Map SSL/TLS cipher suites and their OpenSSL equivalents

Question

I am trying to check which cipher suites can make a handshake with a server. I am using the script at the end of the post, which in turn calls OpenSSL, and the output uses the OpenSSL equivalents of the suite names. For example:

$./ciphers.sh stackoverflow.com:443
stackoverflow.com:443,SSL2(),SSL3(),TLS1(ECDHE-RSA-AES256-SHA:AES256-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA),TLS1.1(ECDHE-RSA-AES256-SHA:AES256-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA),TLS1.2(ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:AES128-SHA256:AES128-SHA)

I can't figure out how to map them to the SSL/TLS cipher suite names. What I need is a list of the cipher names, like

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA

but I just can't figure it out... Thank you for your help and time!

#!/usr/bin/env bash
# Usage: ./ciphers.sh host:port
# For each protocol version, list the OpenSSL cipher names the server accepts,
# by attempting one handshake per cipher with openssl s_client.
set -u
if [ $# -ne 1 ]; then
  echo "usage: $0 host:port" >&2
  exit 1
fi
target=$1

# probe LABEL CIPHERS_FLAG S_CLIENT_FLAG
# Prints LABEL(cipher1:cipher2:...) containing the ciphers that handshake.
probe() {
  local label=$1 cflag=$2 sflag=$3
  local ciphers cipher result out="${label}("
  # 'openssl ciphers -<proto>' lists the suites compatible with that format;
  # ALL:eNULL also includes the suites without encryption.
  ciphers=$(openssl ciphers "$cflag" 'ALL:eNULL' 2>/dev/null | tr ':' ' ')
  for cipher in $ciphers; do
    result=$(echo -n | openssl s_client "$sflag" -cipher "$cipher" -connect "$target" 2>&1)
    # s_client reports the negotiated suite as "Cipher is <name>" on success
    if [[ "$result" =~ "Cipher is ${cipher}" ]]; then
      out="${out}${cipher}:"
    fi
  done
  # drop the trailing ':' before closing the parenthesis
  echo "${out%:})"
}

# ciphers uses -tls1_1 / -tls1_2 (underscore, not dot); -ssl2 and -ssl3 only
# work on OpenSSL builds that still include those protocols, otherwise the
# list for that version is simply empty.
SSL2=$(probe "SSL2" -ssl2 -ssl2)
SSL3=$(probe "SSL3" -ssl3 -ssl3)
TLS1=$(probe "TLS1" -tls1 -tls1)
TLS11=$(probe "TLS1.1" -tls1_1 -tls1_1)
TLS12=$(probe "TLS1.2" -tls1_2 -tls1_2)

echo "$target,$SSL2,$SSL3,$TLS1,$TLS11,$TLS12"

Answer

NAME MAPPING: OpenSSL uses its own set of ciphersuite names which are related to, but not the same as, the names in the RFCs used by most other implementations and documentation. See the man page for ciphers on your system (if Unix-like, and bash is mostly on Unix-like systems although it can be ported to others) under the heading "CIPHER SUITE NAMES" about halfway down. On some systems you may need to specify a section something like man 1ssl ciphers. Or online at (updated) https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html (use links at the right for specific release if necessary).

To manually convert an RFC name to OpenSSL: discard (leading) TLS or SSL and (embedded) WITH and change all _ to -; where the keyexchange is plain RSA (not [EC]DH[E]-RSA) discard it entirely; in some cases swap DHE to EDH (older versions only) and always swap DH_anon to ADH or ECDH_anon to AECDH; change 3DES_EDE_CBC in most cases to DES-CBC3; shorten EXPORT to EXP and move it to the beginning; drop bitlengths and CBC in some cases if not needed to disambiguate.

Note that anonymous suites have never been included in the default list offered or accepted; export suites were removed from default starting with 1.0.0r, 1.0.1m and 1.0.2a in 2015-03, and removed entirely (and single-DES removed from default) starting with 1.0.1s and 1.0.2g in 2016-03; 3DES, RC4, SEED, IDEA, Camellia and DSS authentication (aka DSA) are not default in 1.1.0; the SSL2 protocol has been disabled by default since 1.0.0 and is removed entirely in 1.1.0, released 2016-08; SSL3 is compiled out by default in 1.1.0 but can be added back (although you shouldn't use it, nor on lower releases, because it is broken by POODLE except for RC4, which has other flaws).

AVAILABILITY: ciphersuites fall in three classes in OpenSSL below 1.1.0: those for SSL2; those for SSL3 and up; and those for TLS1.2. SSL2 uses a different code scheme, so SSL2 suites can't be used for newer protocols or vice versa. To be pedantic, TLS1.0 dropped the Fortezza suites (which OpenSSL doesn't implement anyway) and TLS1.1 dropped the export suites, but OpenSSL still allowed them except as noted above. TLS1.2 on the other hand added a new format (AEAD) and a new PRF/KDF scheme, and with them a bunch of new ciphersuites that only work on TLS1.2; it also kept everything from TLS1.1 except single-DES and IDEA, which OpenSSL again still allowed except as above.

The -ssl2 -ssl3 -tls1 options on ciphers below 1.1.0 only limit you to suites compatible with that format, and all SSL3-up and TLS1.2 suites are compatible with both -ssl3 and -tls1; see the man page again. As @Andrew noted there were no options for -tls1.1 or -tls1.2 below 1.1.0 (edit) which adds options -tls1_1 and -tls1_2 (underscore not dot) which are still actually the same, and also adds an option -stdname to display the standard (RFC) name, avoiding the mapping issue -- but making the lines very long, IMHO unreadably so.

PS: if your goal is just to match, or pass, some audit scan that stupidly enumerates ciphers, this approach can work. If you are hoping to determine something useful about the security of a server, this is mostly a waste of time. It is enough that the server doesn't do SSL2 or SSL3 AT ALL (with any ciphersuite) and supports some decent ciphersuites and doesn't apply a bad preference (which this scan doesn't test); beyond that exactly which ciphersuites are supported matters much less to security than things like using good auth key and cert chain and maybe stapling, which this doesn't test; using good ephemeral parameters and randomness which are nearly impossible to test and this doesn't try; supporting features like 5746 and fallback and not having bugs like Heartbleed and CCS which this doesn't test; avoiding or mitigating compression issues which this doesn't test and in general may not be testable, and using record splitting as a best practice against BEAST which isn't practically testable; as well as all manner of issues above the SSL/TLS level.

Update: the above was written before TLS1.3 was published in 2018, and implemented by OpenSSL 1.1.1. TLS1.3 uses a completely new set of ciphersuites which specify only AEAD symmetric encryption (GCM, CCM, or ChaCha+Poly), which no longer uses HMAC at all, and the KDF hash (the KDF being substantially changed and no longer called PRF); a 1.3 ciphersuite does not specify keyexchange and server authentication, as previous versions did. (Those are now handled by other parts of the protocol. See RFC 8446 for details.) For 1.3 suites OpenSSL uses the standard names, and also a separate, new API; the command-line ciphers covers both the 1.0-1.2 and 1.3 APIs. As noted above, SSL2 was entirely deleted as of 1.1.0, including all its unique ciphersuites.
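The manual RFC-to-OpenSSL conversion rules from the answer, written out as code. This is an added example, not code from the answer or from OpenSSL; the sample list is the one from the question, and the handling of ChaCha20 suites (where OpenSSL also drops the hash) goes beyond the rules stated above and is marked as such.

```python
import re

# Constructed sample input: the RFC names listed in the question.
RFC_NAMES = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]


def rfc_to_openssl(name):
    """Convert an RFC/IANA suite name (SSL3 to TLS1.2 style) to the OpenSSL name."""
    m = re.fullmatch(r"(?:TLS|SSL)_(.+?)(_EXPORT)?_WITH_(.+)", name)
    if not m:
        raise ValueError("not an RFC cipher suite name: " + name)
    kx, export, rest = m.group(1), bool(m.group(2)), m.group(3)
    # Key exchange/auth: plain RSA is implicit; anonymous DH gets an A prefix.
    # (Old OpenSSL releases spelled DHE as EDH; modern names keep DHE.)
    kx = {"RSA": "", "DH_anon": "ADH", "ECDH_anon": "AECDH"}.get(kx, kx)
    toks = rest.split("_")
    cipher, middle, mac = toks[0], toks[1:-1], toks[-1]
    if cipher == "3DES" and middle[:2] == ["EDE", "CBC"]:
        cipher, middle = "DES-CBC3", middle[2:]
    elif cipher in ("AES", "CAMELLIA", "ARIA"):
        # Bit length is glued to the cipher name and CBC is never written out.
        cipher, middle = cipher + middle[0], [t for t in middle[1:] if t != "CBC"]
    elif cipher == "SEED":
        middle = [t for t in middle if t != "CBC"]
    elif cipher in ("RC4", "RC2"):
        # Bit length (40/56/128) is not needed to disambiguate; RC2 keeps CBC.
        middle = [t for t in middle if not t.isdigit()]
    elif cipher == "DES40":
        cipher = "DES"  # export DES: EXP- prefix carries the 40-bit meaning
    elif cipher == "CHACHA20":
        mac = ""  # beyond the answer's rules: OpenSSL omits the hash here
    parts = [kx, cipher] + middle + [mac]
    openssl = "-".join(p for p in parts if p).replace("_", "-")
    return "EXP-" + openssl if export else openssl


def map_suites(names):
    """Return {rfc_name: openssl_name} for a list of RFC names."""
    return {n: rfc_to_openssl(n) for n in names}


if __name__ == "__main__":
    for rfc, ossl in map_suites(RFC_NAMES).items():
        print(f"{rfc:40} -> {ossl}")
```

On OpenSSL 1.1.0 and later, `openssl ciphers -stdname` prints both names side by side and can be used to check the table this produces.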
