A quick look over some browsers and their SSL/TLS implementations

by adrian 10. March 2011 00:47

Here are a few observations regarding some browsers and their SSL/TLS implementations.

Browsers tested
Internet Explorer 6 on Windows XP SP3 / Windows XP x64 SP2
Internet Explorer 7 on Windows XP SP3 / Windows XP x64 SP2
Internet Explorer 7 on Windows Vista SP 2
Internet Explorer 8 on Windows XP SP3 / Windows XP x64 SP2
Internet Explorer 8 on Windows Vista SP 2
Internet Explorer 8 on Windows 7
Chrome 9.0.597.94 on Windows XP/Vista/7, Mac OS X 10.5.8/10.6.6, Ubuntu 10.02 Desktop(web version)
Firefox 3.6.13 on Windows XP/Vista/7, Mac OS X 10.5.8/10.6.6, Ubuntu 10.02 Desktop(web version)
Firefox 3.6.13 on Fedora 14(shipped version)
Firefox 3.6.14 on Red Hat Enterprise Linux Server 6.0(shipped version)
Opera 11.01 on Windows XP/Vista/7, Mac OS X 10.5.8/10.6.6
Safari 5.0.3 on Mac OS X 10.5.8
Safari 5.0.3 on Mac OS X 10.6.6
Safari 5.0.3 on Windows XP SP3 / Windows XP x64 SP2
Safari 5.0.3 on Windows Vista SP 2
Safari 5.0.3 on Windows 7

What’s below
- Platform agility
- Supported SSL/TLS versions
- Most common cipher suite
- Most common authentication/key exchange methods
- Most common symmetric encryption algorithm
- Most common hash functions
- ECC(Elliptic Curve Cryptography) support
- Common cipher suites offering ephemerality
- Most uncommon symmetric encryption algorithm
- Most uncommon hash function
- Secure renegotiation support
- SNI support
- SSL/TLS versions fallback mechanisms
- On the edge

Platform agility
Some browsers use the TLS implementation of the underlying operating system. This is the case of the Internet Explorer versions or Safari. Thus the SSL/TLS versions and cipher suites supported may vary from OS to OS for such browsers.
Firefox and Chrome use NSS meaningless of the OS. However, some Linux distros ship a Firefox version which may have disabled ECC support, like Fedora or Red Hat Enterprise Linux.
Opera uses its own TLS implementation(Presto) and is able to “preserve” the available the SSL/TLS versions and cipher suites supported meaningless of the OS.

Supported SSL/TLS versions
SSL 3.0 is supported and enabled by default on all tested browsers.
TLS 1.0 is supported and enabled by default on the most browsers from the ones tested; exception makes Internet Explorer 6 which does not enable TLS 1.0 by default.
SSL 2.0 is enabled by default only on Internet Explorer 6.
Opera does not support SSL 2.0.
Also, apparently, Safari(meaningless of the OS) does not use SSL 2.0.

TLS 1.1 and TLS 1.2 are supported by Opera and Internet Explorer 8 on Windows 7; only Opera enables them by default.

All the browsers, except Internet Explorer 6, use by default a TLS 1.0 Client Hello.
Internet Explorer 6 uses a SSL 2.0 compatible SSL 3.0 Client Hello.

Most common cipher suites
Supported under SSL 3.0, TLS 1.0 by all the tested browsers:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS _RSA_WITH_3DES_EDE_CBC_SHA

AES based cipher suites(TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA) are also supported by most of the tested browsers under TLS 1.0, exception make the browsers using Schannel(NT 5.1.2600 x32 version, the x64 version may enable support for some AES cipher suites with the help of a KB).

Most common authentication/key exchange methods
RSA for key exchange and authentication is supported under SSL 3.0, TLS 1.0 by all tested browsers.
DHE_DSS for key exchange(DHE) and authentication(DSS) is supported under SSL 3.0, TLS 1.0 by all the tested browsers; however in practice this is rarely used on the server side.

Most common symmetric encryption algorithm
Some RC4 and 3DES based cipher suites(see above) are supported by all the tested browsers under SSL 3.0 and TLS 1.0.
Some AES CBC based cipher suites(see above) are also supported by most of the tested browsers under TLS 1.0, exception make the browsers using Schannel(NT 5.1.2600 x32 version, the x64 version may enable support for some AES cipher suites with the help of a KB).
Schannel does not allow the use of AES cipher suites under SSL 3.0; NSS or Presto do.

Most common hash functions
MD5 and SHA-1 based cipher suites are supported by all the tested browsers under SSL 3.0 and TLS 1.0.
SHA256 based cipher suites are supported only by Opera and Internet Explorer 8 on Windows 7; only Opera enables them by default.

ECC(Elliptic Curve Cryptography) support
Opera, the browsers using Schannel NT 5.1.2600 and Safari on Mac OS X 10.5.8 do not provide support for ECC.
Also Firefox versions shipped with some Linux distros(Fedora, Red Hat Enterprise Linux) do not support ECC.
The rest of the tested browsers support ECC, and the three popular ECC curves:
- secp256r1(aka NIST P-256)
- secp384r1(aka NIST P-384)
- secp521r1(aka NIST P-521); this one is disabled by default on Schannel NT 6.0.6002.

Common cipher suites offering ephemerality
Some DHE_RSA based cipher suites are supported by all the tested browsers except the ones using Schannel(which does not support DHE_RSA based cipher suites).
Some DHE_DSS based cipher suites are supported by all the tested browsers.
Some ECDHE_RSA or ECDHE_ECDSA based cipher suites are also supported by some browsers; exceptions being Opera, the browsers using Schannel NT 5.1.2600 and Safari on Mac OS X 10.5.8, plus the Firefox versions shipped with some Linux distros(Fedora, Red Hat Enterprise Linux).

Most uncommon symmetric encryption algorithm
AES-GCM; only Internet Explorer 8 on Windows 7 supports AES-GCM based cipher suites.

Most uncommon hash function
SHA384; only Internet Explorer 8 on Windows 7 supports SHA384 based cipher suites.

Secure renegotiation support
Most of the tested browsers support the new secure renegotiation extension.
Support for it was not observed for Safari on Mac OS X 10.5.8 and Mac OS X 10.6.6.

SNI support
SNI is supported by all the tested browsers except the ones using Schannel NT 5.1.2600.

SSL/TLS versions fallback mechanisms
All the tested browsers tested use their own fallback mechanisms.
Opera has a sort of a probing mechanism to determine the highest TLS version supported by a server.
Notably Internet Explorer 6 fallback mechanism poses the most security risk, an attacker being able to downgrade to SSL 2.0.

On the edge
Chrome and Firefox engage in a TLS handshake with a server replying with a higher TLS version than the one advertised by them.
Opera supports and successfully negotiates SHA256 based cipher suites under TLS 1.0 and TLS 1.1(also adds them to a SSL 3.0 Client Hello).

References
http://www.carbonwind.net/TLS_Cipher_Suites_Project/tls_ssl_cipher_suites_annex_a1_main.docx

Tags:

SSL

Comments (4) -

Eddy Nigg United States
3/10/2011 2:08:01 AM #

Correction: Chrome uses NSS only on Linux, it uses Windows or Apple certificate store on those platforms.

adrian
3/10/2011 1:47:10 PM #

The way I understand it, on Windows, Chrome uses the NSS stack(note the cipher suites supported + features like False Start) + Crypto API for certificates stuff(trusted roots, OCSP).
on Mac also the NSS stack is used, for cert revok status I could play with the options from Keychain Access, if I remember correctly.

possibly related:
www.carbonwind.net/.../...OCSPCRL-in-practice.aspx
www.carbonwind.net/.../...es_simple_table_all.docx

spinkham United States
3/11/2011 3:26:28 PM #

This was true until the middle of 2010. See code.google.com/p/chromium/issues/detail?id=28744 and code.google.com/p/chromium/issues/detail?id=30689 .

Chrome switched to NSS on all platforms to be able to control the SSL features better.

SSL Certificates United States
3/10/2011 4:01:37 PM #

OMG, this is certainly a very well written post. I really appreciate your efforts putting together browsers and their SSL/TLS implementations. Thumbs up.
Thank you, ClickSSL

Comments are closed

Home | Hire me

Support this blog

Adds

Book Shelf

 

Month List