/test_regress-regress_thread.o
  CC       test/test_regress-regress_zlib.o
  CC       test/test_regress-regress_ssl.o
  CCLD     test/regress
make[1]: Leaving directory '/home/e/Downloads/ts-build-root/build/libevent-x86_64'
make  install-am
make[1]: Entering directory '/home/e/Downloads/ts-build-root/build/libevent-x86_64'
make[2]: Entering directory '/home/e/Downloads/ts-build-root/build/libevent-x86_64'
 /bin/mkdir -p '/home/e/Downloads/ts-build-root/bin'
 /usr/bin/install -c event_rpcgen.py '/home/e/Downloads/ts-build-root/bin'
 /bin/mkdir -p '/home/e/Downloads/ts-build-root/lib'
 /bin/bash ./libtool   --mode=install /usr/bin/install -c   libevent.la libevent_core.la libevent_extra.la libevent_pthreads.la libevent_openssl.la '/home/e/Downloads/ts-build-root/lib'
libtool: install: /usr/bin/install -c .libs/libevent.lai /home/e/Downloads/ts-build-root/lib/libevent.la
libtool: install: /usr/bin/install -c .libs/libevent_core.lai /home/e/Downloads/ts-build-root/lib/libevent_core.la
libtool: install: /usr/bin/install -c .libs/libevent_extra.lai /home/e/Downloads/ts-build-root/lib/libevent_extra.la
libtool: install: /usr/bin/install -c .libs/libevent_pthreads.lai /home/e/Downloads/ts-build-root/lib/libevent_pthreads.la
libtool: install: /usr/bin/install -c .libs/libevent_openssl.lai /home/e/Downloads/ts-build-root/lib/libevent_openssl.la
libtool: install: /usr/bin/install -c .libs/libevent.a /home/e/Downloads/ts-build-root/lib/libevent.a
libtool: install: chmod 644 /home/e/Downloads/ts-build-root/lib/libevent.a
libtool: install: ranlib /home/e/Downloads/ts-build-root/lib/libevent.a
libtool: install: /usr/bin/install -c .libs/libevent_core.a /home/e/Downloads/ts-build-root/lib/libevent_core.a
libtool: install: chmod 644 /home/e/Downloads/ts-build-root/lib/libevent_core.a
libtool: install: ranlib /home/e/Downloads/ts-build-root/lib/libevent_core.a
libtool: install: /usr/bin/install -c .libs/libevent_extra.a /home/e/Downloads/ts-build-root/lib/libevent_extra.a
libtool: install: chmod 644 /home/e/Downloads/ts-build-root/lib/libevent_extra.a
libtool: install: ranlib /home/e/Downloads/ts-build-root/lib/libevent_extra.a
libtool: install: /usr/bin/install -c .libs/libevent_pthreads.a /home/e/Downloads/ts-build-root/lib/libevent_pthreads.a
libtool: install: chmod 644 /home/e/Downloads/ts-build-root/lib/libevent_pthreads.a
libtool: install: ranlib /home/e/Downloads/ts-build-root/lib/libevent_pthreads.a
libtool: install: /usr/bin/install -c .libs/libevent_openssl.a /home/e/Downloads/ts-build-root/lib/libevent_openssl.a
libtool: install: chmod 644 /home/e/Downloads/ts-build-root/lib/libevent_openssl.a
libtool: install: ranlib /home/e/Downloads/ts-build-root/lib/libevent_openssl.a
libtool: warning: remember to run 'libtool --finish /usr/local/lib'
 /bin/mkdir -p '/home/e/Downloads/ts-build-root/include'
 /usr/bin/install -c -m 644 include/evdns.h include/event.h include/evhttp.h include/evrpc.h include/evutil.h '/home/e/Downloads/ts-build-root/include'
 /bin/mkdir -p '/home/e/Downloads/ts-build-root/include/event2'
 /usr/bin/install -c -m 644 include/event2/buffer.h include/event2/buffer_compat.h include/event2/bufferevent.h include/event2/bufferevent_compat.h include/event2/bufferevent_ssl.h include/event2/bufferevent_struct.h include/event2/dns.h include/event2/dns_compat.h include/event2/dns_struct.h include/event2/event.h include/event2/event_compat.h include/event2/event_struct.h include/event2/http.h include/event2/http_compat.h include/event2/http_struct.h include/event2/keyvalq_struct.h include/event2/listener.h include/event2/rpc.h include/event2/rpc_compat.h include/event2/rpc_struct.h include/event2/tag.h include/event2/tag_compat.h include/event2/thread.h include/event2/util.h include/event2/visibility.h '/home/e/Downloads/ts-build-root/include/event2'
 /bin/mkdir -p '/home/e/Downloads/ts-build-root/include/event2'
 /usr/bin/install -c -m 644 include/event2/event-config.h '/home/e/Downloads/ts-build-root/include/event2'
 /bin/mkdir -p '/home/e/Downloads/ts-build-root/lib/pkgconfig'
 /usr/bin/install -c -m 644 libevent.pc libevent_core.pc libevent_extra.pc libevent_pthreads.pc libevent_openssl.pc '/home/e/Downloads/ts-build-root/lib/pkgconfig'
make[2]: Leaving directory '/home/e/Downloads/ts-build-root/build/libevent-x86_64'
make[1]: Leaving directory '/home/e/Downloads/ts-build-root/build/libevent-x86_64'
Archive:  /home/e/Downloads/ts-build-root/downloads/master.zip
fa04c0eba14a2033df115bd22c0285d1c4c3c5a8
   creating: tls-scan-master/
  inflating: tls-scan-master/.travis.yml  
  inflating: tls-scan-master/Dockerfile  
  inflating: tls-scan-master/LICENSE.txt  
  inflating: tls-scan-master/Makefile  
  inflating: tls-scan-master/README.md  
  inflating: tls-scan-master/_config.yml  
  inflating: tls-scan-master/build-x86-64.sh  
  inflating: tls-scan-master/ca-bundle.crt  
  inflating: tls-scan-master/cert-parser.c  
  inflating: tls-scan-master/common.c  
   creating: tls-scan-master/include/
  inflating: tls-scan-master/include/cert-parser.h  
  inflating: tls-scan-master/include/common.h  
  inflating: tls-scan-master/include/proto-adapters.h  
  inflating: tls-scan-master/main.c  
   creating: tls-scan-master/man/
  inflating: tls-scan-master/man/tls-scan  
  inflating: tls-scan-master/proto-adapters.c  
TS_DEPDIR path: /home/e/Downloads/ts-build-root
PREFIX (install) path: /usr/local
gcc -I./include -I /home/e/Downloads/ts-build-root/include -Wall -Wundef -Wshadow -Wunreachable-code -Wswitch-default -Wcast-align -pedantic -g -std=c99 -Wl,-rpath,/home/e/Downloads/ts-build-root/lib -D_GNU_SOURCE   -c -o cert-parser.o cert-parser.c
cert-parser.c: In function ‘get_signature_algorithm’:
cert-parser.c:123:35: error: dereferencing pointer to incomplete type ‘X509 {aka const struct x509_st}’
   int sig_nid = OBJ_obj2nid((cert)->sig_alg->algorithm);
                                   ^~
cert-parser.c: In function ‘ts_tls_cert_parse’:
cert-parser.c:356:46: error: dereferencing pointer to incomplete type ‘SSL_SESSION {aka struct ssl_session_st}’
     tls_cert->session_lifetime_hint = session->tlsext_tick_lifetime_hint;
                                              ^~
cert-parser.c: In function ‘ts_tls_get_method’:
cert-parser.c:500:12: warning: implicit declaration of function ‘SSLv2_client_method’; did you mean ‘SSLv3_client_method’? [-Wimplicit-function-declaration]
     return SSLv2_client_method();
            ^~~~~~~~~~~~~~~~~~~
            SSLv3_client_method
cert-parser.c:500:12: warning: return makes pointer from integer without a cast [-Wint-conversion]
     return SSLv2_client_method();
            ^~~~~~~~~~~~~~~~~~~~~
cert-parser.c:502:5: warning: ‘SSLv3_client_method’ is deprecated [-Wdeprecated-declarations]
     return SSLv3_client_method();
     ^~~~~~
In file included from /home/e/Downloads/ts-build-root/include/openssl/ct.h:13:0,
                 from /home/e/Downloads/ts-build-root/include/openssl/ssl.h:61,
                 from cert-parser.c:5:
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1611:45: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *SSLv3_client_method(void)) /* SSLv3 */
                                             ^
/home/e/Downloads/ts-build-root/include/openssl/opensslconf.h:78:35: note: in definition of macro ‘DECLARE_DEPRECATED’
 # define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
                                   ^
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1611:1: note: in expansion of macro ‘DEPRECATEDIN_1_1_0’
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *SSLv3_client_method(void)) /* SSLv3 */
 ^~~~~~~~~~~~~~~~~~
cert-parser.c:504:5: warning: ‘TLSv1_client_method’ is deprecated [-Wdeprecated-declarations]
     return TLSv1_client_method();
     ^~~~~~
In file included from /home/e/Downloads/ts-build-root/include/openssl/ct.h:13:0,
                 from /home/e/Downloads/ts-build-root/include/openssl/ssl.h:61,
                 from cert-parser.c:5:
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1626:45: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_client_method(void)) /* TLSv1.0 */
                                             ^
/home/e/Downloads/ts-build-root/include/openssl/opensslconf.h:78:35: note: in definition of macro ‘DECLARE_DEPRECATED’
 # define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
                                   ^
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1626:1: note: in expansion of macro ‘DEPRECATEDIN_1_1_0’
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_client_method(void)) /* TLSv1.0 */
 ^~~~~~~~~~~~~~~~~~
cert-parser.c:506:5: warning: ‘TLSv1_1_client_method’ is deprecated [-Wdeprecated-declarations]
     return TLSv1_1_client_method();
     ^~~~~~
In file included from /home/e/Downloads/ts-build-root/include/openssl/ct.h:13:0,
                 from /home/e/Downloads/ts-build-root/include/openssl/ssl.h:61,
                 from cert-parser.c:5:
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1632:45: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_1_client_method(void)) /* TLSv1.1 */
                                             ^
/home/e/Downloads/ts-build-root/include/openssl/opensslconf.h:78:35: note: in definition of macro ‘DECLARE_DEPRECATED’
 # define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
                                   ^
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1632:1: note: in expansion of macro ‘DEPRECATEDIN_1_1_0’
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_1_client_method(void)) /* TLSv1.1 */
 ^~~~~~~~~~~~~~~~~~
cert-parser.c:508:5: warning: ‘TLSv1_2_client_method’ is deprecated [-Wdeprecated-declarations]
     return TLSv1_2_client_method();
     ^~~~~~
In file included from /home/e/Downloads/ts-build-root/include/openssl/ct.h:13:0,
                 from /home/e/Downloads/ts-build-root/include/openssl/ssl.h:61,
                 from cert-parser.c:5:
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1638:45: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_client_method(void)) /* TLSv1.2 */
                                             ^
/home/e/Downloads/ts-build-root/include/openssl/opensslconf.h:78:35: note: in definition of macro ‘DECLARE_DEPRECATED’
 # define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
                                   ^
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1638:1: note: in expansion of macro ‘DEPRECATEDIN_1_1_0’
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_client_method(void)) /* TLSv1.2 */
 ^~~~~~~~~~~~~~~~~~
<builtin>: recipe for target 'cert-parser.o' failed
make: *** [cert-parser.o] Error 1

I can fix the above error, but i think you should be good with default openssl-1.1.0i.

In case if you want to mess around, here is relevant code (#def): https://github.com/prbinu/tls-scan/commit/cabbb3011f8c4429dbc4bc15b153443287483aec#diff-949ec559c1b22eba71d722e950e5368f

Thanks. I faced similar issue wit 1.1.0i it didn’t work either. I strongly prefer 1.1.0g because I have another python script that runs on OpenSSL. If i changed the system’s OpenSSL version my default python behavior will change. For exsmple, 1.1.0i might offer TLS1.3 in its handshake by default unless I customise thongsfwhich is not the case in my python script, while I do not want this at the moment.

I tried with openssl-1.1.0g, and it worked without any issues (using build-x86-64-openssl-1.1.0.sh):

~/myroot/tmp3/ts-build-root/bin$ ./openssl
OpenSSL> version
OpenSSL 1.1.0g  2 Nov 2017

~/myroot/tmp3/ts-build-root/bin$ ls -ltr
total 7000
-rwxr-xr-x 1 vagrant vagrant 3689424 Aug 21 05:48 openssl
-rwxr-xr-x 1 vagrant vagrant    6260 Aug 21 05:48 c_rehash
-rwxr-xr-x 1 vagrant vagrant   55635 Aug 21 05:50 event_rpcgen.py
-rwxr-xr-x 1 vagrant vagrant 3411864 Aug 21 05:50 tls-scan

~/myroot/tmp3/ts-build-root/bin$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.5 LTS
Release:    16.04
Codename:   xenial

log excerpts: https://gist.github.com/prbinu/3145b2ec4b189ae00d4e5e3b5fe2cfa8

I use Ubuntu 18. Not sure if the issue is relevant to Ubuntu (see here not sure whether it is relevant to my issue) Here is the output when running the script as is (1.1.0i). I prefer 1.1.0g because other programs I need for the same project which might be tricky to tune if 1.1.0i has TLS1.3. I will appreciate your kind help as I have strict time constraints and tls-scan is the right tool for me except this issue.

make[1]: Leaving directory '/home/e/Downloads/ts-build-root/build/libevent-x86_64'
make  install-am
make[1]: Entering directory '/home/e/Downloads/ts-build-root/build/libevent-x86_64'
make[2]: Entering directory '/home/e/Downloads/ts-build-root/build/libevent-x86_64'
 /bin/mkdir -p '/home/e/Downloads/ts-build-root/bin'
 /usr/bin/install -c event_rpcgen.py '/home/e/Downloads/ts-build-root/bin'
 /bin/mkdir -p '/home/e/Downloads/ts-build-root/lib'
 /bin/bash ./libtool   --mode=install /usr/bin/install -c   libevent.la libevent_core.la libevent_extra.la libevent_pthreads.la libevent_openssl.la '/home/e/Downloads/ts-build-root/lib'
libtool: install: /usr/bin/install -c .libs/libevent.lai /home/e/Downloads/ts-build-root/lib/libevent.la
libtool: install: /usr/bin/install -c .libs/libevent_core.lai /home/e/Downloads/ts-build-root/lib/libevent_core.la
libtool: install: /usr/bin/install -c .libs/libevent_extra.lai /home/e/Downloads/ts-build-root/lib/libevent_extra.la
libtool: install: /usr/bin/install -c .libs/libevent_pthreads.lai /home/e/Downloads/ts-build-root/lib/libevent_pthreads.la
libtool: install: /usr/bin/install -c .libs/libevent_openssl.lai /home/e/Downloads/ts-build-root/lib/libevent_openssl.la
libtool: install: /usr/bin/install -c .libs/libevent.a /home/e/Downloads/ts-build-root/lib/libevent.a
libtool: install: chmod 644 /home/e/Downloads/ts-build-root/lib/libevent.a
libtool: install: ranlib /home/e/Downloads/ts-build-root/lib/libevent.a
libtool: install: /usr/bin/install -c .libs/libevent_core.a /home/e/Downloads/ts-build-root/lib/libevent_core.a
libtool: install: chmod 644 /home/e/Downloads/ts-build-root/lib/libevent_core.a
libtool: install: ranlib /home/e/Downloads/ts-build-root/lib/libevent_core.a
libtool: install: /usr/bin/install -c .libs/libevent_extra.a /home/e/Downloads/ts-build-root/lib/libevent_extra.a
libtool: install: chmod 644 /home/e/Downloads/ts-build-root/lib/libevent_extra.a
libtool: install: ranlib /home/e/Downloads/ts-build-root/lib/libevent_extra.a
libtool: install: /usr/bin/install -c .libs/libevent_pthreads.a /home/e/Downloads/ts-build-root/lib/libevent_pthreads.a
libtool: install: chmod 644 /home/e/Downloads/ts-build-root/lib/libevent_pthreads.a
libtool: install: ranlib /home/e/Downloads/ts-build-root/lib/libevent_pthreads.a
libtool: install: /usr/bin/install -c .libs/libevent_openssl.a /home/e/Downloads/ts-build-root/lib/libevent_openssl.a
libtool: install: chmod 644 /home/e/Downloads/ts-build-root/lib/libevent_openssl.a
libtool: install: ranlib /home/e/Downloads/ts-build-root/lib/libevent_openssl.a
libtool: warning: remember to run 'libtool --finish /usr/local/lib'
 /bin/mkdir -p '/home/e/Downloads/ts-build-root/include'
 /usr/bin/install -c -m 644 include/evdns.h include/event.h include/evhttp.h include/evrpc.h include/evutil.h '/home/e/Downloads/ts-build-root/include'
 /bin/mkdir -p '/home/e/Downloads/ts-build-root/include/event2'
 /usr/bin/install -c -m 644 include/event2/buffer.h include/event2/buffer_compat.h include/event2/bufferevent.h include/event2/bufferevent_compat.h include/event2/bufferevent_ssl.h include/event2/bufferevent_struct.h include/event2/dns.h include/event2/dns_compat.h include/event2/dns_struct.h include/event2/event.h include/event2/event_compat.h include/event2/event_struct.h include/event2/http.h include/event2/http_compat.h include/event2/http_struct.h include/event2/keyvalq_struct.h include/event2/listener.h include/event2/rpc.h include/event2/rpc_compat.h include/event2/rpc_struct.h include/event2/tag.h include/event2/tag_compat.h include/event2/thread.h include/event2/util.h include/event2/visibility.h '/home/e/Downloads/ts-build-root/include/event2'
 /bin/mkdir -p '/home/e/Downloads/ts-build-root/include/event2'
 /usr/bin/install -c -m 644 include/event2/event-config.h '/home/e/Downloads/ts-build-root/include/event2'
 /bin/mkdir -p '/home/e/Downloads/ts-build-root/lib/pkgconfig'
 /usr/bin/install -c -m 644 libevent.pc libevent_core.pc libevent_extra.pc libevent_pthreads.pc libevent_openssl.pc '/home/e/Downloads/ts-build-root/lib/pkgconfig'
make[2]: Leaving directory '/home/e/Downloads/ts-build-root/build/libevent-x86_64'
make[1]: Leaving directory '/home/e/Downloads/ts-build-root/build/libevent-x86_64'
Archive:  /home/e/Downloads/ts-build-root/downloads/master.zip
fa04c0eba14a2033df115bd22c0285d1c4c3c5a8
   creating: tls-scan-master/
  inflating: tls-scan-master/.travis.yml  
  inflating: tls-scan-master/Dockerfile  
  inflating: tls-scan-master/LICENSE.txt  
  inflating: tls-scan-master/Makefile  
  inflating: tls-scan-master/README.md  
  inflating: tls-scan-master/_config.yml  
  inflating: tls-scan-master/build-x86-64.sh  
  inflating: tls-scan-master/ca-bundle.crt  
  inflating: tls-scan-master/cert-parser.c  
  inflating: tls-scan-master/common.c  
   creating: tls-scan-master/include/
  inflating: tls-scan-master/include/cert-parser.h  
  inflating: tls-scan-master/include/common.h  
  inflating: tls-scan-master/include/proto-adapters.h  
  inflating: tls-scan-master/main.c  
   creating: tls-scan-master/man/
  inflating: tls-scan-master/man/tls-scan  
  inflating: tls-scan-master/proto-adapters.c  
TS_DEPDIR path: /home/e/Downloads/ts-build-root
PREFIX (install) path: /usr/local
gcc -I./include -I /home/e/Downloads/ts-build-root/include -Wall -Wundef -Wshadow -Wunreachable-code -Wswitch-default -Wcast-align -pedantic -g -std=c99 -Wl,-rpath,/home/e/Downloads/ts-build-root/lib -D_GNU_SOURCE   -c -o cert-parser.o cert-parser.c
cert-parser.c: In function ‘get_signature_algorithm’:
cert-parser.c:123:35: error: dereferencing pointer to incomplete type ‘X509 {aka const struct x509_st}’
   int sig_nid = OBJ_obj2nid((cert)->sig_alg->algorithm);
                                   ^~
cert-parser.c: In function ‘ts_tls_cert_parse’:
cert-parser.c:356:46: error: dereferencing pointer to incomplete type ‘SSL_SESSION {aka struct ssl_session_st}’
     tls_cert->session_lifetime_hint = session->tlsext_tick_lifetime_hint;
                                              ^~
cert-parser.c: In function ‘ts_tls_get_method’:
cert-parser.c:500:12: warning: implicit declaration of function ‘SSLv2_client_method’; did you mean ‘SSLv3_client_method’? [-Wimplicit-function-declaration]
     return SSLv2_client_method();
            ^~~~~~~~~~~~~~~~~~~
            SSLv3_client_method
cert-parser.c:500:12: warning: return makes pointer from integer without a cast [-Wint-conversion]
     return SSLv2_client_method();
            ^~~~~~~~~~~~~~~~~~~~~
cert-parser.c:502:5: warning: ‘SSLv3_client_method’ is deprecated [-Wdeprecated-declarations]
     return SSLv3_client_method();
     ^~~~~~
In file included from /home/e/Downloads/ts-build-root/include/openssl/e_os2.h:13:0,
                 from /home/e/Downloads/ts-build-root/include/openssl/ssl.h:45,
                 from cert-parser.c:5:
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1614:45: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *SSLv3_client_method(void)) /* SSLv3 */
                                             ^
/home/e/Downloads/ts-build-root/include/openssl/opensslconf.h:83:38: note: in definition of macro ‘DECLARE_DEPRECATED’
 #    define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
                                      ^
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1614:1: note: in expansion of macro ‘DEPRECATEDIN_1_1_0’
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *SSLv3_client_method(void)) /* SSLv3 */
 ^~~~~~~~~~~~~~~~~~
cert-parser.c:504:5: warning: ‘TLSv1_client_method’ is deprecated [-Wdeprecated-declarations]
     return TLSv1_client_method();
     ^~~~~~
In file included from /home/e/Downloads/ts-build-root/include/openssl/e_os2.h:13:0,
                 from /home/e/Downloads/ts-build-root/include/openssl/ssl.h:45,
                 from cert-parser.c:5:
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1629:45: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_client_method(void)) /* TLSv1.0 */
                                             ^
/home/e/Downloads/ts-build-root/include/openssl/opensslconf.h:83:38: note: in definition of macro ‘DECLARE_DEPRECATED’
 #    define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
                                      ^
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1629:1: note: in expansion of macro ‘DEPRECATEDIN_1_1_0’
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_client_method(void)) /* TLSv1.0 */
 ^~~~~~~~~~~~~~~~~~
cert-parser.c:506:5: warning: ‘TLSv1_1_client_method’ is deprecated [-Wdeprecated-declarations]
     return TLSv1_1_client_method();
     ^~~~~~
In file included from /home/e/Downloads/ts-build-root/include/openssl/e_os2.h:13:0,
                 from /home/e/Downloads/ts-build-root/include/openssl/ssl.h:45,
                 from cert-parser.c:5:
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1635:45: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_1_client_method(void)) /* TLSv1.1 */
                                             ^
/home/e/Downloads/ts-build-root/include/openssl/opensslconf.h:83:38: note: in definition of macro ‘DECLARE_DEPRECATED’
 #    define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
                                      ^
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1635:1: note: in expansion of macro ‘DEPRECATEDIN_1_1_0’
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_1_client_method(void)) /* TLSv1.1 */
 ^~~~~~~~~~~~~~~~~~
cert-parser.c:508:5: warning: ‘TLSv1_2_client_method’ is deprecated [-Wdeprecated-declarations]
     return TLSv1_2_client_method();
     ^~~~~~
In file included from /home/e/Downloads/ts-build-root/include/openssl/e_os2.h:13:0,
                 from /home/e/Downloads/ts-build-root/include/openssl/ssl.h:45,
                 from cert-parser.c:5:
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1641:45: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_client_method(void)) /* TLSv1.2 */
                                             ^
/home/e/Downloads/ts-build-root/include/openssl/opensslconf.h:83:38: note: in definition of macro ‘DECLARE_DEPRECATED’
 #    define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
                                      ^
/home/e/Downloads/ts-build-root/include/openssl/ssl.h:1641:1: note: in expansion of macro ‘DEPRECATEDIN_1_1_0’
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_client_method(void)) /* TLSv1.2 */
 ^~~~~~~~~~~~~~~~~~
<builtin>: recipe for target 'cert-parser.o' failed
make: *** [cert-parser.o] Error 1

Hi, I installed in clean state machine. The --ciphers argument works now but it does not allow me to add more than 10 ciphers. It does not raise an error, but just ignore my custom list and in one test it ignores additional ciphers after the 10th, in another list, it sends a list of 44 ciphers (seems the library's default). Try this cipher list, it will not send more than 10 ciphers (I inspect it using wireshark):

--ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5:DES-CBC3-SHA"

Then take the last two for example (or any thing after the 10th cipher above, and they will be sent in the client hello (ignore whether the server will accept or not): --ciphers="RC4-SHA:RC4-MD5:DES-CBC3-SHA"

Can you please clarify?

Luckily it was not a complicated issue. https://github.com/prbinu/tls-scan/commit/623ec7b63e9fa18b969e937e6323477d363ad581

Please rebuild with the new main.c.

./tls-scan -c google.com:443 --pretty --ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5:DES-CBC3-SHA" --cacert=./ca-bundle.crt  -e  --show-unsupported-ciphers

{
  "host": "google.com",
  "ip": "172.217.0.46",
  "port": 443,
  "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD",
  "tempPublicKeyAlg": "X25519",
  "tempPublicKeySize": 253,
  "secureRenego": true,
  "compression": "NONE",
  "expansion": "NONE",
  "sessionLifetimeHint": 100800,
  "cipherSuite": {
    "supported": [
      "ECDHE-ECDSA-AES128-GCM-SHA256",
      "ECDHE-RSA-AES128-GCM-SHA256",
      "ECDHE-ECDSA-CHACHA20-POLY1305",
      "ECDHE-RSA-CHACHA20-POLY1305",
      "ECDHE-ECDSA-AES256-SHA",
      "ECDHE-RSA-AES256-SHA",
      "ECDHE-ECDSA-AES128-SHA",
      "ECDHE-RSA-AES128-SHA",
      "AES128-GCM-SHA256",
      "AES256-SHA",
      "AES128-SHA",
      "DES-CBC3-SHA"
    ],
    "notSupported": [
      "DHE-RSA-AES128-GCM-SHA256",
      "DHE-RSA-CHACHA20-POLY1305",
      "DHE-RSA-AES256-SHA",
      "DHE-RSA-AES128-SHA",
      "ECDHE-ECDSA-RC4-SHA",
      "ECDHE-RSA-RC4-SHA",
      "RC4-SHA",
      "RC4-MD5"
    ]
  },
  "x509ChainDepth": 2,
  "verifyCertResult": true,
  "verifyHostResult": true,
  "ocspStapled": false,
  "certificateChain": [
  {
    "version": 3,
    "subject": "CN=*.google.com; O=Google LLC; L=Mountain View; ST=California; C=US",
    "issuer": "CN=Google Internet Authority G3; O=Google Trust Services; C=US",
    "subjectCN": "*.google.com",
    "subjectAltName": "DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.db833953.google.cn, DNS:*.g.co, DNS:*.gcp.gvt2.com, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gstaticcnapps.cn, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.metric.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.yt.be, DNS:*.ytimg.com, DNS:android.clients.google.com, DNS:android.com, DNS:developer.android.google.cn, DNS:developers.android.google.cn, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:source.android.google.cn, DNS:urchin.com, DNS:www.goo.gl, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com, DNS:yt.be",
    "signatureAlg": "sha256WithRSAEncryption",
    "notBefore": "Aug  7 18:31:57 2018 GMT",
    "notAfter": "Oct 16 18:28:00 2018 GMT",
    "expired": false,
    "serialNo": "2E:D1:A7:71:10:1B:4C:E8",
    "keyUsage": "Digital Signature critical",
    "extKeyUsage": "TLS Web Server Authentication",
    "publicKeyAlg": "ECC prime256v1",
    "publicKeySize": 256,
    "basicConstraints": "CA:FALSE critical",
    "subjectKeyIdentifier": "8E:12:3E:B2:05:91:A7:C1:D7:EC:D8:86:60:46:1C:63:27:6F:91:91",
    "sha1Fingerprint": "76:FB:50:5F:7C:81:7D:89:6B:42:14:24:43:DE:86:E7:3C:D9:85:5F"
  },  {
    "version": 3,
    "subject": "CN=Google Internet Authority G3; O=Google Trust Services; C=US",
    "issuer": "CN=GlobalSign; O=GlobalSign; OU=GlobalSign Root CA - R2",
    "subjectCN": "Google Internet Authority G3",
    "signatureAlg": "sha256WithRSAEncryption",
    "notBefore": "Jun 15 00:00:42 2017 GMT",
    "notAfter": "Dec 15 00:00:42 2021 GMT",
    "expired": false,
    "serialNo": "01:E3:A9:30:1C:FC:72:06:38:3F:9A:53:1D",
    "keyUsage": "Digital Signature, Certificate Sign, CRL Sign critical",
    "extKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication",
    "publicKeyAlg": "RSA",
    "publicKeySize": 2048,
    "basicConstraints": "CA:TRUE, pathlen:0 critical",
    "subjectKeyIdentifier": "77:C2:B8:50:9A:67:76:76:B1:2D:C2:86:D0:83:A0:7E:A6:7E:BA:4B",
    "sha1Fingerprint": "EE:AC:BD:0C:B4:52:81:95:77:91:1E:1E:62:03:DB:26:2F:84:A3:18"
  } ]
}

<|---------Scan Summary---------|>
 [10588] ciphers             : ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5:DES-CBC3-SHA: (20)
 [10588] dns-lookup          : 1
 [10588] network-error       : 8
 [10588] dns-errcount        : 0
 [10588] remote-close-error  : 0
 [10588] unknown-error       : 0
 [10588] timeout-error       : 0
 [10588] connect-error       : 0
 [10588] tls-handshake       : 1
 [10588] gross-tls-handshake : 13
 [10588] elapsed-time        : 0.171915 secs
<|------------------------------|>

Great! There are two more questions. First, are you aware of these warnings?

proto-adapters.c:203:5: note: ‘snprintf’ output between 8 and 263 bytes into a destination of size 128
     snprintf(ehlo, 128, "EHLO %s\r\n", cli->host);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

main.c:1427:53: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 4 has type ‘uint64_t {aka long unsigned int}’ [-Wformat=]
     fprintf(stderr, " [%d] elapsed-time        : %llu.%llu secs\n",
                                                  ~~~^
                                                  %lu
                                             getpid(),  et/1000000, et%1000000);
                                                        ~~~~~~~~~~
main.c:1427:58: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 5 has type ‘uint64_t {aka long unsigned int}’ [-Wformat=]
     fprintf(stderr, " [%d] elapsed-time        : %llu.%llu secs\n",
                                                       ~~~^
                                                       %lu
                                             getpid(),  et/1000000, et%1000000);
                                                                    ~~~~~~~~~~
main.c:1453:39: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘uint64_t {aka long unsigned int}’ [-Wformat=]
     fprintf(stderr, "elapsed-time: %llu.%llu secs\n", et/1000000, et%1000000);
                                    ~~~^               ~~~~~~~~~~
                                    %lu
main.c:1453:44: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 4 has type ‘uint64_t {aka long unsigned int}’ [-Wformat=]
     fprintf(stderr, "elapsed-time: %llu.%llu secs\n", et/1000000, et%1000000);
                                         ~~~^                      ~~~~~~~~~~
                                         %lu
main.c: In function ‘ts_scan_tcp_connect’:
main.c:769:24: warning: ‘%d’ directive writing between 1 and 5 bytes into a region of size between 0 and 255 [-Wformat-overflow=]
   sprintf(ip_port, "%s:%d", cli->ip, cli->port);
                        ^~
main.c:769:3: note: ‘sprintf’ output between 3 and 262 bytes into a destination of size 256
   sprintf(ip_port, "%s:%d", cli->ip, cli->port);
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The second issue, is specific to my case but you may be able to advise from your experience. I need to manually compile OpenSSL 1.1.0 from source to enable weak ciphers because I need to run another python program that needs it. Without Compiling OpenSSL1.1.0g from source and do the following steps, python link to the default OpenSSL that is shipped with Ubuntu 18 which has weak ciphers disabled. So I had to do the steps below. But I suspect they were causing tls-scan not to compile properly (because it worked in a clean device but not in the device with the compiled OpenSSL 1.1.0 from source + the steps).

The steps I follow to enable linking python with non-system OpenSSL is to: 1) install OpenSSL1.1.g from source. 2) in /etc/profile.d I create a file named: openssl.shwith this content:

# /etc/profile.d/openssl.sh
export PATH=$PATH:/usr/local/openssl/bin

3) In etc/ld.so.conf.d, I create a new file named openssl-1.1.0g.conf with this content:

# /etc/ld.so/conf.d/openssl-1.1.0g.conf
/usr/local/openssl/lib

Then restart or logoff. I am reluctant to do these steps again although I need python to link to my manually compiled OpenSSL (not the Ubuntu shipped one which has weak ciphers disabled). Even when I deleted the files, with that device tls-scan does not compile correctly and generates errors. Please advise.

I will fix it later. You may ignore those warnings for now; I do not think it can affect your tests
tls-scan depends on openssl only during build time. There is no run-time dependency for tls-scan on openssl shared libraries. That means once you build tls-scan, you may safely remove or update your openssl library, and it is not going to affect tls-scan.

$ ldd tls-scan 
    linux-vdso.so.1 =>  (0x00007ffff0a72000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f5cd68ac000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f5cd668f000)
    librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f5cd6487000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5cd60bd000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f5cd6ab0000)

In fact you may build tls-scan on one machine and safely copy it to another machine (same OS, vers). BTW, if you build tls-scan using the buid*.sh script, it actually builds all its dependency from the source (openssl, libevent etc.), and it is not dependent of any other (openssl, libevent) versions preinstalled on that box.

prbinu / tls-scan

--cipher argument does not accept chacha or RSA ciphers. #11