httpd-users mailing list archives

From Hugo Maxwell Connery <h...@env.dtu.dk>
Subject RE: [users@httpd] Cipher suite negotiation details: available to CGI etc. scripts?
Date Mon, 08 Oct 2012 18:54:30 GMT
Hi Benson,

Nice suggestion.  Looking for the easiest solution.

You win for now (better than pcap parsing!).

Thanks for the suggestion.

Regards,
--
Hugo Connery, Head of IT, DTU Environment
http://www.env.dtu.dk
________________________________________
From: Benson Margulies [bimargulies@gmail.com]
Sent: Monday, 8 October 2012 19:07
To: users@httpd.apache.org
Subject: Re: [users@httpd] Cipher suite negotiation details: available to CGI etc. scripts?

On Mon, Oct 8, 2012 at 12:47 PM, Hugo Maxwell Connery <hmco@env.dtu.dk> wrote:
> Hi,

Why not make your very own private mod to mod_ssl to support your
research, and then consider offering it as a patch later?


>
> The reasons for my request are detailed below, for those interested.
>
> I note that the Environment Variables available with mod_ssl provide
> excellent information about what *has been agreed* during a TLS
> negotiation.
>
> I am interested in the *details* of the negotiation being available to a script (CGI, whatever).
>
> Specifically, during a TLS negotiation:
>
> * the client proposes a collection of cipher suites (I want to know what was proposed)
> * the server responds with a selection, or says no thanks (seems to be in the Env details)
> * the server is configured (mod_ssl) with the SSLCipherSuite directive.  (this I also want to know).
>
> I have full control of the web server, so I can easily cut/paste part 3 (but that's not nice).
>
> Please let me know if tools/mods/non-standard releases exist such that this
> detailed TLS negotiation data can be made available to a script, such that it can
> then be delivered to the client (or written by the server).
>
> == Why ==
>
> I've begun a process with a Professor in Crypto, and a local CERT with the
> base objective being taking all the confusion out of configuring TLS with a
> reference to current threats on ciphers as implemented in current major web servers
> (c.f. BEAST etc.).
>
> Configuring secure (current threat aware) crypto should not be as cryptic (pun very deliberate) as it is.
>
> A  "yes, look here" response to the above request will result in the following
> useful tools:
>
> 1. Take whatever browser and visit a 'reference' (apache) web-site.  It tells you
> its SSLCipherSuite config, what suites you asked for, and what was agreed (or no agreement).
>
> 2. With that, a script (whatever) to launch a bunch of browsers at the site to
> then obtain a record of what will happen with the chosen browsers
>
> 3. Run the above in reverse: you supply the newly configured site's URL and it is
> visited by a bunch of chosen browsers and you learn what suite (if any) was selected.
>
> That's the idea.  Please assist in exposing the contents of the TLS negotiation.
>
> This is not about DDOS, but about publicising the innards of the TLS negotiation
> of numerous current browsers against web server cipher suite config.
>
> Thanks in advance to any who respond.
>
> Regards,
> --
> Hugo Connery, Head of IT, DTU Environment
> http://www.env.dtu.dk
>
> PS: I am hoping to avoid parsing pcap files, though that may be necessary in the end.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>





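The one piece of the negotiation the thread wants that mod_ssl's environment variables do not expose is the client's *proposal* (SSL_CIPHER reports only the agreed suite). The following is an added example, not code from the thread or from httpd: it pulls the offered cipher suite codes out of a raw TLS ClientHello record, assuming the record has been captured as bytes by whatever means, and includes a constructed ClientHello builder so it runs offline.

```python
# Added example: extract the cipher suites a client offered from a raw TLS
# ClientHello record (TLS record framing, not the SSLv2-style hello).
import struct

# A few IANA-registered suite codes (constructed lookup table, not exhaustive).
SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

def parse_client_hello_suites(record: bytes) -> list[int]:
    """Return the cipher suite codes offered in a TLS ClientHello record."""
    # TLS record header: content type(1) version(2) length(2); 22 = handshake
    if len(record) < 5 or record[0] != 22:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    # Handshake header: msg type(1) length(3); 1 = ClientHello
    if len(hs) < 4 or hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                         # skip client_version and random
    pos += 1 + body[pos]                 # skip session_id (1-byte length)
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]

def describe_suites(codes: list[int]) -> list[str]:
    """Map suite codes to names, flagging CBC-mode suites (the kind BEAST concerns)."""
    out = []
    for c in codes:
        name = SUITE_NAMES.get(c, "UNKNOWN_0x%04X" % c)
        out.append(name + (" [CBC]" if "_CBC_" in name else ""))
    return out

def build_client_hello(suites: list[int]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (no extensions) for testing."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32)      # client_version, random (zeros)
            + b"\x00"                    # empty session_id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00")               # compression_methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feeding the parser the raw record of a real browser's ClientHello gives item 1 of the proposed tool (what the browser asked for); the agreed suite still comes from SSL_CIPHER and the server's configuration from SSLCipherSuite.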