Updates to my SSL/TLS project

by adrian 23. February 2011 15:13

Lately I’ve been updating my little SSL/TLS project.

Sum-up:

The doc listing the (almost) all known cipher suites includes the Rabbit and HC-128 based ones(used by CyaSSL) and the NTRU cipher suites have been moved into the main table(some being implemented by CyaSSL).
To my current knowledge, the table listing the known cipher suites is the most complete and most accurate from the ones found on the web, with links to the RFCs/Draft/Extra references mentioning the cipher suites.
Note that there are active/expired drafts mentioning additional cipher suites with TBD cipher suite codes. Currently these are not included into the doc, this is on the todo list.
The doc partially attempts to list the cipher suites in relationship with their SSL/TLS protocol version usage. This is useful to determine protocol specification violations, or too strict implementations.
The doc can be accessed as a htm or docx:
http://www.carbonwind.net/TLS_Cipher_Suites_Project/tls_ssl_cipher_suites_simple_table_all.htm
http://www.carbonwind.net/TLS_Cipher_Suites_Project/tls_ssl_cipher_suites_simple_table_all.docx

The doc listing some common browsers/libraries/servers and the associated cipher suites implemented has been updated and now the following browsers were fingerprinted:
IE6 (Windows XP SP3 / Windows XP x64 SP2)
IE7 (Windows XP SP3 / Windows XP x64 SP2)
IE7 (Windows Vista SP2)
IE8 (Windows XP SP3 / Windows XP x64 SP2)
IE8 (Windows Vista SP2)
IE8 (Windows 7)
Firefox 3.6.x
Firefox 3.6.x on Fedora 14
Google Chrome 9.0.x
Opera 11.0x
Safari 5.0.x on Mac OS X 10.5.8
Safari 5.0.x on Mac OS X 10.6.6
Safari 5.0.x (Windows XP SP3 / Windows XP x64 SP2)
Safari 5.0.x (Windows Vista SP2)
Safari 5.0.x (Windows 7)
Instead of simple fingerprinting(either on server side or using Wireshark), a combination was used: the Client Hello messages were analyzed with Wireshark, and each cipher suite, under the possible protocol version, was used in an attempt to complete a SSL/TLS handshake, to assure that this cipher suite is actually usable.
For the server side, OpenSSL s_server, GnuTLS gnutls-srv, IIS versions and https://www.mikestoolbox.net/ were used.
Furthermore, if possible(if known) non-default configurations for each browser were fingerprinted, in order to fully determine the browser’s capabilities.
The doc can be accessed as a htm or docx:
http://www.carbonwind.net/TLS_Cipher_Suites_Project/tls_ssl_cipher_suites_annex_a1_main.htm
http://www.carbonwind.net/TLS_Cipher_Suites_Project/tls_ssl_cipher_suites_annex_a1_main.docx

Working on right now: build a browser cipher suites matrix.

Tags:

SSL

Comments are closed

Home | Hire me

Support this blog

Adds

Book Shelf

 

Month List