Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
FYI: New TLS code points #1207
It appears that two authentication-only cipher suites have been defined for TLSv1.3 (see https://mailarchive.ietf.org/arch/msg/tls/0oy4wY4xiB1tASCBDWczh2xTVMM).
In looking at the TLS Cipher Suites registry, I noticed a number of recently-added cipher suites that are not yet in etc/cipher-mapping.txt:
I haven't had a chance to review these documents, so I don't know what would be involved in adding support for them to testssl.sh. For some of them it may be enough to just add the values for etc/cipher-mapping.txt, but for others at least some additional work would be required.
Thanks, David for keeping an eye on it!
Will look into it next week. At least some ciphers need to be added to
I hadn't thought about adding the ciphers to
The changes I was thinking about were, for example, that in order to test for RFC 8492 ciphers it seems that the ClientHello needs to include a pwd_name extension and possibly a key_share extension. It may be okay that we don't know a valid user name, as the document recommends returning a ServerHello in response to an unknown name rather than terminating the connection (which would provide a way for an attacker to learn whether a user name is valid or not).
The draft-camwinget-tls-ts13-macciphersuites will require modifications to the code to "decrypt" the Server's response, but that should be very easy, since the data is not actually encrypted.
In addition to the new cipher suites mentioned above, below are some more code points that have recently been registered:
TLS Supported Groups
TLS SignatureAlgorithm (for TLSv1.2 and earlier)
TLS SignatureScheme (for TLSv1.3)
maybe we should watch the page (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml) with a cronjob or the CSV files...