New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Diffie Helmann information for each cipher suite no longer returned #331
Comments
I want to bring it back but the previous code was too difficult to maintain. |
I need this as well. Was the problem with both the C code and the Python usage of it? I ask because I'm interested in submitting a PR and was wondering if simply restoring the low-level Python extensions, and then using them in the new Python SSL client code would be a valid approach. |
The problem was that the code that was reading the DH information was using "private" APIs and data structures; hence it would only work on specific versions of OpenSSL, and it also required some heavy lifting to be done during the build process. The right way to bring the functionality back would be to find an "official"/public API to retrieve the DH info in OpenSSL 1.1.1. |
Thanks for the update! I'll try to work on this as I have time. |
A fix for this would be really appreciated. Currently I have to run all tests twice - with 1.4.1 and 2.0.1. A lot of setups have issues with DH param strength... |
Bump, because I would really appreciate this fix |
Also, the 1.1.1 manpages have some info about DH:
I'm not sure what endpoint you'll need for sslyze, but maybe you can find something useful in these search results. |
I'd also really appreciate some more information on the key exchange and the authentication used. |
Correct me if I'm wrong: If we'd check the certificate for every accepted cipher suite, then we can get the public key and information about the key exchange (and authentication) from the certificate and don't depend on OpenSSL. This would of course come with the overhead of requesting a lot more certificate chains, but this also seems to be the "correct" implementation to me. I think we would need to create a new plugin as the certificate and cipher suite plugins are currently indepent, but I just had a quick look. |
@botastic a server usually only supports one authentication algorithm- In most cases this is RSA, in some cases it is ECDSA (or much rarer DSS). If you have such a server I am really interested in seeing the results of sslyze. |
Unfortunately I don't, but it really would be interesting. Nonetheless, wouldn't it still be better to check all certificates or supply an option for it? If different certificates are allowed for different cipher suites with the same authentication method, one of them could have a weak RSA (/ECDSA/DSS) key while the other ones have perfectly fine ones. Admittedly this is rather unlikely. |
@botastic I just had someone look into it: If there are two certificates (ECDSA and RSA), only one of them is shown in the results (console or JSON output). Testssl however shows both certificates. |
we can still calculate DH information from Handshake bytes |
@FWinterborn opened some really cool pull requests for this: I ll try to get them released soon. |
I am really interested in the changes @FWinterborn made because I need them for my Bachelor Thesis project. Is there a timetable when this is going to be released? And is there something I can help you with? |
# Conflicts: # sslyze/cli/json_output.py # sslyze/plugins/openssl_cipher_suites_plugin.py
Fixed in v3.0.0. |
In version 2.0.0 the
dh_info
key for ciphers that use Diffie-Hellmann key exchange has disappeared.Are you planning to bring it back, or is it gone for good?
Example JSON from
1.4.3
:Example from
2.0.0
:The text was updated successfully, but these errors were encountered: