RE: Cipher suite negotiation details: available to CGI etc. scripts?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Benson,

Nice suggestion.  Looking for the easiest solution.

You win for now (better than pcap parsing!).

Thanks for the suggestion.

Regards,
--
Hugo Connery, Head of IT, DTU Environment
http://www.env.dtu.dk
________________________________________
From: Benson Margulies [bimargulies@xxxxxxxxx]
Sent: Monday, 8 October 2012 19:07
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  Cipher suite negotiation details: available to CGI etc. scripts?

On Mon, Oct 8, 2012 at 12:47 PM, Hugo Maxwell Connery <hmco@xxxxxxxxxx> wrote:
> Hi,

Why not make your very own private mod to mod_ssl to support your
research, and then consider offering it as a patch later?


>
> The reasons for my request are detailed below, for those interested.
>
> I note that the Enviornment Variables available with mod_ssl provide
> excellent information about what *has been agreed* during a TLS
> negotiation.
>
> I am interested in the *details* of the negotiation being available to a script (CGI, whatever).
>
> Specifically, during a TLS negotiation:
>
> * the client proposes a collection of cipher suites (I want to know what was proposed)
> * the server responds with a selection, or says no thanks (seems to be in the Env details)
> * the server is configured (mod_ssl) with the SSLCipherSuite directive.  (this I also want to know).
>
> I have full control of the web server, so I can easily cut/paste part 3 (but thats not nice).
>
> Please let me know if tools/mods/non-standard releases exist such that this
> detailed TLS negotiation data can be made available to a script, such that it can
> then be delivered to the client (or written by the server).
>
> == Why ==
>
> I've begun a process with a Professor in Crypto, and a local CERT with the
> base objective being taking all the confusion out of configuring TLS with a
> reference to current threats on ciphers as implemented in current major web servers
> (c.f. BEAST etc.).
>
> Configuring secure (current threat aware) cypto should not be as cryptic (pun very deliberate) as it is.
>
> A  "yes, look here" response to the above request will result in the following
> useful tools:
>
> 1. Take whatever brower and visit a 'reference' (apache) web-site.  It tells you
> its SSLCipherSuite config, what suites you asked for, and what was agreed (or no agreement).
>
> 2. With that, a script (whatever) to launch a bunch of browsers at the site to
> then obtain a record of what will happen with the chosen browsers
>
> 3. Run the above in reverse: you supply the newly configured site's URL and it is
> visisted by a bunch of chosen browsers and you learn what suite (if any) was selected.
>
> Thats the idea.  Please assist in exposing the contents of the TLS negotiation.
>
> This is not about DDOS, but about publicising the innards of the TLS negotiation
> of numerous current browsers against web server cipher suite config.
>
> Thanks in advance to any who respond.
>
> Regards,
> --
> Hugo Connery, Head of IT, DTU Environment
> http://www.env.dtu.dk
>
> PS: I am hoping to avoid parsing pcap files, though that may be necessary in the end.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux