Hi,

The reasons for my request are detailed below, for those interested.

I note that the Environment Variables available with mod_ssl provide excellent information about what *has been agreed* during a TLS negotiation. I am interested in the *details* of the negotiation being available to a script (CGI, whatever).

Specifically, during a TLS negotiation:

* the client proposes a collection of cipher suites (I want to know what was proposed)
* the server responds with a selection, or says no thanks (seems to be in the Env details)
* the server is configured (mod_ssl) with the SSLCipherSuite directive. (this I also want to know).

I have full control of the web server, so I can easily cut/paste part 3 (but that's not nice).

Please let me know if tools/mods/non-standard releases exist such that this detailed TLS negotiation data can be made available to a script, such that it can then be delivered to the client (or written by the server).

== Why ==

I've begun a process with a Professor in Crypto, and a local CERT with the base objective being taking all the confusion out of configuring TLS with a reference to current threats on ciphers as implemented in current major web servers (c.f. BEAST etc.). Configuring secure (current threat aware) crypto should not be as cryptic (pun very deliberate) as it is.

A "yes, look here" response to the above request will result in the following useful tools:

1. Take whatever browser and visit a 'reference' (apache) web-site. It tells you its SSLCipherSuite config, what suites you asked for, and what was agreed (or no agreement).
2. With that, a script (whatever) to launch a bunch of browsers at the site to then obtain a record of what will happen with the chosen browsers
3. Run the above in reverse: you supply the newly configured site's URL and it is visited by a bunch of chosen browsers and you learn what suite (if any) was selected.

That's the idea. Please assist in exposing the contents of the TLS negotiation.
This is not about DDOS, but about publicising the innards of the TLS negotiation of numerous current browsers against web server cipher suite config.

Thanks in advance to any who respond.

Regards,
--
Hugo Connery, Head of IT, DTU Environment
http://www.env.dtu.dk

PS: I am hoping to avoid parsing pcap files, though that may be necessary in the end.
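
An added example, not part of the original message and not mod_ssl code: if capture parsing does become necessary, this sketch shows where the client's proposed cipher suite list sits in a ClientHello and how to read it from the raw bytes of the first TLS record. The function names, the short name table and the sample record are assumptions constructed for illustration; SSLv2-compatible hellos and a ClientHello split across several records are not handled.

```python
# Added example; names and sample bytes are constructed for illustration.
SUITE_NAMES = {  # a few IANA cipher suite codes, enough for the sample below
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

def offered_cipher_suites(record):
    """Return, in client preference order, the suite codes in a ClientHello record."""
    # Record header: content type (0x16 = handshake), version (2), length (2).
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    # Handshake header: message type (0x01 = ClientHello), length (3).
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("ClientHello truncated or split across records")
    pos = 2 + 32                      # skip client_version and random
    pos += 1 + body[pos]              # skip the length-prefixed session_id
    if pos + 2 > len(body):
        raise ValueError("ClientHello ends before cipher_suites")
    n = int.from_bytes(body[pos:pos + 2], "big")
    suites = body[pos + 2:pos + 2 + n]
    if n % 2 or len(suites) != n:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(suites[i:i + 2], "big") for i in range(0, n, 2)]

def describe(codes):
    """Map suite codes to names, keeping unknown codes visible as hex."""
    return [SUITE_NAMES.get(c, "unknown 0x%04X" % c) for c in codes]

def build_sample_client_hello(suites):
    """Constructed sample: a minimal TLS 1.0 ClientHello with no extensions."""
    vec = b"".join(s.to_bytes(2, "big") for s in suites)
    body = (b"\x03\x01" + bytes(32) + b"\x00"
            + len(vec).to_bytes(2, "big") + vec + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    sample = build_sample_client_hello([0xC013, 0x002F, 0x0005, 0x00FF])
    for name in describe(offered_cipher_suites(sample)):
        print(name)
```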