SSL/TLS Cipher Suites Project Early Preview

This is an inroduction to something I’ve been working at for a while now.
Basically there is a large scale project aimed to analyze/fingerprint every SSL/TLS client&server&library out there(browsers, web servers, WAFs, SSL VPN servers, utilities, scanners, sniffers, etc.) in respect with the supported cipher suites.

Being a large scale project requires some time and some efforts.

The project is still in the early phases, but I come up with an auxiliary document(actually there are other auxiliary documents for this project not available yet for preview), auxiliary document still in works, quickly presenting some SSL/TLS cipher suites and SSL/TLS versions supported by a few popular products.
Lately I ran out of time a little, and I did not have time to finish this auxiliary document yet(the content is incomplete and not reviewed). There are some comments/few words added, but the wording might be kind of poor now.
However, instead of having it sitting pointless till I have time to finish it, I decided to publish it the way it is as it may prove useful for some people. Hopefully I will find some time soon to add more data to it, polish it a little bit.

For now it includes:
1. GnuTLS
1.1. GnuTLS 2.8.6 Cipher Suites
1.2. mod_gnutls 0.5.5(GnuTLS 2.8.6 + Apache 2.2.15) Cipher Suites
3. NSS(Network Security Services)
3.1. NSS 3.12.5 Cipher Suites
3.2. Firefox 3.6 Cipher Suites
3.3. Google Chrome 5 Beta on Linux Cipher Suites
3.4. mod_nss 1.0.8 Cipher Suites
4. OpenSSL
4.1. OpenSSL 0.9.8m Cipher Suites
4.2. OpenSSL 1.0.0 Cipher Suites
4.3. mod_ssl (Apache 2.2.15 + OpenSSL 0.9.8m) Cipher Suites
4.4. mod_ssl (Apache 2.3.5 Alpha + OpenSSL 1.0.0) Cipher Suites

Lately there were some new releases for the products mentioned above:
OpenSSL 0.9.8m and not 0.9.8n was analyzed.
mod_gnutls 0.5.5 was analyzed instead of 0.5.6.
NSS 3.12.5 was analyzed instead of 3.12.6.

I just quickly updated within the document OpenSSL 1.0.0 Beta 5 to the final version OpenSSL 1.0.0(some issues or whatever with SSL 2.0 cipher suites noticed with OpenSSL Beta 5 seem to be gone in the final version, “issues” previously “affecting” Apache and mod_ssl).

If you wonder how the tables present in the  auxiliary document were realized, well, a sort of a manual approach was used.
Actually most of the cipher suites on the server and client side were manually tested.
For example OpenSSL s_client, s_server, respective GnuTLS gnutls-cli and gnutls-serv were used along with the browsers(not just NSS based) and web servers, meaning using the browsers(not just NSS based) + OpenSSL s_client and GnuTLS gnutls-cli to connect to OpenSSL s_server, GnuTLS gnutls-server and the associated Apache mod.
I will come up in the future with more details about the testing and fingerprinting methodology.
Additionally, SSL Labs was used to fingerprint the web servers(kudos to Ivan Ristic). While speaking with Ivan Ristic, he informed me that he has a similar project on his mind, and we could combine our efforts in the future.
And Wireshark was used to sniff the Client Hello and note the cipher suites.

Interestingly, due to the manual approach, the project revealed all sort of bugs, from security related ones to RFC violation(not necessarily in the products mentioned above).

The published document makes reference to some “main tables”. These tables are not available yet for download and contain a lot of information regarding a specific cipher suite, like cipher suite strength(not just encryption strength, which may vary depending on the SSL/TLS version used), associated stuff with the cipher suite like encryption cipher, authentication and key exchange method, MAC, PRF(if any, depending on the SSL/TLS version), RFC/Draft mentioning the cipher suite, FIPS compliant(yes or no), along with the libraries, clients and servers supporting it and the SSL/TLS version.
The auxiliary document just extracts some of this data for some products.

Basically the document linked bellow is an Word 2007 .docx file saved as html.

You can find this document at:

Pingbacks and trackbacks (1)+

Comments are closed