httpd-users mailing list archives

From Hugo Maxwell Connery <h...@env.dtu.dk>
Subject [users@httpd] Cipher suite negotiation details: available to CGI etc. scripts?
Date Mon, 08 Oct 2012 16:47:04 GMT
Hi,

The reasons for my request are detailed below, for those interested.

I note that the Environment Variables available with mod_ssl provide
excellent information about what *has been agreed* during a TLS
negotiation.

I am interested in the *details* of the negotiation being available to a script (CGI, whatever).

Specifically, during a TLS negotiation:

* the client proposes a collection of cipher suites (I want to know what was proposed)
* the server responds with a selection, or says no thanks (seems to be in the Env details)
* the server is configured (mod_ssl) with the SSLCipherSuite directive (this I also want to know).

I have full control of the web server, so I can easily cut/paste part 3 (but that's not nice).

Please let me know if tools/mods/non-standard releases exist such that this 
detailed TLS negotiation data can be made available to a script, such that it can
then be delivered to the client (or written by the server).

== Why ==

I've begun a process with a Professor in Crypto, and a local CERT with the
base objective being taking all the confusion out of configuring TLS with a
reference to current threats on ciphers as implemented in current major web servers
(cf. BEAST etc.).

Configuring secure (current threat aware) crypto should not be as cryptic (pun very deliberate)
as it is.

A "yes, look here" response to the above request will result in the following
useful tools:

1. Take whatever browser and visit a 'reference' (apache) web-site.  It tells you
its SSLCipherSuite config, what suites you asked for, and what was agreed (or no agreement).

2. With that, a script (whatever) to launch a bunch of browsers at the site to
then obtain a record of what will happen with the chosen browsers.

3. Run the above in reverse: you supply the newly configured site's URL and it is
visited by a bunch of chosen browsers and you learn what suite (if any) was selected.

That's the idea.  Please assist in exposing the contents of the TLS negotiation.

This is not about DDoS, but about publicising the innards of the TLS negotiation
of numerous current browsers against web server cipher suite config.

Thanks in advance to any who respond.

Regards,
--
Hugo Connery, Head of IT, DTU Environment
http://www.env.dtu.dk

PS: I am hoping to avoid parsing pcap files, though that may be necessary in the end.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
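The two halves of the negotiation the post asks about, as an added example that is not part of the original message or of mod_ssl: a small parser that takes one TLS record carrying a ClientHello and lists the cipher suites the client *proposed* (the part mod_ssl's environment variables do not expose), plus a cross-check of that offer against what mod_ssl reports as *agreed* in `SSL_CIPHER` / `SSL_PROTOCOL` (real mod_ssl variable names; the values used here are constructed). The ClientHello bytes are built by `build_client_hello`, a constructed stand-in for a captured packet, and the cipher-suite name tables are a hand-picked subset of the IANA registry, enough to name the sample offer.

```python
"""Added example (not from the original post): parse a TLS ClientHello to see
which cipher suites a client proposed, then compare with what mod_ssl reports
as agreed.  All sample bytes and environment values below are constructed."""
import struct

# Subset of IANA cipher-suite identifiers, enough to name the sample offer.
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# OpenSSL names as mod_ssl puts them in SSL_CIPHER, mapped to IANA ids.
OPENSSL_TO_IANA = {"AES128-SHA": 0x002F, "AES256-SHA": 0x0035, "RC4-SHA": 0x0005,
                   "ECDHE-RSA-AES128-GCM-SHA256": 0xC02F}


class ParseError(ValueError):
    pass


def _need(buf, pos, n, what):
    """Bounds check so a malformed record raises ParseError, not IndexError."""
    if pos + n > len(buf):
        raise ParseError("truncated " + what)


def parse_client_hello(record: bytes) -> dict:
    """Extract client_version, offered suites and compression methods from one
    TLS record (content type 0x16) that carries a ClientHello (type 0x01)."""
    _need(record, 0, 5, "record header")
    ctype, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ParseError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ParseError("record length disagrees with payload")
    _need(body, 0, 4, "handshake header")
    if body[0] != 0x01:
        raise ParseError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ParseError("handshake length disagrees with payload")
    _need(hello, 0, 2 + 32 + 1, "version/random/session id")
    client_version = struct.unpack("!H", hello[:2])[0]
    pos = 34                       # 2 bytes version + 32 bytes client random
    sid_len = hello[pos]; pos += 1
    _need(hello, pos, sid_len, "session id"); pos += sid_len
    _need(hello, pos, 2, "cipher suite length")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    if cs_len % 2:
        raise ParseError("odd cipher suite length")
    _need(hello, pos, cs_len, "cipher suites")
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    _need(hello, pos, 1, "compression length")
    comp_len = hello[pos]; pos += 1
    _need(hello, pos, comp_len, "compression methods")
    comps = list(hello[pos:pos + comp_len])
    return {"record_version": rec_version, "client_version": client_version,
            "suites": suites, "compression": comps}


def suite_name(suite_id: int) -> str:
    return SUITE_NAMES.get(suite_id, "UNKNOWN_0x%04X" % suite_id)


def weak_offered(suites) -> list:
    """Offered suites a threat-aware SSLCipherSuite policy would refuse."""
    return [suite_name(s) for s in suites
            if any(t in suite_name(s) for t in ("RC4", "3DES", "NULL", "EXPORT"))]


def agreed_was_offered(env: dict, suites) -> bool:
    """Cross-check mod_ssl's SSL_CIPHER (OpenSSL naming) against the offer."""
    wanted = OPENSSL_TO_IANA.get(env.get("SSL_CIPHER", ""))
    return wanted is not None and wanted in suites


def build_client_hello(suites, client_version=0x0303) -> bytes:
    """Constructed ClientHello (all-zero random, no extensions); only used to
    produce sample input for the parser, not a real capture."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", client_version) + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs


# Constructed sample: a client offering ECDHE-GCM first and RC4 last.
SAMPLE_OFFER = [0xC02F, 0xC013, 0x002F, 0x0035, 0x0005, 0x00FF]
SAMPLE_RECORD = build_client_hello(SAMPLE_OFFER)
# Constructed stand-in for the CGI environment mod_ssl would populate.
SAMPLE_ENV = {"SSL_PROTOCOL": "TLSv1.2", "SSL_CIPHER": "ECDHE-RSA-AES128-GCM-SHA256"}

if __name__ == "__main__":
    hello = parse_client_hello(SAMPLE_RECORD)
    print("client version:", VERSION_NAMES.get(hello["client_version"]))
    for s in hello["suites"]:
        print("  proposed:", suite_name(s))
    print("weak in offer:", weak_offered(hello["suites"]))
    print("agreed (mod_ssl env):", SAMPLE_ENV["SSL_CIPHER"],
          "| offered by client:", agreed_was_offered(SAMPLE_ENV, hello["suites"]))
```

Run it as-is to see the constructed offer decoded; to use it on real traffic, feed `parse_client_hello` the first record of a captured client-to-server TLS stream (the pcap parsing the post hopes to avoid is then reduced to locating that one record). The server-side half of the comparison, `SSLCipherSuite` and the agreed `SSL_CIPHER`, still has to come from the server's configuration and mod_ssl's CGI environment.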

