FYI: New TLS code points

[dcooper16]

It appears that two authentication-only cipher suites have been defined for TLSv1.3 (see https://mailarchive.ietf.org/arch/msg/tls/0oy4wY4xiB1tASCBDWczh2xTVMM).

In looking at the TLS Cipher Suites registry, I noticed a number of recently-added cipher suites that are not yet in etc/cipher-mapping.txt:

I haven't had a chance to review these documents, so I don't know what would be involved in adding support for them to testssl.sh. For some of them it may be enough to just add the values for etc/cipher-mapping.txt, but for others at least some additional work would be required.

Value	Description	Reference
0xC0,0xB0	TLS_ECCPWD_WITH_AES_128_GCM_SHA256	[RFC8492]
0xC0,0xB1	TLS_ECCPWD_WITH_AES_256_GCM_SHA384	[RFC8492]
0xC0,0xB2	TLS_ECCPWD_WITH_AES_128_CCM_SHA256	[RFC8492]
0xC0,0xB3	TLS_ECCPWD_WITH_AES_256_CCM_SHA384	[RFC8492]
0xC0,0xB4	TLS_SHA256_SHA256	[draft-camwinget-tls-ts13-macciphersuites]
0xC0,0xB5	TLS_SHA384_SHA384	[draft-camwinget-tls-ts13-macciphersuites]
0xC1,0x00	TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC	[draft-smyshlyaev-tls12-gost-suites]
0xC1,0x01	TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC	[draft-smyshlyaev-tls12-gost-suites]
0xC1,0x02	TLS_GOSTR341112_256_WITH_28147_CNT_IMIT	[draft-smyshlyaev-tls12-gost-suites]
0xD0,0x01	TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256	[RFC8442]
0xD0,0x02	TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384	[RFC8442]
0xD0,0x03	TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256	[RFC8442]
0xD0,0x05	TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256	[RFC8442]

[drwetter]

Thanks, David for keeping an eye on it!

Will look into it next week. At least some ciphers need to be added to $ossl_strong_ciphers in run_cipherlists(), and in the preference check. Also it might be worth a try to find out whether there's an OpenSSL name yet,

Cheers, Dirk

[dcooper16]

Hi Dirk,

I hadn't thought about adding the ciphers to run_cipherlists() and other changes like that.

The changes I was thinking about were, for example, that in order to test for RFC 8492 ciphers it seems that the ClientHello needs to include a pwd_name extension and possibly a key_share extension. It may be okay that we don't know a valid user name, as the document recommends returning a ServerHello in response to an unknown name rather than terminating the connection (which would provide a way for an attacker to learn whether a user name is valid or not).

The draft-camwinget-tls-ts13-macciphersuites will require modifications to the code to "decrypt" the Server's response, but that should be very easy, since the data is not actually encrypted.

[drwetter]

Hi David, I haven't even clicked any link yet ;-)

[dcooper16]

In addition to the new cipher suites mentioned above, below are some more code points that have recently been registered:

TLS Supported Groups

Value	Description	Reference
31	brainpoolP256r1	[draft-bruckert-brainpool-for-tls13]
32	brainpoolP384r1	[draft-bruckert-brainpool-for-tls13]
33	brainpoolP512r1	[draft-bruckert-brainpool-for-tls13]
34	GC256A	[draft-smyshlyaev-tls12-gost-suites]
35	GC256B	[draft-smyshlyaev-tls12-gost-suites]
36	GC256C	[draft-smyshlyaev-tls12-gost-suites]
37	GC256D	[draft-smyshlyaev-tls12-gost-suites]
38	GC512A	[draft-smyshlyaev-tls12-gost-suites]
39	GC512B	[draft-smyshlyaev-tls12-gost-suites]
40	GC512C	[draft-smyshlyaev-tls12-gost-suites]

TLS SignatureAlgorithm (for TLSv1.2 and earlier)

Value	Description	Reference
64	gostr34102012_256	[draft-smyshlyaev-tls12-gost-suites]
65	gostr34102012_512	[draft-smyshlyaev-tls12-gost-suites]

TLS SignatureScheme (for TLSv1.3)

Value	Description	Reference
0x081A	ecdsa_brainpoolP256r1_sha256	[draft-bruckert-brainpool-for-tls13]
0x081B	ecdsa_brainpoolP384r1_sha384	[draft-bruckert-brainpool-for-tls13]
0x081C	ecdsa_brainpoolP512r1_sha512	[draft-bruckert-brainpool-for-tls13]

[drwetter]

Thanks!

maybe we should watch the page (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml) with a cronjob or the CSV files...

[dcooper16]

Just to update this issue:

1. draft-bruckert-brainpool-for-tls13 is now RFC 8734
2. There are two new documents specifying code points:

• draft-smyshlyaev-tls13-gost-suites - GOST Cipher Suites for Transport Layer Security (TLS) Protocol Version 1.3
• RFC 8998 - ShangMi (SM) Cipher Suites for TLS 1.3

[drwetter]

Hi David,

thanks!

Would there be a negative impact if we add some of the values to our respective files? (draft: can't tell whether it's a good idea or we'd rather wait. --> you can tell better I guess)

Cheers,. Dirk

[dcooper16]

Hi Dirk,

Just adding these values to files such as etc/cipher-mapping.txt probably wouldn't cause any problems, but I'm not sure. There is code in testssl.sh that would eventually need to be updated. For example, there is code in testssl.sh that assumes a cipher suite is a TLSv1.3 cipher suite if and only if its code point begins with 13.

So, for the moment I would suggest waiting.