[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Chicken-users] OpenSSL egg option defaults poll
|
From: |
Andy Bennett |
|
Subject: |
Re: [Chicken-users] OpenSSL egg option defaults poll |
|
Date: |
Sun, 23 Nov 2014 14:00:44 +0000 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.8.1 |
Hi,
>>> I'd be glad if some of you could test this out and tell me what you
>>> think about it
>>
>> Can you give some tips for how to test this from a spiffy applications?
>> I usually just pass in ssl-accept instead of tcp-accept.
>> [...]
>
> Hello,
>
> actually I have very little experience with spiffy, but if it can use
> ssl-accept, it must use ssl-listen somewhere and that's the point that
> would need to be adapted.
>
> Judging by Spiffy's documentation in the Wiki you could do something
> like this:
>
> (define ear
> (ssl-listen*
> hostname: "localhost" port: 44344
> certificate: "my-server-cert.pem"
> private-key: "my-server-key.pem"))
> (accept-loop ear ssl-accept)
>
> Beware, this snippet of code is completely untested!
I've just tried this.
I have openssl 1.0.1e-2+deb7u13 on my localhost
With ssl-listen:
$ nmap --script ssl-enum-ciphers -sV -p 8080 127.0.0.1
-----
| ssl-enum-ciphers:
| SSLv3
| Ciphers (9)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_DES_CBC_SHA - unknown strength
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - unknown strength
| Compressors (1)
| NULL
| TLSv1.0
| Ciphers (9)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_DES_CBC_SHA - unknown strength
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - unknown strength
| Compressors (1)
| NULL
| TLSv1.1
| Ciphers (9)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_DES_CBC_SHA - unknown strength
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - unknown strength
| Compressors (1)
| NULL
| TLSv1.2
| Ciphers (13)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
| TLS_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_DES_CBC_SHA - unknown strength
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - unknown strength
| Compressors (1)
| NULL
|_ Least strength = unknown strength
-----
With ssl-listen*:
-----
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
| TLS_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
| TLS_RSA_WITH_DES_CBC_SHA - unknown strength
| TLS_RSA_WITH_RC4_128_MD5 - unknown strength
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - unknown strength
| Compressors (1)
| NULL
|_ Least strength = unknown strength
-----
I'm not sure I entirely trust nmap as other the openssl tool shows that
zlib compression is negotiated when using either ssl-listen or ssl-listen*
ssl-listen:
-----
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID:
ADB914DDE44B74FABB090BFAA419BCE65B3969B5C1CA1981007B43E4DFEE21BE
Session-ID-ctx:
Master-Key:
F148213C9B6AA23159CFD29129833A3DBB283B611B6234636B3F5F355FB5BA06C9BB740B4408ADF2B404817BCE24F27C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 48 89 c5 a7 75 7f 03 c9-a3 1a 9d fd 61 5c 4e 8d
H...u.......a\N.
0010 - 4a c2 fc 3a 9a 24 a4 f7-4c 24 dc cc 81 7c 09 ae
J..:.$..L$...|..
0020 - 1e d5 a6 50 fc 92 bd 71-c5 42 83 7f c4 d9 46 58
...P...q.B....FX
0030 - b4 39 48 8c af 79 c1 c0-fa cf c4 d8 23 a1 f9 69
.9H..y......#..i
0040 - b6 b1 5f 5b ab 44 45 80-bf 2d 57 27 72 82 97 0f
.._[.DE..-W'r...
0050 - c7 cb f6 ac 13 a5 bc 07-51 72 98 46 ca f6 de 4f
........Qr.F...O
0060 - d9 01 b6 0f c6 a7 15 ef-1e 23 09 30 56 2d 59 e7
.........#.0V-Y.
0070 - 8a d6 1c be 35 a0 e7 95-3d fa db 9b 14 4e ab f3
....5...=....N..
0080 - 7b 6a 92 91 8b cd b7 d3-96 4b e1 80 b1 10 19 61
{j.......K.....a
0090 - 39 83 91 5c 3d 2b f5 a7-5f 03 c4 1d c1 ef 2a bc
9..\=+.._.....*.
Compression: 1 (zlib compression)
Start Time: 1416751082
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
-----
ssl-listen*:
$ openssl s_client -connect localhost:8080
-----
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID:
DE42CC49DE950270E6CD216F2A372356A4EBFD8FEDBE804DCF98EF7814AA8772
Session-ID-ctx:
Master-Key:
20A7A7025CA0E830B286375A8FF1B0852AE894027356F8D1F1D975784DF779BFF1E7915D1E3E8D392D95691D9CB33843
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - d6 49 c4 2b 88 5d 04 e4-40 28 e4 a4 65 8c cb f3
.I.+.]..@(..e...
0010 - bb 04 b8 21 e4 aa 85 7a-23 86 06 61 55 68 e2 ba
...!...z#..aUh..
0020 - bc fc 00 9d b2 df bf 56-bc b0 2a c3 f6 a4 b7 e2
.......V..*.....
0030 - 6c bf 5b 35 cc d3 81 70-37 21 1a 7f 94 55 14 92
l.[5...p7!...U..
0040 - 31 43 91 d4 4d e5 06 e3-68 a7 a2 a9 1a 15 6d 8d
1C..M...h.....m.
0050 - 53 bb a0 de 99 91 43 52-ae 17 32 e8 d5 a3 14 34
S.....CR..2....4
0060 - 59 fd 26 a8 87 f8 10 8c-a9 1a fa 11 48 97 8c 90
Y.&.........H...
0070 - 2d 8b 6e 96 32 78 44 22-a1 b3 11 1f 07 e7 28 49
-.n.2xD"......(I
0080 - a8 9f 45 09 00 2d 2b 2e-a9 a8 4f 7d 12 07 14 7b
..E..-+...O}...{
0090 - bc 3d 83 d4 90 44 01 ec-02 73 37 47 6a 33 a9 34
.=...D...s7Gj3.4
Compression: 1 (zlib compression)
Start Time: 1416750927
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
-----
Regards,
@ndy
--
address@hidden
http://www.ashurst.eu.org/
0x7EBA75FF
- Re: [Chicken-users] OpenSSL egg option defaults poll, Andy Bennett, 2014/11/22
- Re: [Chicken-users] OpenSSL egg option defaults poll, Mario Domenech Goulart, 2014/11/23
- Re: [Chicken-users] OpenSSL egg option defaults poll, Andy Bennett, 2014/11/23
- Re: [Chicken-users] OpenSSL egg option defaults poll, Andy Bennett, 2014/11/23
- Re: [Chicken-users] OpenSSL egg option defaults poll, Florian Zumbiehl, 2014/11/23
- Re: [Chicken-users] OpenSSL egg option defaults poll, Andy Bennett, 2014/11/25
- Re: [Chicken-users] OpenSSL egg option defaults poll, Andy Bennett, 2014/11/25
- Re: [Chicken-users] OpenSSL egg option defaults poll, Florian Zumbiehl, 2014/11/26
- Re: [Chicken-users] OpenSSL egg option defaults poll, Andy Bennett, 2014/11/28
- Re: [Chicken-users] OpenSSL egg option defaults poll,
Andy Bennett <=