Closed Bug 511781 Opened 11 years ago Closed 11 years ago

Add new TLS 1.2 cipher suites implemented in Windows 7 to ssltap

Categories

(NSS :: Tools, enhancement, P2)

enhancement

Tracking

(Not tracked)

RESOLVED FIXED
3.12.5

People

(Reporter: wtc, Assigned: wtc)

Details

Attachments

(1 file)

Attached patch Proposed patchSplinter Review
The attached patch adds the new TLS 1.2 cipher suites
implemented in Windows 7 RC to ssltap.

The new cipher suites are specified in the following RFCs:

0x00003C, 0x00003D, 0x000040, 0x00006A: RFC 5246 TLS 1.2

0x00C023 - 0x00C02C: RFC 5289 TLS ECC cipher suites with
SHA-256/384 and AES GCM

signature_algorithms: RFC 5246 TLS 1.2.  See also
http://www.iana.org/assignments/tls-extensiontype-values/

TLS 1.1 and TLS 1.2 are disabled by default in Windows 7
RC.  If I enable them, ssltap with this patch shows that
Internet Explorer sends the following ClientHello message.
Note that OCSP stapling is supported:

--> [
(173 bytes of 168)
SSLRecord { [Thu Aug 20 16:20:42 2009]
   0: 16 03 03 00  a8                                     | .....
   type    = 22 (handshake)
   version = { 3,3 }
   length  = 168 (0xa8)
   handshake {
   0: 01 00 00 a4                                         | ....
      type = 1 (client_hello)
      length = 164 (0x0000a4)
         ClientHelloV3 {
            client_version = {3, 3}
            random = {...}
   0: 4a 8d da 4a  7e 63 d0 27  a9 17 28 b6  ed 27 2a bd  | J..J~c.'..(..'*.
  10: c6 29 72 e2  9c 91 8c c6  46 a5 f5 39  ea d3 db 16  | .)r.....F..9....
            session ID = {
                length = 0
                contents = {...}
            }
            cipher_suites[22] = { 
                (0x003c) TLS/RSA/AES128-CBC/SHA256
                (0x002f) TLS/RSA/AES128-CBC/SHA
                (0x003d) TLS/RSA/AES256-CBC/SHA256
                (0x0035) TLS/RSA/AES256-CBC/SHA
                (0x0005) SSL3/RSA/RC4-128/SHA
                (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0xc027) TLS/ECDHE-RSA/AES128-CBC/SHA256
                (0xc013) TLS/ECDHE-RSA/AES128-CBC/SHA
                (0xc028) TLS/ECDHE-RSA/AES256-CBC/SHA384
                (0xc014) TLS/ECDHE-RSA/AES256-CBC/SHA
                (0xc023) TLS/ECDHE-ECDSA/AES128-CBC/SHA256
                (0xc009) TLS/ECDHE-ECDSA/AES128-CBC/SHA
                (0xc024) TLS/ECDHE-ECDSA/AES256-CBC/SHA384
                (0xc00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA
                (0xc02b) TLS/ECDHE-ECDSA/AES128-GCM/SHA256
                (0xc02c) TLS/ECDHE-ECDSA/AES256-GCM/SHA384
                (0x0040) TLS/DHE-DSS/AES128-CBC/SHA256
                (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
                (0x006a) TLS/DHE-DSS/AES256-CBC/SHA256
                (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
                (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                (0x0004) SSL3/RSA/RC4-128/MD5
            }
            compression[1] = { 00 }
            extensions[79] = {
              extension type server_name, length [28] = {
              <...snipped...>
              }
              extension type status_request, length [5] = {
   0: 01 00 00 00  00                                     | .....
              }
              extension type elliptic_curves, length [8] = {
   0: 00 06 00 17  00 18 00 19                            | ........
              }
              extension type ec_point_formats, length [2] = {
   0: 01 00                                               | ..
              }
              extension type signature_algorithms, length [16] = {
   0: 00 0e 04 01  05 01 02 01  04 03 05 03  02 03 02 02  | ................
              }
            }
         }
   }
}
]
Attachment #395712 - Flags: review?(nelson)
Comment on attachment 395712 [details] [diff] [review]
Proposed patch

r=nelson
Attachment #395712 - Flags: review?(nelson) → review+
Priority: -- → P2
Target Milestone: --- → 3.12.5
Version: unspecified → trunk
I checked in the patch on the NSS trunk (NSS 3.12.5).

Checking in ssltap.c;
/cvsroot/mozilla/security/nss/cmd/ssltap/ssltap.c,v  <--  ssltap.c
new revision: 1.14; previous revision: 1.13
done
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Duplicate of this bug: 632064
You need to log in before you can comment on or make changes to this bug.