On Mon, Oct 8, 2012 at 12:47 PM, Hugo Maxwell Connery <h...@env.dtu.dk> wrote:
> Hi,

Why not make your very own private mod to mod_ssl to support your research, and then consider offering it as a patch later?

>
> The reasons for my request are detailed below, for those interested.
>
> I note that the Environment Variables available with mod_ssl provide
> excellent information about what *has been agreed* during a TLS
> negotiation.
>
> I am interested in the *details* of the negotiation being available to a
> script (CGI, whatever).
>
> Specifically, during a TLS negotiation:
>
> * the client proposes a collection of cipher suites (I want to know what was
>   proposed)
> * the server responds with a selection, or says no thanks (seems to be in the
>   Env details)
> * the server is configured (mod_ssl) with the SSLCipherSuite directive.
>   (this I also want to know).
>
> I have full control of the web server, so I can easily cut/paste part 3 (but
> that's not nice).
>
> Please let me know if tools/mods/non-standard releases exist such that this
> detailed TLS negotiation data can be made available to a script, such that it
> can then be delivered to the client (or written by the server).
>
> == Why ==
>
> I've begun a process with a Professor in Crypto, and a local CERT with the
> base objective being taking all the confusion out of configuring TLS with a
> reference to current threats on ciphers as implemented in current major web
> servers (c.f. BEAST etc.).
>
> Configuring secure (current threat aware) crypto should not be as cryptic (pun
> very deliberate) as it is.
>
> A "yes, look here" response to the above request will result in the following
> useful tools:
>
> 1. Take whatever browser and visit a 'reference' (apache) web-site. It tells
> you its SSLCipherSuite config, what suites you asked for, and what was agreed
> (or no agreement).
>
> 2. With that, a script (whatever) to launch a bunch of browsers at the site to
> then obtain a record of what will happen with the chosen browsers
>
> 3. Run the above in reverse: you supply the newly configured site's URL and
> it is visited by a bunch of chosen browsers and you learn what suite (if any)
> was selected.
>
> That's the idea. Please assist in exposing the contents of the TLS
> negotiation.
>
> This is not about DDOS, but about publicising the innards of the TLS
> negotiation of numerous current browsers against web server cipher suite
> config.
>
> Thanks in advance to any who respond.
>
> Regards,
> --
> Hugo Connery, Head of IT, DTU Environment
> http://www.env.dtu.dk
>
> PS: I am hoping to avoid parsing pcap files, though that may be necessary in
> the end.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
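
The three data points listed in the quoted request (suites proposed, server configuration, suite selected) can be illustrated from raw handshake bytes. The following is an added example, not code from this thread or from mod_ssl: it parses a captured ClientHello record for the proposed cipher suites and applies a simplified selection model. The function names, the `honor_server_order` flag (modelled on mod_ssl's SSLHonorCipherOrder) and the sample record are assumptions constructed for the demonstration.

```python
import struct

# IANA code points for the suites used in the constructed sample below.
SUITE_NAMES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA",
               0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
               0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
               0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
               0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}  # signalling value

def offered_cipher_suites(record):
    """Return the code points a ClientHello record proposes, in client order."""
    try:
        ctype, _version, rec_len = struct.unpack_from("!BHH", record, 0)
        body = record[5:5 + rec_len]
        if ctype != 0x16 or len(body) != rec_len or body[0] != 0x01:
            raise ValueError("not a complete ClientHello handshake record")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) != hs_len:
            raise ValueError("ClientHello is fragmented across records")
        pos = 2 + 32                    # client_version + random
        pos += 1 + hello[pos]           # session_id length byte + session_id
        (cs_len,) = struct.unpack_from("!H", hello, pos)
        pos += 2
        if cs_len % 2 or pos + cs_len > len(hello):
            raise ValueError("bad cipher_suites length")
    except (struct.error, IndexError):
        raise ValueError("truncated ClientHello") from None
    return [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]

def select_suite(offered, server_enabled, honor_server_order=False):
    """Simplified model of the server's pick; None means no agreement."""
    first, second = (server_enabled, offered) if honor_server_order else (offered, server_enabled)
    return next((s for s in first if s in second), None)

def build_sample_hello(suites):
    """Constructed TLS 1.0 ClientHello without extensions, for the demo only."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = b"\x03\x01" + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

SAMPLE = build_sample_hello([0x0035, 0x002F, 0x0005, 0x000A, 0x00FF])

if __name__ == "__main__":
    offered = offered_cipher_suites(SAMPLE)
    print("proposed:", [SUITE_NAMES.get(s, hex(s)) for s in offered])
    print("selected:", SUITE_NAMES.get(select_suite(offered, [0x0005, 0x002F], True)))
```

A real server's choice also depends on the protocol version and certificate type, which this model leaves out.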