-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FYI: New TLS code points #1207
Comments
Thanks, David for keeping an eye on it! Will look into it next week. At least some ciphers need to be added to Cheers, Dirk |
Hi Dirk, I hadn't thought about adding the ciphers to The changes I was thinking about were, for example, that in order to test for RFC 8492 ciphers it seems that the ClientHello needs to include a pwd_name extension and possibly a key_share extension. It may be okay that we don't know a valid user name, as the document recommends returning a ServerHello in response to an unknown name rather than terminating the connection (which would provide a way for an attacker to learn whether a user name is valid or not). The draft-camwinget-tls-ts13-macciphersuites will require modifications to the code to "decrypt" the Server's response, but that should be very easy, since the data is not actually encrypted. |
Hi David, I haven't even clicked any link yet ;-) |
In addition to the new cipher suites mentioned above, below are some more code points that have recently been registered: TLS Supported Groups
TLS SignatureAlgorithm (for TLSv1.2 and earlier)
TLS SignatureScheme (for TLSv1.3)
|
Thanks! maybe we should watch the page (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml) with a cronjob or the CSV files... |
Just to update this issue:
|
Hi David, thanks! Would there be a negative impact if we add some of the values to our respective files? (draft: can't tell whether it's a good idea or we'd rather wait. --> you can tell better I guess) Cheers,. Dirk |
Hi Dirk, Just adding these values to files such as etc/cipher-mapping.txt probably wouldn't cause any problems, but I'm not sure. There is code in testssl.sh that would eventually need to be updated. For example, there is code in testssl.sh that assumes a cipher suite is a TLSv1.3 cipher suite if and only if its code point begins with 13. So, for the moment I would suggest waiting. |
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
It appears that two authentication-only cipher suites have been defined for TLSv1.3 (see https://mailarchive.ietf.org/arch/msg/tls/0oy4wY4xiB1tASCBDWczh2xTVMM).
In looking at the TLS Cipher Suites registry, I noticed a number of recently-added cipher suites that are not yet in etc/cipher-mapping.txt:
I haven't had a chance to review these documents, so I don't know what would be involved in adding support for them to testssl.sh. For some of them it may be enough to just add the values for etc/cipher-mapping.txt, but for others at least some additional work would be required.
The text was updated successfully, but these errors were encountered: