Closed Bug 764365 Opened 12 years ago Closed 12 years ago

Add new TLS 1.2 cipher suites implemented in iOS 5.1.1 to ssltap

Categories

(NSS :: Tools, defect, P2)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wtc, Assigned: wtc)

Details

Attachments

(1 file)

Attached patch: Proposed patch (Splinter Review)
Safari in iOS 5.1.1 uses TLS 1.2 by default.  With the proposed
patch, ssltap can print all the cipher suites in the TLS 1.2
ClientHello sent by Safari.  I also added
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x00,0x68) and
TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x00,0x69) even though they
are not sent by Safari.

$ ssltap -sx -p 8443 www.google.com:443
Looking up "www.google.com"...
Proxy socket ready and listening
Connected to www.google.com:443
--> [
(180 bytes of 175)
SSLRecord { [Wed Jun 13 06:04:32 2012]
   0: 16 03 03 00  af                                     | .....
   type    = 22 (handshake)
   version = { 3,3 }
   length  = 175 (0xaf)
   handshake {
   0: 01 00 00 ab                                         | ....
      type = 1 (client_hello)
      length = 171 (0x0000ab)
         ClientHelloV3 {
            client_version = {3, 3}
            random = {...}
   0: 4f d8 8f e9  42 c6 8a 47  41 3a fa 65  60 a4 92 7f  | O...B..GA:.e`..⌂
  10: bc 85 3c bc  f9 23 8f e6  b3 2f 60 1c  d5 6b d0 3a  | ..<..#.../`..k.:
            session ID = {
                length = 0
                contents = {...}
            }
            cipher_suites[37] = {
                (0x00ff) TLS_EMPTY_RENEGOTIATION_INFO_SCSV
                (0xc024) TLS/ECDHE-ECDSA/AES256-CBC/SHA384
                (0xc023) TLS/ECDHE-ECDSA/AES128-CBC/SHA256
                (0xc00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA
                (0xc009) TLS/ECDHE-ECDSA/AES128-CBC/SHA
                (0xc007) TLS/ECDHE-ECDSA/RC4-128/SHA
                (0xc008) TLS/ECDHE-ECDSA/3DES-EDE-CBC/SHA
                (0xc028) TLS/ECDHE-RSA/AES256-CBC/SHA384
                (0xc027) TLS/ECDHE-RSA/AES128-CBC/SHA256
                (0xc014) TLS/ECDHE-RSA/AES256-CBC/SHA
                (0xc013) TLS/ECDHE-RSA/AES128-CBC/SHA
                (0xc011) TLS/ECDHE-RSA/RC4-128/SHA
                (0xc012) TLS/ECDHE-RSA/3DES-EDE-CBC/SHA
                (0xc026) TLS/ECDH-ECDSA/AES256-CBC/SHA384
                (0xc025) TLS/ECDH-ECDSA/AES128-CBC/SHA256
                (0xc02a) TLS/ECDH-RSA/AES256-CBC/SHA384
                (0xc029) TLS/ECDH-RSA/AES128-CBC/SHA256
                (0xc004) TLS/ECDH-ECDSA/AES128-CBC/SHA
                (0xc005) TLS/ECDH-ECDSA/AES256-CBC/SHA
                (0xc002) TLS/ECDH-ECDSA/RC4-128/SHA
                (0xc003) TLS/ECDH-ECDSA/3DES-EDE-CBC/SHA
                (0xc00e) TLS/ECDH-RSA/AES128-CBC/SHA
                (0xc00f) TLS/ECDH-RSA/AES256-CBC/SHA
                (0xc00c) TLS/ECDH-RSA/RC4-128/SHA
                (0xc00d) TLS/ECDH-RSA/3DES-EDE-CBC/SHA
                (0x003d) TLS/RSA/AES256-CBC/SHA256
                (0x003c) TLS/RSA/AES128-CBC/SHA256
                (0x002f) TLS/RSA/AES128-CBC/SHA
                (0x0005) SSL3/RSA/RC4-128/SHA
                (0x0004) SSL3/RSA/RC4-128/MD5
                (0x0035) TLS/RSA/AES256-CBC/SHA
                (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0x0067) TLS/DHE-RSA/AES128-CBC/SHA256
                (0x006b) TLS/DHE-RSA/AES256-CBC/SHA256
                (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
                (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
                (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
            }
            compression[1] = {
                (00) NULL
            }
            extensions[56] = {
              extension type server_name, length [18] = {
   0: 00 10 00 00  0d 31 39 32  2e 31 36 38  2e 31 2e 31  | .....192.168.1.1
  10: 34 31                                               | 41
              }
              extension type elliptic_curves, length [8] = {
   0: 00 06 00 17  00 18 00 19                            | ........
              }
              extension type ec_point_formats, length [2] = {
   0: 01 00                                               | ..
              }
              extension type signature_algorithms, length [12] = {
   0: 00 0a 05 01  04 01 02 01  04 03 02 03               | ............
              }
            }
         }
   }
}
]
<-- [
(1430 bytes of 93, with 1332 left over)
SSLRecord { [Wed Jun 13 06:04:32 2012]
   0: 16 03 03 00  5d                                     | ....]
   type    = 22 (handshake)
   version = { 3,3 }
   length  = 93 (0x5d)
   handshake {
   0: 02 00 00 59                                         | ...Y
      type = 2 (server_hello)
      length = 89 (0x000059)
         ServerHello {
            server_version = {3, 3}
            random = {...}
   0: 4f d8 8f e3  23 e9 2d b1  9e 24 74 70  bb 3e 14 fa  | O...#.-..$tp.>..
  10: 24 51 36 32  7a 59 dd 2c  87 fe ea 2b  d7 e7 32 5d  | $Q62zY.,...+..2]
            session ID = {
                length = 32
                contents = {...}
   0: dc 7c ba ba  3e 7a ba f7  54 fe 7d b9  d1 73 82 26  | .|..>z..T.}..s.&
  10: 3f bc e0 a0  12 61 e3 1a  c2 8b ec 49  f0 16 58 e5  | ?....a.....I..X.
            }
            cipher_suite = (0xc011) TLS/ECDHE-RSA/RC4-128/SHA
            compression method = (00) NULL
            extensions[17] = {
              extension type server_name, length [0]
              extension type renegotiation_info, length [1] = {
   0: 00                                                  | .
              }
              extension type ec_point_formats, length [4] = {
   0: 03 00 01 02                                         | ....
              }
            }
         }
   }
}
(1430 bytes, making 1332 of 1625)
]
<-- [
(517 bytes, making 1844 of 1625, with 219 left over)
SSLRecord { [Wed Jun 13 06:04:32 2012]
   0: 16 03 03 06  59                                     | ....Y
   type    = 22 (handshake)
   version = { 3,3 }
   length  = 1625 (0x659)
   handshake {
   0: 0b 00 06 55                                         | ...U
      type = 11 (certificate)
      length = 1621 (0x000655)
         CertificateChain {
            chainlength = 1618 (0x0652)
            Certificate {
               size = 805 (0x0325)
               data = { saved in file 'cert.001' }
            }
            Certificate {
               size = 807 (0x0327)
               data = { saved in file 'cert.002' }
            }
         }
   }
}
(517 bytes of 205, with 9 left over)
SSLRecord { [Wed Jun 13 06:04:32 2012]
   0: 16 03 03 00  cd                                     | .....
   type    = 22 (handshake)
   version = { 3,3 }
   length  = 205 (0xcd)
   handshake {
   0: 0c 00 00 c9                                         | ....
      type = 12 (server_key_exchange)
      length = 201 (0x0000c9)
   0: 03 00 17 41  04 75 96 d2  dc e3 90 9b  95 a1 a5 21  | ...A.u.........!
  10: 07 97 bd c3  92 61 c4 7a  bc ad 9e 1b  ff 51 31 24  | .....a.z.....Q1$
  20: 27 d1 37 a9  0b 06 40 ae  ad 24 b0 42  66 03 1d be  | '.7...@..$.Bf...
  30: 2b c2 10 d4  63 2d d3 3a  4c 40 06 dc  43 32 13 a7  | +...c-.:L@..C2..
  40: a6 65 15 1a  64 05 01 00  80 05 9b 62  be 47 ed cb  | .e..d......b.G..
  50: 3a bb a9 dd  4e 3c a0 5f  40 59 d8 39  2b bb 6e 76  | :...N<._@Y.9+.nv
  60: d4 74 cc 56  7f 4b bc d6  c6 ba 64 e1  c7 cc 84 7b  | .t.V⌂K....d....{
  70: e5 5d 63 68  be 6c ce 10  05 bb 9b fe  14 29 9a 7f  | .]ch.l.......).⌂
  80: 06 37 07 a5  3c a5 db 37  a3 61 96 c7  67 8e 40 37  | .7..<..7.a..g.@7
  90: f8 b2 6e 34  f7 87 cf fd  83 37 6f 28  4a 67 b0 79  | ..n4.....7o(Jg.y
  a0: c3 ba a0 8f  b2 7f fe fd  ca 8f 86 47  03 af ed 1c  | .....⌂.....G....
  b0: 05 05 38 dc  aa 40 a7 f9  91 7e af b1  98 36 8b fe  | ..8..@...~...6..
  c0: d9 9a 49 f6  ff 96 d7 5b  ee                        | ..I....[.
   }
}
(517 bytes of 4)
SSLRecord { [Wed Jun 13 06:04:32 2012]
   0: 16 03 03 00  04                                     | .....
   type    = 22 (handshake)
   version = { 3,3 }
   length  = 4 (0x4)
   handshake {
   0: 0e 00 00 00                                         | ....
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
Read EOF on Client socket. [Wed Jun 13 06:04:32 2012]
Read EOF on Server socket. [Wed Jun 13 06:04:32 2012]
Connection 1 Complete [Wed Jun 13 06:04:32 2012]
Attachment #632673 - Flags: review?(emaldona)
Comment on attachment 632673 [details] [diff] [review]
Proposed patch

This patch is fine, but we actually don't need it: the changes have already been applied.

Reviewing the CVS log I found
revision 1.14
date: 2009/08/21 17:10:38;  author: wtc%google.com;  state: Exp;  lines: +15 -1
Bug 511781: added new TLS 1.2 cipher suites implemented in Windows 7.
r=nelson.
Attachment #632673 - Flags: review?(emaldona) → review-
Comment on attachment 632673 [details] [diff] [review]
Proposed patch

Elio:

This patch is an addition to my previous checkin of TLS 1.2
cipher suites supported by Windows 7.  I found that iOS 5.1.1
supports some cipher suites that are not supported by Windows.
For some odd reason, when I tried applying the patch it was rejected as trying to revert previously applied changes. I tried it again on another clean system, and it now applies cleanly.
Attachment #632673 - Flags: review- → review+
Elio: thanks for testing and reviewing the patch.

Checked in on the NSS trunk (NSS 3.14).

Checking in ssltap.c;
/cvsroot/mozilla/security/nss/cmd/ssltap/ssltap.c,v  <--  ssltap.c
new revision: 1.22; previous revision: 1.21
done
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Priority: -- → P2
Resolution: --- → FIXED
