all IANA cipher suites #135

kylak opened this issue Jul 16, 2024 · 5 comments

kylak commented Jul 16, 2024

Hello, does O-Saft use all IANA cipher suites?

Thanks.

Member

EnDe commented Jul 16, 2024

Hi,

o-saft.pl ciphers -V
lib/Ciphers.pm dump

Does this answer your question?

Please keep in mind that the list of ciphers with their attributes is compiled manually.
The (current) list of IANA can be found in lib/Ciphers.pm, see @cipher_iana_recomended there.

This does not restrict testing for ciphers that are not listed (see dump above); you can always check the complete range with:
o-saft.pl demo +cipher --cipher-range=huge
or even:
o-saft.pl demo +cipher --cipher-range=full

Member

EnDe commented Jul 16, 2024

Just check the IANA list (it hasn't changed in ages). It's now possible to do:
o-saft.pl demo +cipher --cipher-range=iana
The list is now defined in lib/Ocfg.pm; I'll remove @cipher_iana_recomended ...

Am I right that your test purpose is to check if non-IANA ciphers are supported?

Author

kylak commented Jul 16, 2024

No actually, I want to test any possible cipher suite on each TLS/SSL protocol version to see which cipher suite is permitted by the server and hence which TLS/SSL protocol version is permitted as well. A brute-force technique. So the tool I need has to have all the cipher suites that could be used in a TLS/SSL communication; it therefore includes the IANA cipher suites and the non-IANA cipher suites. In total I found 376 cipher suites that could be used (but maybe I forgot some?).
hello_tls does what I want, but it only uses the IANA cipher suites and doesn't check for the SSLv2 protocol.
Do you know if O-Saft could help me reach my goal?

Member

EnDe commented Jul 16, 2024

Yes, for sure:
o-saft.pl your.tld +cipher --cipher-range=huge
or even:
o-saft.pl your.tld +cipher --cipher-range=full
The Total number ... line at end of the output will show the number of checked and accepted ciphers.

Add the --trace option and you see the complete list of cipher suite keys to be tested (be prepared for huge, huge, ... output then;-)

However, I rarely found a target which responded to ciphers not in --cipher-range=rfc (which is the default).
Please let me know, if you find other ciphers.

If you're testing targets with a proprietary SSL/TLS stack, we know of some strange and unexpected behaviours. Then you need to look at the more advanced options for --ssl-*:
o-saft.pl --help=opts | egrep ssl-
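
An added example, not part of the thread and not O-Saft's code: how a single probe in the per-protocol, per-cipher test discussed above can be framed on the wire and its reply classified. Assumptions: the function names are hypothetical, no extensions are sent, and only SSLv3 through TLS 1.2 are covered (SSLv2 uses a different hello format with 3-byte cipher specs, and TLS 1.3 needs the supported_versions extension); the sample replies are constructed.

```python
import os
import struct

def build_client_hello(version, suites):
    """One TLS record with a ClientHello offering only `suites` (16-bit IDs).

    version is (major, minor), e.g. (3, 1) for TLS 1.0 or (3, 3) for TLS 1.2.
    Assumption: no extensions are sent, so no SNI and no TLS 1.3.
    """
    body = bytes(version) + os.urandom(32)            # client_version, random
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!H", 2 * len(suites))        # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def parse_server_reply(data):
    """Classify the first record of the server's reply.

    Returns ("accepted", suite_id), ("alert", description) or ("unknown", None).
    """
    if len(data) < 5:
        return ("unknown", None)
    rtype = data[0]
    frag = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if rtype == 0x15 and len(frag) >= 2:              # alert: level, description
        return ("alert", frag[1])
    if rtype == 0x16 and len(frag) > 38 and frag[0] == 0x02:
        # ServerHello: type(1) length(3) version(2) random(32) sid_len(1) sid suite(2)
        off = 39 + frag[38]
        if len(frag) >= off + 2:
            return ("accepted", struct.unpack("!H", frag[off:off + 2])[0])
    return ("unknown", None)

# Constructed sample replies (not captured from a real server).
SAMPLE_HELLO = (b"\x16\x03\x03\x00\x2a" + b"\x02\x00\x00\x26" + b"\x03\x03"
                + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"        # fatal handshake_failure

if __name__ == "__main__":
    probe = build_client_hello((3, 3), [0x002F])
    print(len(probe), parse_server_reply(SAMPLE_HELLO), parse_server_reply(SAMPLE_ALERT))
```

Offering exactly one suite per hello is what makes the result unambiguous: a ServerHello means that suite is accepted for that protocol version, while an alert or a closed connection means it is not.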

EnDe added the question label Jul 16, 2024
Author

kylak commented Jul 16, 2024

Ok. I'm going to try that, thanks.
