[Ach] SSLyze / GnuTLS

Michael Zeltner m at niij.org
Fri Nov 22 01:51:10 CET 2013 

On 21 Nov 18:39, Adi Kriegisch wrote:
> Yeah, GnuTLS is difficult... ;-) I want to provide a valid string for
> GnuTLS too but I'd very much apprechiate help on doing so.

So here's some documentation that isn't very helpful, I found:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html 

But it points to http://www.gnutls.org/manual/html_node/Priority-Strings.html

So here's one that I came up with that exim actually starts with:

tls_require_ciphers =
NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-256-CBC:+AES-128-CBC:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+COMP-NULL:-MD5

One can test what that would result in with

$ gnutls-cli --priority "$prioritylist" -l

That might be broken on wheezy (can somebody confirm?) but on Fedora it sort of
works. The results for the list above are very minimal:

TLS_RSA_AES_256_CBC_SHA1                            0x00, 0x35  SSL3.0
TLS_RSA_AES_256_CBC_SHA256                          0x00, 0x3d  TLS1.2
TLS_RSA_AES_128_CBC_SHA1                            0x00, 0x2f  SSL3.0
TLS_RSA_AES_128_CBC_SHA256                          0x00, 0x3c  TLS1.2

Certificate types: none
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
Compression: COMP-NULL
Elliptic curves: none
PK-signatures: SIGN-RSA-SHA512, SIGN-RSA-SHA384, SIGN-RSA-SHA256,
SIGN-RSA-SHA224, SIGN-RSA-SHA1

But my output on wheezy looks different from that, listing MACs and key
exchange algorithms … Hrmrmrm. Very sceptical.

Funky bits like %SERVER_PRECEDENCE don't seem to work with exim either. It
would really help if another tool could enumerate whatever it actually offers.
I remember some shell script that uses openssl in a really inefficient way to
list ciphers - given that nothing else worked that might be an option? Pointers
welcome …

> In case you want to help out, would you want to join our meeting next
> monday?

I'm not in Vienna at the moment. I'll be back in about a month from now.

Michael
-- 
https://niij.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.cert.at/pipermail/ach/attachments/20131121/fd5359f6/attachment.sig>

More information about the Ach mailing list