Bug 764365 (Closed)
Opened 12 years ago, closed 12 years ago

Add new TLS 1.2 cipher suites implemented in iOS 5.1.1 to ssltap

Categories: NSS :: Tools, defect, P2
Tracking: Not tracked
Status: RESOLVED FIXED (3.14)
People: Reporter: wtc, Assigned: wtc
Attachments (1 file): patch, 3.03 KB, elio.maldonado.batiz: review+

Description
Safari in iOS 5.1.1 uses TLS 1.2 by default. With the proposed patch, ssltap can print all the cipher suites in the TLS 1.2 ClientHello sent by Safari. I also added TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x00,0x68) and TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x00,0x69) even though they are not sent by Safari.

$ ssltap -sx -p 8443 www.google.com:443
Looking up "www.google.com"...
Proxy socket ready and listening
Connected to www.google.com:443
--> [
(180 bytes of 175)
SSLRecord { [Wed Jun 13 06:04:32 2012]
   0: 16 03 03 00 af                                  | .....
   type    = 22 (handshake)
   version = { 3,3 }
   length  = 175 (0xaf)
   handshake {
   0: 01 00 00 ab                                     | ....
      type = 1 (client_hello)
      length = 171 (0x0000ab)
      ClientHelloV3 {
         client_version = {3, 3}
         random = {...}
   0: 4f d8 8f e9 42 c6 8a 47 41 3a fa 65 60 a4 92 7f | O...B..GA:.e`..⌂
  10: bc 85 3c bc f9 23 8f e6 b3 2f 60 1c d5 6b d0 3a | ..<..#.../`..k.:
         session ID = {
            length = 0
            contents = {...}
         }
         cipher_suites[37] = {
            (0x00ff) TLS_EMPTY_RENEGOTIATION_INFO_SCSV
            (0xc024) TLS/ECDHE-ECDSA/AES256-CBC/SHA384
            (0xc023) TLS/ECDHE-ECDSA/AES128-CBC/SHA256
            (0xc00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA
            (0xc009) TLS/ECDHE-ECDSA/AES128-CBC/SHA
            (0xc007) TLS/ECDHE-ECDSA/RC4-128/SHA
            (0xc008) TLS/ECDHE-ECDSA/3DES-EDE-CBC/SHA
            (0xc028) TLS/ECDHE-RSA/AES256-CBC/SHA384
            (0xc027) TLS/ECDHE-RSA/AES128-CBC/SHA256
            (0xc014) TLS/ECDHE-RSA/AES256-CBC/SHA
            (0xc013) TLS/ECDHE-RSA/AES128-CBC/SHA
            (0xc011) TLS/ECDHE-RSA/RC4-128/SHA
            (0xc012) TLS/ECDHE-RSA/3DES-EDE-CBC/SHA
            (0xc026) TLS/ECDH-ECDSA/AES256-CBC/SHA384
            (0xc025) TLS/ECDH-ECDSA/AES128-CBC/SHA256
            (0xc02a) TLS/ECDH-RSA/AES256-CBC/SHA384
            (0xc029) TLS/ECDH-RSA/AES128-CBC/SHA256
            (0xc004) TLS/ECDH-ECDSA/AES128-CBC/SHA
            (0xc005) TLS/ECDH-ECDSA/AES256-CBC/SHA
            (0xc002) TLS/ECDH-ECDSA/RC4-128/SHA
            (0xc003) TLS/ECDH-ECDSA/3DES-EDE-CBC/SHA
            (0xc00e) TLS/ECDH-RSA/AES128-CBC/SHA
            (0xc00f) TLS/ECDH-RSA/AES256-CBC/SHA
            (0xc00c) TLS/ECDH-RSA/RC4-128/SHA
            (0xc00d) TLS/ECDH-RSA/3DES-EDE-CBC/SHA
            (0x003d) TLS/RSA/AES256-CBC/SHA256
            (0x003c) TLS/RSA/AES128-CBC/SHA256
            (0x002f) TLS/RSA/AES128-CBC/SHA
            (0x0005) SSL3/RSA/RC4-128/SHA
            (0x0004) SSL3/RSA/RC4-128/MD5
            (0x0035) TLS/RSA/AES256-CBC/SHA
            (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
            (0x0067) TLS/DHE-RSA/AES128-CBC/SHA256
            (0x006b) TLS/DHE-RSA/AES256-CBC/SHA256
            (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
            (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
            (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
         }
         compression[1] = {
            (00) NULL
         }
         extensions[56] = {
           extension type server_name, length [18] = {
   0: 00 10 00 00 0d 31 39 32 2e 31 36 38 2e 31 2e 31 | .....192.168.1.1
  10: 34 31                                           | 41
           }
           extension type elliptic_curves, length [8] = {
   0: 00 06 00 17 00 18 00 19                         | ........
           }
           extension type ec_point_formats, length [2] = {
   0: 01 00                                           | ..
           }
           extension type signature_algorithms, length [12] = {
   0: 00 0a 05 01 04 01 02 01 04 03 02 03             | ............
           }
         }
      }
   }
}
]
<-- [
(1430 bytes of 93, with 1332 left over)
SSLRecord { [Wed Jun 13 06:04:32 2012]
   0: 16 03 03 00 5d                                  | ....]
   type    = 22 (handshake)
   version = { 3,3 }
   length  = 93 (0x5d)
   handshake {
   0: 02 00 00 59                                     | ...Y
      type = 2 (server_hello)
      length = 89 (0x000059)
      ServerHello {
         server_version = {3, 3}
         random = {...}
   0: 4f d8 8f e3 23 e9 2d b1 9e 24 74 70 bb 3e 14 fa | O...#.-..$tp.>..
  10: 24 51 36 32 7a 59 dd 2c 87 fe ea 2b d7 e7 32 5d | $Q62zY.,...+..2]
         session ID = {
            length = 32
            contents = {...}
   0: dc 7c ba ba 3e 7a ba f7 54 fe 7d b9 d1 73 82 26 | .|..>z..T.}..s.&
  10: 3f bc e0 a0 12 61 e3 1a c2 8b ec 49 f0 16 58 e5 | ?....a.....I..X.
         }
         cipher_suite = (0xc011) TLS/ECDHE-RSA/RC4-128/SHA
         compression method = (00) NULL
         extensions[17] = {
           extension type server_name, length [0]
           extension type renegotiation_info, length [1] = {
   0: 00                                              | .
           }
           extension type ec_point_formats, length [4] = {
   0: 03 00 01 02                                     | ....
           }
         }
      }
   }
}
(1430 bytes, making 1332 of 1625)
]
<-- [
(517 bytes, making 1844 of 1625, with 219 left over)
SSLRecord { [Wed Jun 13 06:04:32 2012]
   0: 16 03 03 06 59                                  | ....Y
   type    = 22 (handshake)
   version = { 3,3 }
   length  = 1625 (0x659)
   handshake {
   0: 0b 00 06 55                                     | ...U
      type = 11 (certificate)
      length = 1621 (0x000655)
      CertificateChain {
         chainlength = 1618 (0x0652)
         Certificate {
            size = 805 (0x0325)
            data = { saved in file 'cert.001' }
         }
         Certificate {
            size = 807 (0x0327)
            data = { saved in file 'cert.002' }
         }
      }
   }
}
(517 bytes of 205, with 9 left over)
SSLRecord { [Wed Jun 13 06:04:32 2012]
   0: 16 03 03 00 cd                                  | .....
   type    = 22 (handshake)
   version = { 3,3 }
   length  = 205 (0xcd)
   handshake {
   0: 0c 00 00 c9                                     | ....
      type = 12 (server_key_exchange)
      length = 201 (0x0000c9)
   0: 03 00 17 41 04 75 96 d2 dc e3 90 9b 95 a1 a5 21 | ...A.u.........!
  10: 07 97 bd c3 92 61 c4 7a bc ad 9e 1b ff 51 31 24 | .....a.z.....Q1$
  20: 27 d1 37 a9 0b 06 40 ae ad 24 b0 42 66 03 1d be | '.7...@..$.Bf...
  30: 2b c2 10 d4 63 2d d3 3a 4c 40 06 dc 43 32 13 a7 | +...c-.:L@..C2..
  40: a6 65 15 1a 64 05 01 00 80 05 9b 62 be 47 ed cb | .e..d......b.G..
  50: 3a bb a9 dd 4e 3c a0 5f 40 59 d8 39 2b bb 6e 76 | :...N<._@Y.9+.nv
  60: d4 74 cc 56 7f 4b bc d6 c6 ba 64 e1 c7 cc 84 7b | .t.V⌂K....d....{
  70: e5 5d 63 68 be 6c ce 10 05 bb 9b fe 14 29 9a 7f | .]ch.l.......).⌂
  80: 06 37 07 a5 3c a5 db 37 a3 61 96 c7 67 8e 40 37 | .7..<..7.a..g.@7
  90: f8 b2 6e 34 f7 87 cf fd 83 37 6f 28 4a 67 b0 79 | ..n4.....7o(Jg.y
  a0: c3 ba a0 8f b2 7f fe fd ca 8f 86 47 03 af ed 1c | .....⌂.....G....
  b0: 05 05 38 dc aa 40 a7 f9 91 7e af b1 98 36 8b fe | ..8..@...~...6..
  c0: d9 9a 49 f6 ff 96 d7 5b ee                      | ..I....[.
   }
}
(517 bytes of 4)
SSLRecord { [Wed Jun 13 06:04:32 2012]
   0: 16 03 03 00 04                                  | .....
   type    = 22 (handshake)
   version = { 3,3 }
   length  = 4 (0x4)
   handshake {
   0: 0e 00 00 00                                     | ....
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
Read EOF on Client socket. [Wed Jun 13 06:04:32 2012]
Read EOF on Server socket. [Wed Jun 13 06:04:32 2012]
Connection 1 Complete [Wed Jun 13 06:04:32 2012]
Attachment #632673 - Flags: review?(emaldona)
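The ssltap log above walks the TLS record header (16 03 03 00 af), the handshake header (01 00 00 ab) and then the ClientHello's cipher_suites list, naming each code from a lookup table; the patch in this bug extends that table. As an added illustration that is not part of this bug or of NSS's ssltap, the Python below parses a ClientHello the same way and names its suites from a small table constructed from the page (including the two DH_DSS/DH_RSA suites the patch adds); build_client_hello, the table subset and the code 0x1234 are constructed for the example.

```python
import struct

# Subset of ssltap's suite table, codes and names copied from the log above;
# 0x0068 and 0x0069 are the two suites this bug's patch adds (constructed subset).
SUITE_NAMES = {
    0x00ff: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0xc024: "TLS/ECDHE-ECDSA/AES256-CBC/SHA384",
    0xc027: "TLS/ECDHE-RSA/AES128-CBC/SHA256",
    0xc011: "TLS/ECDHE-RSA/RC4-128/SHA",
    0x003d: "TLS/RSA/AES256-CBC/SHA256",
    0x0068: "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
    0x0069: "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
}

def parse_client_hello(record: bytes) -> dict:
    """Walk one TLS record carrying a ClientHello and return its fields."""
    ctype, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != 22:                                 # 0x16 = handshake record
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 1 or hs_len != len(body) - 4:    # 1 = client_hello, 24-bit length
        raise ValueError("not a well-formed client_hello")
    p = 4
    client_version = (body[p], body[p + 1]); p += 2
    rand = body[p:p + 32]; p += 32                  # 32-byte random
    sid_len = body[p]; p += 1 + sid_len             # skip session ID
    cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    if cs_len % 2 or p + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    return {"record_version": (major, minor), "client_version": client_version,
            "random": rand, "suites": suites}

def describe_suites(suites):
    """Name each code as ssltap would; codes missing from the table show as UNKNOWN."""
    return [(code, SUITE_NAMES.get(code, "UNKNOWN")) for code in suites]

def build_client_hello(suites, version=(3, 3)) -> bytes:
    """Constructed sample ClientHello (no extensions) so the parser runs offline."""
    body = bytes(version) + bytes(32) + b"\x00"     # version, zero random, empty session ID
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                             # compression_methods = { NULL }
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs
```

A code the table does not know comes back as UNKNOWN, which is exactly the gap the patch closes for the suites Safari offers.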
Comment 1 • 12 years ago
Comment on attachment 632673: Proposed patch
This patch is fine but we actually don't need it. The changes have already been applied. Reviewing the CVS log I found

revision 1.14
date: 2009/08/21 17:10:38;  author: wtc%google.com;  state: Exp;  lines: +15 -1
Bug 511781: added new TLS 1.2 cipher suites implemented in Windows 7. r=nelson.
Attachment #632673 - Flags: review?(emaldona) → review-
Comment 2 (Assignee) • 12 years ago
Comment on attachment 632673: Proposed patch
Elio: This patch is an addition to my previous checkin of TLS 1.2 cipher suites supported by Windows 7. I found that iOS 5.1.1 supports some cipher suites that are not supported by Windows.
Comment 3 • 12 years ago
For some odd reason, when I tried applying the patch it got rejected as trying to revert previously applied changes. I tried it again on another clean system and it now applies cleanly.
Updated • 12 years ago
Attachment #632673 - Flags: review- → review+
Comment 4 (Assignee) • 12 years ago
Elio: thanks for testing and reviewing the patch. Checked in on the NSS trunk (NSS 3.14).

Checking in ssltap.c;
/cvsroot/mozilla/security/nss/cmd/ssltap/ssltap.c,v  <--  ssltap.c
new revision: 1.22; previous revision: 1.21
done
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Priority: -- → P2
Resolution: --- → FIXED