Permalink
Browse files

RFC --> IANA

The cipher suites names in the RFCs stem (mostly) from IANA, see
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

This PR corrects that in places visible to the user. For backwards
compatibility the cmd line switches still work as before, but there's
a preference to IANA. The RFC naming is labeled as to be retired
in the future.
  • Loading branch information...
drwetter committed Nov 8, 2018
1 parent 32923bb commit da233c939e654de827af15a3d6354cf6e50034ca
Showing with 41 additions and 32 deletions.
  1. +9 −6 doc/testssl.1
  2. +11 −8 doc/testssl.1.html
  3. +10 −7 doc/testssl.1.md
  4. +2 −2 openssl-rfc.mapping.html
  5. +9 −9 testssl.sh
View
@@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "TESTSSL" "1" "September 2018" "" ""
.TH "TESTSSL" "1" "November 2018" "" ""
.
.SH "NAME"
\fBtestssl\fR
@@ -318,23 +318,26 @@ Security headers (X\-Frame\-Options, X\-XSS\-Protection, \.\.\., CSP headers)
\fB\-\-wide\fR Except the "each cipher output" all tests displays the single cipher name (scheme see below)\. This option enables testssl\.sh to display also for the following sections the same output as for testing each ciphers: BEAST, PFS, RC4\. The client simulation has also a wide mode\. The difference here is restricted to a column aligned output and a proper headline\. The environment variable \fBWIDE\fR can be used instead\.
.
.P
\fB\-\-mapping <openssl|rfc|no\-openssl|no\-rfc>\fR
\fB\-\-mapping <openssl|iana|no\-openssl|no\-iana>\fR
.
.IP "\(bu" 4
\fBopenssl\fR: use the OpenSSL cipher suite name as the primary name cipher suite name form (default),
.
.IP "\(bu" 4
\fBrfc\fR: use the RFC cipher suite name as the primary name cipher suite name form\.
\fBiana\fR: use the IANA cipher suite name as the primary name cipher suite name form\.
.
.IP "\(bu" 4
\fBno\-openssl\fR: don\'t display the OpenSSL cipher suite name, display RFC names only\.
\fBno\-openssl\fR: don\'t display the OpenSSL cipher suite name, display IANA names only\.
.
.IP "\(bu" 4
\fBno\-rfc\fR: don\'t display the RFC cipher suite name, display OpenSSL names only\.
\fBno\-iana\fR: don\'t display the IANA cipher suite name, display OpenSSL names only\.
.
.IP "" 0
.
.P
Please note that in testssl\.sh 3,0 you can still use \fBrfc\fR instead of \fBiana\fR and \fBno\-rfc\fR instead of \fBno\-iana\fR but it\'ll disappear after 3\.0\.
.
.P
\fB\-\-show\-each\fR This is an option for all wide modes only: it displays all ciphers tested \-\- not only succeeded ones\. \fBSHOW_EACH_C\fR is your friend if you prefer to set this via the shell environment\.
.
.P
@@ -738,7 +741,7 @@ TLSWG Draft: The Transport Layer Security (TLS) Protocol Version 1\.3
\fBetc/*pem\fR Here are the certificate stores from Apple, Linux, Mozilla Firefox, Windows\.
.
.P
\fBetc/mapping\-rfc\.txt\fR Provides a mandatory file with mapping from OpenSSL cipher suites names to the ones from IANA / used in the RFCs\.
\fBetc/cipher\-mapping\.txt\fR Provides a mandatory file with mapping from OpenSSL cipher suites names to the ones from IANA / used in the RFCs\.
.
.P
\fBetc/tls_data\.txt\fR Provides a mandatory file for ciphers (bash sockets) and key material\.
View
@@ -334,16 +334,19 @@ <h3 id="OUTPUT-OPTIONS">OUTPUT OPTIONS</h3>
<p><code>--wide</code> Except the "each cipher output" all tests displays the single cipher name (scheme see below). This option enables testssl.sh to display also for the following sections the same output as for testing each ciphers: BEAST, PFS, RC4. The client simulation has also a wide mode. The difference here is restricted to a column aligned output and a proper headline. The environment variable <code>WIDE</code> can be used instead.</p>
<p><code>--mapping &lt;openssl|rfc|no-openssl|no-rfc></code></p>
<p><code>--mapping &lt;openssl|iana|no-openssl|no-iana></code></p>
<ul>
<li><code>openssl</code>: use the OpenSSL cipher suite name as the primary name cipher suite name form (default),</li>
<li><code>rfc</code>: use the RFC cipher suite name as the primary name cipher suite name form.</li>
<li><code>no-openssl</code>: don't display the OpenSSL cipher suite name, display RFC names only.</li>
<li><code>no-rfc</code>: don't display the RFC cipher suite name, display OpenSSL names only.</li>
<li><code>iana</code>: use the IANA cipher suite name as the primary name cipher suite name form.</li>
<li><code>no-openssl</code>: don't display the OpenSSL cipher suite name, display IANA names only.</li>
<li><code>no-iana</code>: don't display the IANA cipher suite name, display OpenSSL names only.</li>
</ul>
<p>Please note that in testssl.sh 3,0 you can still use <code>rfc</code> instead of <code>iana</code> and <code>no-rfc</code> instead of <code>no-iana</code> but it'll disappear
after 3.0.</p>
<p><code>--show-each</code> This is an option for all wide modes only: it displays all ciphers tested -- not only succeeded ones. <code>SHOW_EACH_C</code> is your friend if you prefer to set this via the shell environment.</p>
<p><code>--color &lt;0|1|2|3></code> It determines the use of colors on the screen: <code>2</code> is the default and makes use of ANSI and termcap escape codes on your terminal. <code>1</code> just uses non-colored mark-up like bold, italics, underline, reverse. <code>0</code> means no mark-up at all = no escape codes. <code>3</code> will color ciphers and EC according to an internal (not yet perfect) rating. Setting the environment variable <code>COLOR</code> achieves the same result.</p>
@@ -541,11 +544,11 @@ <h2 id="EXIT-STATUS">EXIT STATUS</h2>
<h2 id="FILES">FILES</h2>
<p><strong>etc/*pem</strong> Here are the certificate stores from Apple, Linux, Mozilla Firefox, Windows.</p>
<p><strong>etc/*pem</strong> Here are the certificate stores from Apple, Linux, Mozilla Firefox, Windows.</p>
<p><strong>etc/mapping-rfc.txt</strong> Provides a mandatory file with mapping from OpenSSL cipher suites names to the ones from IANA / used in the RFCs.</p>
<p><strong>etc/cipher-mapping.txt</strong> Provides a mandatory file with mapping from OpenSSL cipher suites names to the ones from IANA / used in the RFCs.</p>
<p><strong>etc/tls_data.txt</strong> Provides a mandatory file for ciphers (bash sockets) and key material.</p>
<p><strong>etc/tls_data.txt</strong> Provides a mandatory file for ciphers (bash sockets) and key material.</p>
<h2 id="AUTHORS">AUTHORS</h2>
@@ -571,7 +574,7 @@ <h2 id="SEE-ALSO">SEE ALSO</h2>
<ol class='man-decor man-foot man foot'>
<li class='tl'></li>
<li class='tc'>September 2018</li>
<li class='tc'>November 2018</li>
<li class='tr'>testssl(1)</li>
</ol>
View
@@ -257,12 +257,15 @@ The same can be achieved by setting the environment variable `WARNINGS`.
`--wide` Except the "each cipher output" all tests displays the single cipher name (scheme see below). This option enables testssl.sh to display also for the following sections the same output as for testing each ciphers: BEAST, PFS, RC4. The client simulation has also a wide mode. The difference here is restricted to a column aligned output and a proper headline. The environment variable `WIDE` can be used instead.
`--mapping <openssl|rfc|no-openssl|no-rfc>`
`--mapping <openssl|iana|no-openssl|no-iana>`
* `openssl`: use the OpenSSL cipher suite name as the primary name cipher suite name form (default),
* `rfc`: use the RFC cipher suite name as the primary name cipher suite name form.
* `no-openssl`: don't display the OpenSSL cipher suite name, display RFC names only.
* `no-rfc`: don't display the RFC cipher suite name, display OpenSSL names only.
* `iana`: use the IANA cipher suite name as the primary name cipher suite name form.
* `no-openssl`: don't display the OpenSSL cipher suite name, display IANA names only.
* `no-iana`: don't display the IANA cipher suite name, display OpenSSL names only.
Please note that in testssl.sh 3,0 you can still use `rfc` instead of `iana` and `no-rfc` instead of `no-iana` but it'll disappear
after 3.0.
`--show-each` This is an option for all wide modes only: it displays all ciphers tested -- not only succeeded ones. `SHOW_EACH_C` is your friend if you prefer to set this via the shell environment.
@@ -466,11 +469,11 @@ does the same on the plain text IMAP port. Please note that for plain TLS-encryp
## FILES
**etc/\*pem** Here are the certificate stores from Apple, Linux, Mozilla Firefox, Windows.
**etc/\*pem** Here are the certificate stores from Apple, Linux, Mozilla Firefox, Windows.
**etc/mapping-rfc.txt** Provides a mandatory file with mapping from OpenSSL cipher suites names to the ones from IANA / used in the RFCs.
**etc/cipher-mapping.txt** Provides a mandatory file with mapping from OpenSSL cipher suites names to the ones from IANA / used in the RFCs.
**etc/tls_data.txt** Provides a mandatory file for ciphers (bash sockets) and key material.
**etc/tls_data.txt** Provides a mandatory file for ciphers (bash sockets) and key material.
## AUTHORS
View
@@ -1,6 +1,6 @@
<html lang="en">
<head>
<title>Mapping OpenSSL cipher suite names to RFC names</title>
<title>Mapping OpenSSL cipher suite names to IANA names</title>
<meta charset="UTF-8">
</head>
<style type="text/css">
@@ -35,7 +35,7 @@
<col width="8%" />
<col width="37%" />
<thead>
<tr><th class="sticky" >Cipher Suite</th><th class="sticky"> Name (OpenSSL)</th><th class="sticky"> KeyExch. </th><th class="sticky"> Encryption </th><th class="sticky"> Bits </th><th class="sticky">Cipher Suite Name (RFC)</th></tr>
<tr><th class="sticky" >Cipher Suite</th><th class="sticky"> Name (OpenSSL)</th><th class="sticky"> KeyExch. </th><th class="sticky"> Encryption </th><th class="sticky"> Bits </th><th class="sticky">Cipher Suite Name (IANA)</th></tr>
</thead>
<tbody>
<!-- RFC 2246, RFC 4346, RFC 5246 -->
View
@@ -3184,15 +3184,15 @@ show_rfc_style(){
neat_header(){
if [[ "$DISPLAY_CIPHERNAMES" =~ rfc ]]; then
out "$(printf -- "Hexcode Cipher Suite Name (RFC) KeyExch. Encryption Bits")"
out "$(printf -- "Hexcode Cipher Suite Name (IANA/RFC) KeyExch. Encryption Bits")"
[[ "$DISPLAY_CIPHERNAMES" != "rfc-only" ]] && out "$(printf -- " Cipher Suite Name (OpenSSL)")"
outln
out "$(printf -- "%s------------------------------------------------------------------------------------------")"
[[ "$DISPLAY_CIPHERNAMES" != "rfc-only" ]] && out "$(printf -- "---------------------------------------")"
outln
else
out "$(printf -- "Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits")"
[[ "$DISPLAY_CIPHERNAMES" != "openssl-only" ]] && out "$(printf -- " Cipher Suite Name (RFC)")"
[[ "$DISPLAY_CIPHERNAMES" != "openssl-only" ]] && out "$(printf -- " Cipher Suite Name (IANA/RFC)")"
outln
out "$(printf -- "%s--------------------------------------------------------------------------")"
[[ "$DISPLAY_CIPHERNAMES" != "openssl-only" ]] && out "$(printf -- "---------------------------------------------------")"
@@ -4510,7 +4510,7 @@ run_client_simulation() {
outln
out "--------------------------------------------------------------------------"
else
out " Browser Protocol Cipher Suite Name (RFC) "
out " Browser Protocol Cipher Suite Name (IANA/RFC) "
( "$using_sockets" || "$HAS_DH_BITS") && out "Forward Secrecy"
outln
out "------------------------------------------------------------------------------------------"
@@ -15854,9 +15854,9 @@ output options (can also be preset via environment variables):
--wide wide output for tests like RC4, BEAST. PFS also with hexcode, kx, strength, RFC name
--show-each for wide outputs: display all ciphers tested -- not only succeeded ones
--mapping <openssl| openssl: use the OpenSSL cipher suite name as the primary name cipher suite name form (default)
rfc| rfc: use the RFC cipher suite name as the primary name cipher suite name form
no-openssl| no-openssl: don't display the OpenSSL cipher suite name, display RFC names only
no-rfc> no-rfc: don't display the RFC cipher suite name, display OpenSSL names only
iana|rfc -> use the IANA/(RFC) cipher suite name as the primary name cipher suite name form
no-openssl| -> don't display the OpenSSL cipher suite name, display IANA/(RFC) names only
no-iana|no-rfc> -> don't display the IANA/(RFC) cipher suite name, display OpenSSL names only
--color <0|1|2|3> 0: no escape or other codes, 1: b/w escape codes, 2: color (default), 3: extra color (color all ciphers)
--colorblind swap green and blue in the output
--debug <0-6> 1: screen output normal but keeps debug output in /tmp/. 2-6: see "grep -A 5 '^DEBUG=' testssl.sh"
@@ -17957,10 +17957,10 @@ parse_cmd_line() {
[[ $? -eq 0 ]] && shift
case "$cipher_mapping" in
no-openssl) DISPLAY_CIPHERNAMES="rfc-only" ;;
no-rfc) DISPLAY_CIPHERNAMES="openssl-only" ;;
no-rfc|no-iana) DISPLAY_CIPHERNAMES="openssl-only" ;;
openssl) DISPLAY_CIPHERNAMES="openssl" ;;
rfc) DISPLAY_CIPHERNAMES="rfc" ;;
*) tmln_warning "\nmapping can only be \"no-openssl\", \"no-rfc\", \"openssl\" or \"rfc\""
rfc|iana) DISPLAY_CIPHERNAMES="rfc" ;;
*) tmln_warning "\nmapping can only be \"no-openssl\", \"no-iana\"(\"no-rfc\"), \"openssl\" or \"iana\"(\"rfc\")"
help 1 ;;
esac
;;

0 comments on commit da233c9

Please sign in to comment.