[Ach] SSLyze / GnuTLS
Michael Zeltner
m at niij.org
Fri Nov 22 01:51:10 CET 2013
On 21 Nov 18:39, Adi Kriegisch wrote:
> Yeah, GnuTLS is difficult... ;-) I want to provide a valid string for
> GnuTLS too but I'd very much appreciate help on doing so.
So here's some documentation that isn't very helpful, I found:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html
But it points to http://www.gnutls.org/manual/html_node/Priority-Strings.html
So here's one that I came up with that exim actually starts with:
tls_require_ciphers =
NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-256-CBC:+AES-128-CBC:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+COMP-NULL:-MD5
One can test what that would result in with
$ gnutls-cli --priority "$prioritylist" -l
That might be broken on wheezy (can somebody confirm?) but on Fedora it sort of
works. The results for the list above are very minimal:
TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0
TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f SSL3.0
TLS_RSA_AES_128_CBC_SHA256 0x00, 0x3c TLS1.2
Certificate types: none
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
Compression: COMP-NULL
Elliptic curves: none
PK-signatures: SIGN-RSA-SHA512, SIGN-RSA-SHA384, SIGN-RSA-SHA256,
SIGN-RSA-SHA224, SIGN-RSA-SHA1
But my output on wheezy looks different from that, listing MACs and key
exchange algorithms … Hrmrmrm. Very sceptical.
Funky bits like %SERVER_PRECEDENCE don't seem to work with exim either. It
would really help if another tool could enumerate whatever it actually offers.
I remember some shell script that uses openssl in a really inefficient way to
list ciphers - given that nothing else worked that might be an option? Pointers
welcome …
> In case you want to help out, would you want to join our meeting next
> monday?
I'm not in Vienna at the moment. I'll be back in about a month from now.
Michael
--
https://niij.org/
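The "shell script that uses openssl in a really inefficient way to list ciphers" mentioned above, written out here as an added example; it is not part of the original message and not Exim's or GnuTLS's own tooling. It assumes openssl(1) is in PATH and that the target speaks SMTP with STARTTLS on a host and port the caller supplies; the s_client transcripts it uses for an offline check of its parser are constructed, not real captures. Because it offers each OpenSSL cipher name one at a time, it can only reveal suites OpenSSL also knows, which is still enough to cross-check what a tls_require_ciphers priority string actually enables on a running Exim, independently of what gnutls-cli -l claims.

```shell
#!/bin/sh
# Added example: enumerate the cipher suites a STARTTLS SMTP server (e.g. an
# Exim built against GnuTLS) actually accepts, by offering OpenSSL's suites
# one at a time. Not from the original message; assumes openssl(1) in PATH.

# Pull the negotiated cipher name out of openssl s_client output. s_client
# prints "New, <proto>, Cipher is <name>" after a successful handshake and
# "New, (NONE), Cipher is (NONE)" when the server refused the suite, so the
# refused case yields an empty string. Reads s_client output from stdin.
negotiated_cipher() {
    sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | grep -v '^(NONE)$' | head -n 1
}

# Offer every suite OpenSSL knows, NULL-encryption suites included, to
# HOST:PORT over SMTP STARTTLS and print each one the server agrees to.
# Slow (one full connection per suite) but independent of GnuTLS's own view.
enumerate_smtp_ciphers() {
    host=$1
    port=${2:-25}
    openssl ciphers 'ALL:eNULL' | tr ':' '\n' | while read -r suite; do
        accepted=$(printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" \
                       -starttls smtp -cipher "$suite" 2>/dev/null | negotiated_cipher)
        if [ -n "$accepted" ]; then
            echo "$accepted"
        fi
    done
}

# Constructed s_client transcripts (not real captures) for checking the
# parser offline: one successful handshake, one refused suite.
sample_ok='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA'

sample_refused='CONNECTED(00000003)
SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# Only touch the network when a host was given, e.g.:
#   sh enumerate-smtp-ciphers.sh mail.example.org 25
if [ "$#" -ge 1 ]; then
    enumerate_smtp_ciphers "$@"
fi
```

The output is in OpenSSL's naming (AES256-SHA is what GnuTLS calls TLS_RSA_AES_256_CBC_SHA1), so compare it against the gnutls-cli -l listing by suite rather than by name. -starttls smtp is required because Exim's port 25 is plaintext until the client issues STARTTLS; for a submission port that wraps TLS directly, drop that option. Each refused suite costs a full TCP connection plus a failed handshake, so expect the run to take a while and to show up in the server's log.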