##########################################################################################
PAS-5: Replace observed Cipher Suites with Human Readable versions
##########################################################################################

Issue Type: New Feature

-----------------------------------------------------------------------------------------
Issue Information
====================

Priority: Major
Status: Closed
Resolution: Done (2015-11-27 13:13:38)
Project: PCAP Analysis Script (PAS)
Reported By: btasker
Assigned To: btasker
Components:
- Reports
- SSL/TLS
Affected Versions:
- 0.1
Targeted for fix in version:
- 0.1
Labels: HTTPS, TLS
Time Estimate: 6 minutes
Time Logged: 39 minutes

-----------------------------------------------------------------------------------------
Issue Description
==================

At the moment, TLS/SSL information extracted from the handshake is stored as follows:

-- BEGIN SNIPPET --
0xc02b,0xc02f,0x009e,0xc00a,0xc009,0xc013,0xc014,0x0033,0x0039,0x009c,0x002f,0x0035,0x000a
-- END SNIPPET --

Which, while compact, isn't particularly helpful for a human reader.

Entries should be replaced with the human readable version. For example:

-- BEGIN SNIPPET --
0xc02b = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
0xc02f = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
0xc00a = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
0xc013 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
0xc014 = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0x0088 = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
-- END SNIPPET --

Need to look up the others though.

-----------------------------------------------------------------------------------------
Issue Relations
================

- RFC 5246 Appendix A.5 (https://tools.ietf.org/html/rfc5246#appendix-A.5)
- RFC 4492 Section 6 (https://tools.ietf.org/html/rfc4492#section-6)
- Hex to Human Readable Cipherlist (Projects Static) (http://projectsstatic.bentasker.co.uk/PAS/PAS5-Humanise_ciphersuite_output/ciphersuite_list.txt)
- RFC 5288 Section 3 (https://tools.ietf.org/html/rfc5288#section-3)
- RFC 5289 Section 3 (https://tools.ietf.org/html/rfc5289#section-3)
- RFC 7251 Section 2 (https://tools.ietf.org/html/rfc7251#section-2)
- RFC 4785 Section 3 (https://tools.ietf.org/html/rfc4785#section-3)

-----------------------------------------------------------------------------------------
Activity
==========

-----------------------------------------------------------------------------------------
2015-11-22 10:38:53
-----------------------------------------------------------------------------------------

btasker added 'HTTPS' to labels

-----------------------------------------------------------------------------------------
2015-11-22 10:39:00
-----------------------------------------------------------------------------------------

btasker changed labels from 'HTTPS' to 'HTTPS TLS'

-----------------------------------------------------------------------------------------
2015-11-24 14:41:48 btasker
-----------------------------------------------------------------------------------------

The values for each ciphersuite are listed in RFC 5246 Appendix A.5, so we can pull from there.

-----------------------------------------------------------------------------------------
2015-11-24 14:44:48 btasker
-----------------------------------------------------------------------------------------

Elliptic Curve based cipher suites were added in TLS1.2 and are defined in RFC 4492 Section 6.

-----------------------------------------------------------------------------------------
2015-11-24 15:01:17 btasker
-----------------------------------------------------------------------------------------

So, the values defined in RFC 4492 give us:

-- BEGIN SNIPPET --
0xC001 = TLS_ECDH_ECDSA_WITH_NULL_SHA
0xC002 = TLS_ECDH_ECDSA_WITH_RC4_128_SHA
0xC003 = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
0xC004 = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
0xC005 = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
0xC006 = TLS_ECDHE_ECDSA_WITH_NULL_SHA
0xC007 = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
0xC008 = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
0xC009 = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
0xC00A = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
0xC00B = TLS_ECDH_RSA_WITH_NULL_SHA
0xC00C = TLS_ECDH_RSA_WITH_RC4_128_SHA
0xC00D = TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
0xC00E = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
0xC00F = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
0xC010 = TLS_ECDHE_RSA_WITH_NULL_SHA
0xC011 = TLS_ECDHE_RSA_WITH_RC4_128_SHA
0xC012 = TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
0xC013 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
0xC014 = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0xC015 = TLS_ECDH_anon_WITH_NULL_SHA
0xC016 = TLS_ECDH_anon_WITH_RC4_128_SHA
0xC017 = TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
0xC018 = TLS_ECDH_anon_WITH_AES_128_CBC_SHA
0xC019 = TLS_ECDH_anon_WITH_AES_256_CBC_SHA
-- END SNIPPET --

I'll start implementing something used for those first, so that it can be tested, and then grab the rest from RFC 5246.

-----------------------------------------------------------------------------------------
2015-11-24 15:07:50
-----------------------------------------------------------------------------------------

btasker changed status from 'Open' to 'In Progress'

-----------------------------------------------------------------------------------------
2015-11-24 15:23:24 btasker
-----------------------------------------------------------------------------------------

Replacement of the EC ciphersuites has been implemented, using the following command to build _sed_ expressions from the file at http://projectsstatic.bentasker.co.uk/PAS/PAS5-Humanise_ciphersuite_output/ciphersuite_list.txt

-- BEGIN SNIPPET --
# Fetch the "hex = name" list, drop comment lines, and emit one
# "-e 's/hex/name/gi'" argument per entry (trailing backslash so the
# output can be pasted straight into a multi-line sed invocation).
wget -q -O - "http://projectsstatic.bentasker.co.uk/PAS/PAS5-Humanise_ciphersuite_output/ciphersuite_list.txt" | egrep -v -e "^#" | while read -r line
do
    hex=$(echo "$line" | cut -d\= -f1)
    str=$(echo "$line" | cut -d\= -f2)
    echo "-e 's/$hex/$str/gi' \\"
done
-- END SNIPPET --

Test is still running, but looks OK so far. Will work on building a list of the other suites from RFC 5246.

-----------------------------------------------------------------------------------------
2015-11-24 15:38:28 btasker
-----------------------------------------------------------------------------------------

Have updated the list in projectsstatic and regenerated the list of cipher replacements.

Test run going at the moment; if all goes well, will commit the change.

-----------------------------------------------------------------------------------------
2015-11-24 15:38:31
-----------------------------------------------------------------------------------------

btasker changed status from 'In Progress' to 'Open'

-----------------------------------------------------------------------------------------
2015-11-24 15:38:54
-----------------------------------------------------------------------------------------

btasker changed timespent from '0 minutes' to '30 minutes'

-----------------------------------------------------------------------------------------
2015-11-24 15:53:54 btasker
-----------------------------------------------------------------------------------------

Current version seems to work, though I've missed RFC 5288 (doi) so some suites still aren't being replaced. Probably missed a couple of other RFCs too, but the concept at least seems to be working.

Committing current build and will dig out the other details shortly.

-----------------------------------------------------------------------------------------
2015-11-24 15:55:42 git
-----------------------------------------------------------------------------------------

-- BEGIN QUOTE --
Repo: PCAPAnalyseandReport
Commit: 0eac1dd8b4012c04ae5564d4a791716a8eda3a78
Author: Ben Tasker
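The lookup the issue describes (hex code to IANA name, built from a "hex = name" list), written out as an added example rather than PAS's own sed-based code. It assumes a small constructed list in the same format as the ciphersuite_list.txt file linked above, normalises case so the lowercase codes PAS records match the uppercase RFC values, passes unknown codes through unchanged (so a missing RFC shows up as a leftover hex value, as in the 15:53:54 comment), and additionally flags suites with no encryption, no authentication or a broken cipher for the report reader.

```python
"""Map PAS's hex cipher-suite list to human readable names (added example, not PAS code).
Accepts the '0xC001 = TLS_...' list format used in this issue; '#' lines are comments."""
import re

# Constructed sample list: RFC 4492 values quoted in the issue plus a few
# RFC 5246 / RFC 5288 / RFC 5289 entries. The real file is fetched from projectsstatic.
SAMPLE_LIST = """\
# RFC 4492 Section 6
0xC001 = TLS_ECDH_ECDSA_WITH_NULL_SHA
0xC007 = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
0xC009 = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
0xC00A = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
0xC013 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
0xC014 = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0xC016 = TLS_ECDH_anon_WITH_RC4_128_SHA
# RFC 5246 Appendix A.5 / RFC 5288 Section 3 / RFC 5289 Section 3
0x000A = TLS_RSA_WITH_3DES_EDE_CBC_SHA
0x002F = TLS_RSA_WITH_AES_128_CBC_SHA
0x0035 = TLS_RSA_WITH_AES_256_CBC_SHA
0x009C = TLS_RSA_WITH_AES_128_GCM_SHA256
0xC02B = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
0xC02F = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""

LINE_RE = re.compile(r"^\s*(0x[0-9a-fA-F]{4})\s*=\s*(\S+)\s*$")
# Substrings that mark a suite worth highlighting in a report.
WEAK_MARKERS = ("NULL", "RC4", "3DES", "anon", "EXPORT", "MD5")

def parse_ciphersuite_list(text):
    """Return {code_lowercase: name}; comment and malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            table[m.group(1).lower()] = m.group(2)
    return table

def humanise(observed, table):
    """Convert PAS's comma-separated hex list; unknown codes are passed through."""
    return [table.get(code.strip().lower(), code.strip())
            for code in observed.split(",") if code.strip()]

def weak_suites(names):
    """Names offering no encryption, no authentication, or a broken cipher."""
    return [n for n in names if any(w in n for w in WEAK_MARKERS)]
```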