On Wed, May 30, 2012 at 1:57 PM, Andreas Metzler
<[email protected]> wrote:
> As swaks is a debugging tool I think it would be nice if there was some
> enhanced knob to force a specific TLS version (as s_client) does.
> Other than that I have not got any suggestions. Neither s_client
> nor gnutls-cli can handle this server gracefully either. ;-)

Good points; I exposed a protocol knob and a cipher knob.  I used your
server extensively for testing, thanks.

Change 1: expose to the user of swaks what protocols the underlying
openssl lib will support:
    swaks -q tls -tls -s m26s25.vlinux.de --dump
    squeeze: available protocols = SSLv2, SSLv3, TLSv1
    wheezy/sid: available protocols = SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2

Change 2: allow user to set allowed protocols or exclude protocols
    swaks -q tls -tls -s m26s25.vlinux.de
        === TLS started with cipher TLSv1.1:DHE-RSA-AES256-SHA:256
    swaks -q tls -tls -s m26s25.vlinux.de --tls-protocol no_tlsv1_1,no_tlsv1
        === TLS started with cipher SSLv3:DHE-RSA-AES256-SHA:256
    swaks -q tls -tls -s m26s25.vlinux.de --tls-protocol sslv3
        === TLS started with cipher SSLv3:DHE-RSA-AES256-SHA:256

Change 3: Allow users to pass in a cipher list
    swaks -q tls -tls -s m26s25.vlinux.de
        === TLS started with cipher TLSv1.1:DHE-RSA-AES256-SHA:256
    swaks -q tls -tls -s m26s25.vlinux.de -tls-cipher 3DES:+RSA
        === TLS started with cipher TLSv1.1:EDH-RSA-DES-CBC3-SHA:168

In re: change 2, I found a bug in sid's libnet-ssleay-perl 1.48-1 in
that one of the underlying constants used to set protocols is wrong,
meaning, on sid, forcing protocols isn't 100% reliable.  I do feel
absolutely sure that it's a problem in the perl module itself though.
I submitted a bug report for it, though it doesn't appear to have been
processed yet.

Thanks for the suggestions, this will be a useful improvement to swaks!

--John
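As an added example (not code from swaks, the thread, or the Net::SSLeay module), this is a Python reimplementation of the --tls-protocol semantics described above on top of the standard ssl module: an allow list of bare names, or an exclusion list of no_-prefixed names, checked against what the local OpenSSL build can speak (the counterpart of the "available protocols" line), plus a STARTTLS probe that reports the handshake the way swaks prints it, which is useful when auditing which versions your own MTA still accepts. The function names and the "tlsv1_3" entry are assumptions added here; the mail predates TLS 1.3.

```python
import smtplib
import ssl
import warnings
# swaks' protocol names -> the OP_NO_* bit that disables each; "tlsv1_3" is an
# assumption added here (the mail predates TLS 1.3).
_NO_BITS = {
    "sslv2": ssl.OP_NO_SSLv2, "sslv3": ssl.OP_NO_SSLv3, "tlsv1": ssl.OP_NO_TLSv1,
    "tlsv1_1": ssl.OP_NO_TLSv1_1, "tlsv1_2": ssl.OP_NO_TLSv1_2, "tlsv1_3": ssl.OP_NO_TLSv1_3,
}
# What this OpenSSL build can speak: the counterpart of "available protocols = ..." in --dump.
_HAS = {"sslv2": ssl.HAS_SSLv2, "sslv3": ssl.HAS_SSLv3, "tlsv1": ssl.HAS_TLSv1,
        "tlsv1_1": ssl.HAS_TLSv1_1, "tlsv1_2": ssl.HAS_TLSv1_2, "tlsv1_3": ssl.HAS_TLSv1_3}

def allowed_protocols(spec, available=None):
    """Protocols a spec permits: either all bare names (allow list, "sslv3") or all
    no_-prefixed (exclusion list, "no_tlsv1_1,no_tlsv1"); mixed or unknown = error."""
    available = {n for n in _NO_BITS if _HAS[n]} if available is None else set(available)
    items = [s.strip().lower() for s in spec.split(",") if s.strip()]
    if not items:
        return available
    excl = [i.startswith("no_") for i in items]
    if any(excl) and not all(excl):
        raise ValueError("cannot mix allow and no_ entries: %r" % spec)
    names = {i[3:] if e else i for i, e in zip(items, excl)}
    if names - set(_NO_BITS):  # a typo must not silently widen the allowed set
        raise ValueError("unknown protocol(s): %s" % ", ".join(sorted(names - set(_NO_BITS))))
    return available - names if all(excl) else available & names

def context_from_spec(spec):
    """Client context with every protocol the spec does not allow switched off."""
    ctx = ssl.create_default_context()  # verification stays on; load a cafile for a test host
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # let the OP_NO_* bits decide
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    allowed, all_no, want_no = allowed_protocols(spec), 0, 0
    for name, bit in _NO_BITS.items():
        all_no |= bit
        want_no |= bit if name not in allowed else 0
    with warnings.catch_warnings():  # OP_NO_* is deprecated since 3.10 but still honoured
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options = (int(ctx.options) & ~all_no) | want_no
    return ctx

def disabled_protocols(ctx):
    return {n for n, b in _NO_BITS.items() if b and int(ctx.options) & b}  # 0-valued bits skipped

def probe_starttls(host, spec, port=25, timeout=10):
    """STARTTLS under the spec, reported like swaks: 'TLS started with cipher proto:name:bits'."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:  # needs the network
        smtp.starttls(context=context_from_spec(spec))
        name, proto, bits = smtp.sock.cipher()
        return "TLS started with cipher %s:%s:%s" % (proto, name, bits)
```

Whether a version the spec allows is actually negotiable still depends on the OpenSSL build and its security level, exactly as the "available protocols" line in the --dump output shows for squeeze versus wheezy/sid.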