Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FYI: New TLS code points #1207

Open
dcooper16 opened this issue Feb 27, 2019 · 8 comments
Open

FYI: New TLS code points #1207

dcooper16 opened this issue Feb 27, 2019 · 8 comments
Labels
Milestone

Comments

@dcooper16
Copy link
Contributor

It appears that two authentication-only cipher suites have been defined for TLSv1.3 (see https://mailarchive.ietf.org/arch/msg/tls/0oy4wY4xiB1tASCBDWczh2xTVMM).

In looking at the TLS Cipher Suites registry, I noticed a number of recently-added cipher suites that are not yet in etc/cipher-mapping.txt:

I haven't had a chance to review these documents, so I don't know what would be involved in adding support for them to testssl.sh. For some of them it may be enough to just add the values for etc/cipher-mapping.txt, but for others at least some additional work would be required.

Value Description Reference
0xC0,0xB0 TLS_ECCPWD_WITH_AES_128_GCM_SHA256 [RFC8492]
0xC0,0xB1 TLS_ECCPWD_WITH_AES_256_GCM_SHA384 [RFC8492]
0xC0,0xB2 TLS_ECCPWD_WITH_AES_128_CCM_SHA256 [RFC8492]
0xC0,0xB3 TLS_ECCPWD_WITH_AES_256_CCM_SHA384 [RFC8492]
0xC0,0xB4 TLS_SHA256_SHA256 [draft-camwinget-tls-ts13-macciphersuites]
0xC0,0xB5 TLS_SHA384_SHA384 [draft-camwinget-tls-ts13-macciphersuites]
0xC1,0x00 TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC [draft-smyshlyaev-tls12-gost-suites]
0xC1,0x01 TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC [draft-smyshlyaev-tls12-gost-suites]
0xC1,0x02 TLS_GOSTR341112_256_WITH_28147_CNT_IMIT [draft-smyshlyaev-tls12-gost-suites]
0xD0,0x01 TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 [RFC8442]
0xD0,0x02 TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 [RFC8442]
0xD0,0x03 TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 [RFC8442]
0xD0,0x05 TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 [RFC8442]
@drwetter drwetter added this to the 3.0 milestone Feb 28, 2019
@drwetter
Copy link
Collaborator

drwetter commented Feb 28, 2019

Thanks, David for keeping an eye on it!

Will look into it next week. At least some ciphers need to be added to $ossl_strong_ciphers in run_cipherlists(), and in the preference check. Also it might be worth a try to find out whether there's an OpenSSL name yet,

Cheers, Dirk

@dcooper16
Copy link
Contributor Author

Hi Dirk,

I hadn't thought about adding the ciphers to run_cipherlists() and other changes like that.

The changes I was thinking about were, for example, that in order to test for RFC 8492 ciphers it seems that the ClientHello needs to include a pwd_name extension and possibly a key_share extension. It may be okay that we don't know a valid user name, as the document recommends returning a ServerHello in response to an unknown name rather than terminating the connection (which would provide a way for an attacker to learn whether a user name is valid or not).

The draft-camwinget-tls-ts13-macciphersuites will require modifications to the code to "decrypt" the Server's response, but that should be very easy, since the data is not actually encrypted.

@drwetter
Copy link
Collaborator

Hi David, I haven't even clicked any link yet ;-)

@dcooper16 dcooper16 changed the title FYI: New TLS cipher suites FYI: New TLS code points Mar 5, 2019
@dcooper16
Copy link
Contributor Author

In addition to the new cipher suites mentioned above, below are some more code points that have recently been registered:

TLS Supported Groups

Value Description Reference
31 brainpoolP256r1 [draft-bruckert-brainpool-for-tls13]
32 brainpoolP384r1 [draft-bruckert-brainpool-for-tls13]
33 brainpoolP512r1 [draft-bruckert-brainpool-for-tls13]
34 GC256A [draft-smyshlyaev-tls12-gost-suites]
35 GC256B [draft-smyshlyaev-tls12-gost-suites]
36 GC256C [draft-smyshlyaev-tls12-gost-suites]
37 GC256D [draft-smyshlyaev-tls12-gost-suites]
38 GC512A [draft-smyshlyaev-tls12-gost-suites]
39 GC512B [draft-smyshlyaev-tls12-gost-suites]
40 GC512C [draft-smyshlyaev-tls12-gost-suites]

TLS SignatureAlgorithm (for TLSv1.2 and earlier)

Value Description Reference
64 gostr34102012_256 [draft-smyshlyaev-tls12-gost-suites]
65 gostr34102012_512 [draft-smyshlyaev-tls12-gost-suites]

TLS SignatureScheme (for TLSv1.3)

Value Description Reference
0x081A ecdsa_brainpoolP256r1_sha256 [draft-bruckert-brainpool-for-tls13]
0x081B ecdsa_brainpoolP384r1_sha384 [draft-bruckert-brainpool-for-tls13]
0x081C ecdsa_brainpoolP512r1_sha512 [draft-bruckert-brainpool-for-tls13]

@drwetter
Copy link
Collaborator

drwetter commented Mar 6, 2019

Thanks!

maybe we should watch the page (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml) with a cronjob or the CSV files...

@drwetter drwetter modified the milestones: 3.0, 3.1dev Jan 20, 2020
@dcooper16
Copy link
Contributor Author

Just to update this issue:

  1. draft-bruckert-brainpool-for-tls13 is now RFC 8734
  2. There are two new documents specifying code points:

@drwetter
Copy link
Collaborator

Hi David,

thanks!

Would there be a negative impact if we add some of the values to our respective files? (draft: can't tell whether it's a good idea or we'd rather wait. --> you can tell better I guess)

Cheers,. Dirk

@dcooper16
Copy link
Contributor Author

Hi Dirk,

Just adding these values to files such as etc/cipher-mapping.txt probably wouldn't cause any problems, but I'm not sure. There is code in testssl.sh that would eventually need to be updated. For example, there is code in testssl.sh that assumes a cipher suite is a TLSv1.3 cipher suite if and only if its code point begins with 13.

So, for the moment I would suggest waiting.

dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Dec 2, 2022
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Dec 30, 2022
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Jan 17, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Jan 31, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Feb 2, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Feb 3, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Feb 6, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Feb 7, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Feb 8, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Feb 21, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Mar 13, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Mar 20, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Mar 27, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Mar 31, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Sep 5, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Sep 8, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Sep 11, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Sep 15, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Oct 3, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Oct 10, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Oct 11, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Nov 1, 2023
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Jan 3, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Jan 22, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Mar 19, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Apr 25, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Jun 13, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Jun 13, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
@drwetter drwetter added the 3.3dev next release label Jul 19, 2024
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Jul 23, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Aug 27, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Sep 5, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Sep 6, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Sep 9, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Oct 8, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Oct 15, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Oct 17, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Oct 29, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Nov 22, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Nov 27, 2024
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
dcooper16 added a commit to dcooper16/testssl.sh that referenced this issue Jan 13, 2025
This commit adds support for new codepoints as mentioned in testssl#1207 and testssl#2285.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants