Reliability of the cipher suites checking #139

Open
kylak opened this issue Jul 19, 2024 · 2 comments
@kylak
kylak commented Jul 19, 2024

Hi.

There's another issue why I believe in general the result may not be reliable: for some cipher suites you would need to provide TLS extensions or specific values in those extensions, otherwise the server won't possibly accept the ClientHello, see e.g. testssl/testssl.sh#1207 (comment)

source: testssl/testssl.sh#2526 (comment)

Did you know that? Is it automatically managed by O-Saft when checking the full range of cipher suites?
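
The dependency described in the quoted remark, as an added example (not O-Saft or testssl.sh code): a single-suite ClientHello probe only gets an answer if it carries the extensions that suite depends on. The suite lists, the group and signature-algorithm choices and all function names are assumptions made for this sketch; a real probe would normally also send SNI.

```python
import os
import struct

# Extension type numbers from the IANA TLS ExtensionType registry.
SUPPORTED_GROUPS, EC_POINT_FORMATS, SIG_ALGS = 10, 11, 13
SUPPORTED_VERSIONS, KEY_SHARE = 43, 51
TLS13_SUITES = {0x1301, 0x1302, 0x1303, 0x1304, 0x1305}
# Constructed sample: a few ECDHE suites; a real scanner needs the full list.
ECDHE_SUITES = {0xC02B, 0xC02F, 0xC013, 0xC014}

def ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def vec16(body):
    return struct.pack("!H", len(body)) + body

def extensions_for(suite):
    """Return the extensions a probe offering only this suite has to carry."""
    groups = ext(SUPPORTED_GROUPS, vec16(struct.pack("!2H", 0x001D, 0x0017)))
    sigs = ext(SIG_ALGS, vec16(struct.pack("!3H", 0x0403, 0x0804, 0x0401)))
    if suite in TLS13_SUITES:
        versions = ext(SUPPORTED_VERSIONS, b"\x02\x03\x04")  # list of one: TLS 1.3
        share = ext(KEY_SHARE, vec16(b""))  # empty: server picks a group (HelloRetryRequest)
        return versions + groups + sigs + share
    if suite in ECDHE_SUITES:
        return groups + ext(EC_POINT_FORMATS, b"\x01\x00") + sigs
    return b""  # legacy suites are sent without extensions in this sketch

def client_hello(suite):
    body = b"\x03\x03" + os.urandom(32) + b"\x00"  # legacy_version, random, empty session id
    body += vec16(struct.pack("!H", suite)) + b"\x01\x00"  # one suite, null compression
    body += vec16(extensions_for(suite))
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + vec16(handshake)  # handshake record header + payload

def extension_types(record):
    """Parse a ClientHello record back and list its extension type numbers."""
    pos = 5 + 4 + 2 + 32                                 # headers, version, random
    pos += 1 + record[pos]                               # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher suites
    pos += 1 + record[pos]                               # compression methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    types = []
    while pos < end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        types.append(ext_type)
        pos += 4 + ext_len
    return types
```
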

@EnDe
Member

EnDe commented Jul 19, 2024

Yes, we are aware of that.
This is a general issue with targets using TLS 1.3. We know about targets where our tool bails out with errors. So it depends on what exactly you mean by "reliability":

  • checking all ciphers (fuzzing), yes
  • warning the user, if something fails: yes
  • detecting all ciphers always: depends
    Currently (2024) we have not seen many targets where the tool returns errors.

Before going into details, can you please explain what you want to achieve?
Maybe consult the documentation first. If grep is not your favorite, you can query the docs in o-saft.tcl's Help window ;-)

@kylak
Author

kylak commented Jul 19, 2024

I want to achieve two things:

  1. To know the SSL/TLS protocol versions enabled on a server.
  2. To know if there are any other cipher suites authorized by the server than some that I have given it.

Yes, the doc seems to have a lot of info, I'm going to check it out.
