Re: [OT] Getting TLS handshake details

2022-04-15 Thread selvakumar netaji
On Thu, 14 Apr, 2022, 01:06 Christopher Schultz, <
ch...@christopherschultz.net> wrote:

> All,
>
> I asked this question a few years ago on SO and I didn't really get an
> answer:
>
> https://stackoverflow.com/questions/39374024/determine-diffie-hellman-parameters-length-for-a-tls-handshake-in-java
>
> Does anyone know if it's possible to get the DHE key-exchange parameters
> during the TLS handshake using just SSLSocket on the client end? I'm
> trying to detect when the server is using "weak" DH key lengths like <=
> 1024 bits.
>
> (I'm also curious as to why my ssltest tool[1] is unable to connect to a
> server which is allowing ADH-AES128-GCM-SHA256 aka
> TLS_DH_anon_WITH_AES_128_GCM_SHA256 ; I suspect it has something to do
> with my JVM's unwillingness to use 1024-bit DHE for the handshake, and I
> can't figure out how to turn it off. SSLLabs and sslscan both report
> this cipher suite as being "enabled" on the server, but my tool reports
> that the handshake failed, which usually implies that the cipher suite
> is disabled.)
>
> Thanks,
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: [OT] Getting TLS handshake details

2022-04-15 Thread Peter Kreuser
Chris,

> On 14.04.2022 at 23:21, Christopher Schultz wrote:
> 
> Peter,
> 
>> On 4/14/22 03:45, Peter Kreuser wrote:
>> Chris,
>>> On 13.04.2022 at 21:37, Christopher Schultz wrote:
>>> All,
>>> I asked this question a few years ago on SO and I didn't really get an 
>>> answer:
>>> https://stackoverflow.com/questions/39374024/determine-diffie-hellman-parameters-length-for-a-tls-handshake-in-java
>>> Does anyone know if it's possible to get the DHE key-exchange parameters 
>>> during the TLS handshake using just SSLSocket on the client end? I'm trying 
>>> to detect when the server is using "weak" DH key lengths like <= 1024 bits.
>>> (I'm also curious as to why my ssltest tool[1] is unable to connect to a 
>>> server which is allowing ADH-AES128-GCM-SHA256 aka 
>>> TLS_DH_anon_WITH_AES_128_GCM_SHA256 ; I suspect it has something to do with 
>>> my JVM's unwillingness to use 1024-bit DHE for the handshake, and I can't 
>>> figure out how to turn it off. SSLLabs and sslscan both report this cipher 
>>> suite as being "enabled" on the server, but my tool reports that the 
>>> handshake failed, which usually implies that the cipher suite is disabled.)
>> Is your question how to detect this in code? Or specifically in Java?
> 
> Specifically in Java, and without any cooperation from the server e.g. 
> returning the details in some kind of HTTP header. I expect to perform a TLS 
> handshake only and then terminate the socket connection.
> 
>> Anyways, do you know testssl.sh?
> 
> I think that just executes openssl in a loop, no?

Not quite. It sets openssl params for specific tls testcases and verifies 
output from the tls response or certs.
Plus it has a test case for known dhparams.

However that info may not be accessible from java, as Thomas said.

Peter
>> If I want to know how to handle a specific tls problem I check in
>> Dirk's code and start from there...
> -chris
> 

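Added example, not from any message in this thread: since the thread notes that SSLSocket may not expose the DH parameters, this Java code reads the prime length directly from the server's raw TLS 1.2 handshake bytes, the way an external scanner would. It assumes the bytes were captured from a handshake that offered only DHE or DH_anon suites; the class and method names are hypothetical and the sample flight is constructed.

```java
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.nio.ByteBuffer;
public class DhParamLength {
    // Bit length of dh_p in a TLS <= 1.2 server flight, or -1 if it cannot be read.
    // Assumes the suite is DHE or DH_anon; ECDHE uses a different ServerKeyExchange layout.
    static int dhPrimeBits(byte[] serverFlight) {
        // 1. Strip the record layer: type(1) version(2) length(2) fragment.
        ByteBuffer rec = ByteBuffer.wrap(serverFlight);
        ByteArrayOutputStream hs = new ByteArrayOutputStream();
        while (rec.remaining() >= 5) {
            int type = rec.get() & 0xff;
            rec.getShort();                          // record version, unused
            int len = rec.getShort() & 0xffff;
            if (len > rec.remaining()) break;        // truncated capture
            byte[] frag = new byte[len];
            rec.get(frag);
            if (type == 22) hs.write(frag, 0, len);  // 22 = handshake
        }
        // 2. Walk handshake messages: msg_type(1) length(3) body.
        ByteBuffer msg = ByteBuffer.wrap(hs.toByteArray());
        while (msg.remaining() >= 4) {
            int msgType = msg.get() & 0xff;
            int len = ((msg.get() & 0xff) << 16) | (msg.getShort() & 0xffff);
            if (len > msg.remaining()) break;
            // 12 = server_key_exchange; skip everything else
            if (msgType != 12) { msg.position(msg.position() + len); continue; }
            // 3. ServerDHParams begins with dh_p, a vector with a 2-byte length prefix.
            if (len < 2 || (msg.getShort(msg.position()) & 0xffff) > len - 2) return -1;
            byte[] p = new byte[msg.getShort() & 0xffff];
            msg.get(p);
            return new BigInteger(1, p).bitLength();
        }
        return -1;
    }
    public static void main(String[] args) {
        // Constructed sample, not a capture: 1024-bit stand-in for dh_p, g = 2, 1-byte Ys.
        byte[] p = new byte[128];
        p[0] = (byte) 0x80; p[127] = 0x01;
        ByteBuffer body = ByteBuffer.allocate(2 + 128 + 2 + 1 + 2 + 1);
        body.putShort((short) 128).put(p).putShort((short) 1).put((byte) 2).putShort((short) 1).put((byte) 5);
        int n = body.capacity();
        ByteBuffer flight = ByteBuffer.allocate(5 + 4 + n);
        flight.put((byte) 22).putShort((short) 0x0303).putShort((short) (4 + n));
        flight.put((byte) 12).put((byte) 0).putShort((short) n).put(body.array());
        int bits = dhPrimeBits(flight.array());
        System.out.println("dh_p: " + bits + " bits" + (bits <= 1024 ? " (weak)" : ""));
    }
}
```

This only applies to TLS 1.2 and earlier, where the server sends explicit DH parameters; TLS 1.3 negotiates named groups instead.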


Re: [OT] Getting TLS handshake details

2022-04-14 Thread Christopher Schultz

Peter,

On 4/14/22 03:45, Peter Kreuser wrote:

> Chris,
>
>> On 13.04.2022 at 21:37, Christopher Schultz wrote:
>>
>> All,
>>
>> I asked this question a few years ago on SO and I didn't really get an answer:
>> https://stackoverflow.com/questions/39374024/determine-diffie-hellman-parameters-length-for-a-tls-handshake-in-java
>>
>> Does anyone know if it's possible to get the DHE key-exchange parameters during the TLS
>> handshake using just SSLSocket on the client end? I'm trying to detect when the server is
>> using "weak" DH key lengths like <= 1024 bits.
>>
>> (I'm also curious as to why my ssltest tool[1] is unable to connect to a server which is
>> allowing ADH-AES128-GCM-SHA256 aka TLS_DH_anon_WITH_AES_128_GCM_SHA256 ; I suspect it has
>> something to do with my JVM's unwillingness to use 1024-bit DHE for the handshake, and I
>> can't figure out how to turn it off. SSLLabs and sslscan both report this cipher suite as
>> being "enabled" on the server, but my tool reports that the handshake failed,
>> which usually implies that the cipher suite is disabled.)
>
> Is your question how to detect this in code? Or specifically in Java?

Specifically in Java, and without any cooperation from the server e.g. 
returning the details in some kind of HTTP header. I expect to perform a 
TLS handshake only and then terminate the socket connection.

> Anyways, do you know testssl.sh?

I think that just executes openssl in a loop, no?

> If I want to know how to handle a specific tls problem I check in
> Dirk's code and start from there...

-chris




Re: [OT] Getting TLS handshake details

2022-04-14 Thread Peter Kreuser
Chris,

> On 13.04.2022 at 21:37, Christopher Schultz wrote:
> 
> All,
> 
> I asked this question a few years ago on SO and I didn't really get an answer:
> https://stackoverflow.com/questions/39374024/determine-diffie-hellman-parameters-length-for-a-tls-handshake-in-java
> 
> Does anyone know if it's possible to get the DHE key-exchange parameters 
> during the TLS handshake using just SSLSocket on the client end? I'm trying 
> to detect when the server is using "weak" DH key lengths like <= 1024 bits.
> 
> (I'm also curious as to why my ssltest tool[1] is unable to connect to a 
> server which is allowing ADH-AES128-GCM-SHA256 aka 
> TLS_DH_anon_WITH_AES_128_GCM_SHA256 ; I suspect it has something to do with 
> my JVM's unwillingness to use 1024-bit DHE for the handshake, and I can't 
> figure out how to turn it off. SSLLabs and sslscan both report this cipher 
> suite as being "enabled" on the server, but my tool reports that the 
> handshake failed, which usually implies that the cipher suite is disabled.)
> 
Is your question how to detect this in code? Or specifically in Java? 

Anyways, do you know testssl.sh? If I want to know how to handle a specific tls 
problem I check in Dirk's code and start from there...

Peter

> Thanks,
> -chris
> 