sewkra
commented
2 weeks ago A table mapping the OpenSSL names to the IANA names could be a solution: https://testssl.sh/openssl-iana.mapping.html
Closed sewkra closed 2 weeks ago
sewkra
commented
2 weeks ago A table mapping the OpenSSL names to the IANA names could be a solution: https://testssl.sh/openssl-iana.mapping.html
Hi everyone!
I was using this scanner with the settings below, but it didn’t seem to work for several sites, including Twitter:
./tls-scan --connect=twitter.com -a --pretty
Here’s what I got in the results:
"cipherSuite": { "supported": [ "AES-128-GCM", "AES-256-GCM", "CHACHA20-POLY1305", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA", "AES256-GCM-SHA384", "AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "AES128-GCM-SHA256", "AES128-SHA" ]
And here’s a comparison with the SSL Labs results:
1.3 (server has no preference) TLS_AES_128_GCM_SHA256 (0x1301) ECDH x25519 (eq. 3072 bits RSA) FS | 128 TLS_AES_256_GCM_SHA384 (0x1302) ECDH x25519 (eq. 3072 bits RSA) FS | 256 TLS_CHACHA20_POLY1305_SHA256 (0x1303) ECDH x25519 (eq. 3072 bits RSA) FS | 256 TLS 1.2 (suites in server-preferred order) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS | 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH x25519 (eq. 3072 bits RSA) FS WEAK | 128 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits RSA) FS | 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH x25519 (eq. 3072 bits RSA) FS WEAK | 256 TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK | 128 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK | 128 TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK | 256 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK | 256
I've noticed an issue with the CipherSuite output in this scanner. The first three ciphers (AES-128-GCM, AES-256-GCM, CHACHA20-POLY1305) are expected not to include Au and Kx details because they are TLS 1.3 ciphers, where Au=any and Kx=any apply by default. However, other ciphers, like AES128-SHA, are also being returned without Au and Kx information, which creates ambiguity around the key exchange and authentication method used.
When I compare these results with SSL Labs, the differences become even more evident, as SSL Labs provides much more detailed information on ciphers. The lack of clarity here makes it difficult to assess the security properties of certain ciphers.
Thanks for any help or insights!