Hi Benson,

Nice suggestion. Looking for the easiest solution. You win for now (better than pcap parsing!).

Thanks for the suggestion.

Regards,
--
Hugo Connery, Head of IT, DTU Environment
http://www.env.dtu.dk

________________________________________
From: Benson Margulies [bimargulies@xxxxxxxxx]
Sent: Monday, 8 October 2012 19:07
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Cipher suite negotiation details: available to CGI etc. scripts?

On Mon, Oct 8, 2012 at 12:47 PM, Hugo Maxwell Connery <hmco@xxxxxxxxxx> wrote:
> Hi,

Why not make your very own private mod to mod_ssl to support your research, and then consider offering it as a patch later?

>
> The reasons for my request are detailed below, for those interested.
>
> I note that the Environment Variables available with mod_ssl provide
> excellent information about what *has been agreed* during a TLS
> negotiation.
>
> I am interested in the *details* of the negotiation being available to a script (CGI, whatever).
>
> Specifically, during a TLS negotiation:
>
> * the client proposes a collection of cipher suites (I want to know what was proposed)
> * the server responds with a selection, or says no thanks (seems to be in the Env details)
> * the server is configured (mod_ssl) with the SSLCipherSuite directive. (this I also want to know).
>
> I have full control of the web server, so I can easily cut/paste part 3 (but that's not nice).
>
> Please let me know if tools/mods/non-standard releases exist such that this
> detailed TLS negotiation data can be made available to a script, such that it can
> then be delivered to the client (or written by the server).
>
> == Why ==
>
> I've begun a process with a Professor in Crypto, and a local CERT with the
> base objective being taking all the confusion out of configuring TLS with a
> reference to current threats on ciphers as implemented in current major web servers
> (c.f. BEAST etc.).
>
> Configuring secure (current threat aware) crypto should not be as cryptic (pun very deliberate) as it is.
>
> A "yes, look here" response to the above request will result in the following
> useful tools:
>
> 1. Take whatever browser and visit a 'reference' (apache) web-site. It tells you
> its SSLCipherSuite config, what suites you asked for, and what was agreed (or no agreement).
>
> 2. With that, a script (whatever) to launch a bunch of browsers at the site to
> then obtain a record of what will happen with the chosen browsers
>
> 3. Run the above in reverse: you supply the newly configured site's URL and it is
> visited by a bunch of chosen browsers and you learn what suite (if any) was selected.
>
> That's the idea. Please assist in exposing the contents of the TLS negotiation.
>
> This is not about DDOS, but about publicising the innards of the TLS negotiation
> of numerous current browsers against web server cipher suite config.
>
> Thanks in advance to any who respond.
>
> Regards,
> --
> Hugo Connery, Head of IT, DTU Environment
> http://www.env.dtu.dk
>
> PS: I am hoping to avoid parsing pcap files, though that may be necessary in the end.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
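Added example, not code from this thread, from mod_ssl or from Apache: the three pieces of data Hugo asks for (what the client proposed, what the server is configured to accept, what gets agreed) can be recovered from the raw ClientHello, which is what the pcap-parsing fallback would have to do. The block below builds a constructed TLS 1.2 ClientHello (fixed filler random, hypothetical SNI `example.test`), parses it back into the offered cipher suites and extensions, and models the server's choice as the ordered intersection of the offered list with a configured list (a simplified stand-in for SSLCipherSuite plus SSLHonorCipherOrder, not mod_ssl's actual selection logic). The cipher suite code points and names are IANA registry values; everything else (function names, sample values) is assumed for the example.

```python
import struct

# A few cipher suite code points from the IANA TLS registry, for readable output.
CIPHER_SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def _u16(buf, pos):
    """Read a big-endian uint16, refusing to run past the buffer (malformed input)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated field at offset %d" % pos)
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def build_client_hello(suites, server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not captured traffic)."""
    body = b"\x03\x03"                  # client_version: TLS 1.2
    body += b"\x11" * 32                # client random (fixed filler in this constructed sample)
    body += b"\x00"                     # session_id length 0
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"                 # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry             # ServerNameList
        ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data   # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return what the client offered: version, cipher suites, SNI and extension types."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = _u16(record, 3)
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = _u16(body, pos); pos += 2
    pos += 32                                  # skip client random
    pos += 1 + body[pos]                       # skip session id (length-prefixed)
    cs_len = _u16(body, pos); pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    offered = [_u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                       # skip compression methods (length-prefixed)
    extensions, sni = [], None
    if pos + 2 <= len(body):                   # extensions block is optional
        ext_len = _u16(body, pos); pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = _u16(body, pos), _u16(body, pos + 2); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            extensions.append(etype)
            if etype == 0x0000 and len(edata) >= 5 and edata[2] == 0:
                name_len = _u16(edata, 3)
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {
        "version": version,
        "offered": offered,
        "offered_names": [CIPHER_SUITE_NAMES.get(s, "0x%04X" % s) for s in offered],
        "sni": sni,
        "extensions": extensions,
    }


def select_suite(offered, server_allowed, honor_server_order=True):
    """Simplified model of the server's pick: first common suite, walking the server's
    list (like SSLHonorCipherOrder on) or the client's list. None means no agreement."""
    preferred, other = (server_allowed, offered) if honor_server_order else (offered, server_allowed)
    for s in preferred:
        if s in other:
            return s
    return None


if __name__ == "__main__":
    sample = build_client_hello([0xC02F, 0xC013, 0x002F], "example.test")
    info = parse_client_hello(sample)
    print("client offered:", info["offered_names"], "SNI:", info["sni"])
    server_cfg = [0xC030, 0xC013, 0xC02F]      # server's allowed suites, as code points
    chosen = select_suite(info["offered"], server_cfg)
    print("server would agree on:", CIPHER_SUITE_NAMES.get(chosen, "nothing"))
```

Fed a real ClientHello (the first TLS record of a client connection from a capture), `parse_client_hello` yields item 1 of the list above without any server-side modification; `select_suite` then shows why the same client gets a different suite depending on whether the server honours its own order.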