[Ach] SSLyze / GnuTLS
m at niij.org
Fri Nov 22 01:51:10 CET 2013
On 21 Nov 18:39, Adi Kriegisch wrote:
> Yeah, GnuTLS is difficult... ;-) I want to provide a valid string for
> GnuTLS too but I'd very much appreciate help on doing so.
So here's some documentation that isn't very helpful, I found:
But it points to http://www.gnutls.org/manual/html_node/Priority-Strings.html
So here's one that I came up with that exim actually starts with:
One can test what that would result in with
$ gnutls-cli --priority "$prioritylist" -l
That might be broken on wheezy (can somebody confirm?) but on Fedora it sort of
works. The results for the list above are very minimal:
TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0
TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f SSL3.0
TLS_RSA_AES_128_CBC_SHA256 0x00, 0x3c TLS1.2
Certificate types: none
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
Elliptic curves: none
PK-signatures: SIGN-RSA-SHA512, SIGN-RSA-SHA384, SIGN-RSA-SHA256,
But my output on wheezy looks different from that, listing MACs and key
exchange algorithms … Hrmrmrm. Very sceptical.
Funky bits like %SERVER_PRECEDENCE don't seem to work with exim either. It
would really help if another tool could enumerate whatever it actually offers.
I remember some shell script that uses openssl in a really inefficient way to
list ciphers - given that nothing else worked that might be an option? Pointers
> In case you want to help out, would you want to join our meeting next
I'm not in Vienna at the moment. I'll be back in about a month from now.
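As an added example, not part of the original message or of GnuTLS: a small shell check over the text that `gnutls-cli --priority ... -l` prints, run here on the listing quoted in the message above. The function names `audit_listing` and `sample_listing` and the finding labels are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit the listing printed by `gnutls-cli --priority "$p" -l`.
# audit_listing and sample_listing are hypothetical names for this example.

# Reads a listing on stdin, prints one finding per line (nothing if clean).
audit_listing() {
    awk '
    # Cipher suite rows start with the suite name, e.g. TLS_RSA_AES_256_CBC_SHA1.
    /^TLS_/ {
        suites++
        # GnuTLS puts the key exchange right after "TLS_"; only ephemeral
        # (EC)DH gives forward secrecy.
        if ($1 ~ /^TLS_(DHE|ECDHE)_/) pfs++
        if ($1 ~ /_ANON_/) print "UNAUTHENTICATED " $1
        if ($1 ~ /_(ARCFOUR|3DES|DES|NULL)_/) print "WEAK-CIPHER " $1
        next
    }
    /^Protocols:/ && /VERS-SSL3\.0/ { print "LEGACY-PROTOCOL VERS-SSL3.0" }
    /^Elliptic curves: none/ { print "NO-CURVES" }
    END {
        if (suites == 0) { print "NO-SUITES"; exit }
        if (pfs == 0) print "NO-FORWARD-SECRECY none of " suites " suites use DHE/ECDHE"
    }'
}

# Sample input: the listing quoted in the message above (signature line omitted).
sample_listing() {
    cat <<'EOF'
TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0
TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f SSL3.0
TLS_RSA_AES_128_CBC_SHA256 0x00, 0x3c TLS1.2
Certificate types: none
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
Elliptic curves: none
EOF
}

sample_listing | audit_listing
```

To check a live priority string, pipe the real output in: `gnutls-cli --priority "$prioritylist" -l | audit_listing`.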