Does Android 4 offer better ciphers than Android 6? #1340

Open
dilyanpalauzov opened this issue Oct 3, 2019 · 1 comment

@dilyanpalauzov
commented Oct 3, 2019

./testssl.sh autoconfig.aegee.org prints, among other things:

 Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------

 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              

meaning that ECDHE-RSA-AES256-GCM-SHA384 is better than ECDHE-RSA-AES128-GCM-SHA256. The output continues with

 Running client simulations (HTTP) via sockets 

 Android 4.4.2                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 5.0.0                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 6.0                  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 7.0                  TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Android 8.1 (native)         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Android 9.0 (native)         TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)

meaning that Android 4.4.2 supports better ciphers compared to Android 5 and Android 6.

https://www.ssllabs.com/ssltest/analyze.html?d=autoconfig.aegee.org&latest repeats this summary.

What is the explanation for better ciphers in Android 4 compared to Android 5 and Android 6?

Moreover, in xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH **256** AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 what does the **256** stand for? If this is the encryption strength, why is it replaced for this cipher sometimes with 256 bits, sometimes with 253 bits, as in

 Android 4.4.2                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 7.0                  TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
@dilyanpalauzov

commented Oct 3, 2019

There are in

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              

actually two 256 - in the column KeyExch. and in the column Bits. What does 253 stand for in

 Running client simulations (HTTP) via sockets 

 Android 4.4.2                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 7.0                  TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
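
Added example, not part of the original issue or of testssl.sh: a small Python parser for the client-simulation lines quoted above, which separates the protocol, the cipher suite (whose name carries the AES key size) and the trailing "N bit ECDH (group)" figure for the ephemeral key exchange. The function names and the line layout, taken from the output in this issue, are assumptions.

```python
import re
from collections import defaultdict

# Client-simulation lines copied from the testssl.sh output quoted in the issue.
SAMPLE = """\
 Android 4.4.2                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 5.0.0                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 6.0                  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 7.0                  TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Android 8.1 (native)         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Android 9.0 (native)         TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
"""

# Layout: client name, 2+ spaces, protocol, cipher suite, optional ", N bit KX (group)"
LINE_RE = re.compile(
    r"^\s*(?P<client>\S.*?)\s{2,}(?P<proto>(?:TLS|SSL)v[\d.]+)\s+"
    r"(?P<cipher>[A-Za-z0-9_-]+)"
    r"(?:,\s*(?P<kx_bits>\d+) bit (?P<kx>\w+)(?: \((?P<group>[^)]+)\))?)?\s*$"
)

def parse_simulations(text):
    """Return one dict per client line; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings, blank lines, results without a negotiated suite
        row = m.groupdict()
        # Symmetric key size comes from the suite name (AES256 / AES_256).
        aes = re.search(r"AES_?(\d+)", row["cipher"])
        row["sym_bits"] = int(aes.group(1)) if aes else None
        # The "N bit" figure describes the ephemeral key-exchange key.
        row["kx_bits"] = int(row["kx_bits"]) if row["kx_bits"] else None
        rows.append(row)
    return rows

def clients_by(rows, field):
    """Group client names by one parsed field, e.g. 'sym_bits' or 'group'."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[field]].append(row["client"])
    return dict(groups)

if __name__ == "__main__":
    rows = parse_simulations(SAMPLE)
    for field in ("proto", "sym_bits", "kx_bits", "group"):
        print(field, clients_by(rows, field))
```
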