You had me at EHLO.

--
Espi



On Wed, Jul 17, 2013 at 8:26 AM, Ziots, Edward <[email protected]> wrote:

> Chris,
>
> I believe in the Client Hello message the associated cipher specs are
> passed between the client and the server, and they agree on a mutual cipher
> specification they can support.
>
> You can look at this using openssl or sslscan (if you have a unix system).
>
> Here is an example of what you will see on a unix system:
>
> Testing SSL server google.com on port 443
>
>   Supported Server Cipher(s):
>     Rejected  SSLv2  168 bits  DES-CBC3-MD5
>     Rejected  SSLv2  56 bits   DES-CBC-MD5
>     Rejected  SSLv2  40 bits   EXP-RC2-CBC-MD5
>     Rejected  SSLv2  128 bits  RC2-CBC-MD5
>     Rejected  SSLv2  40 bits   EXP-RC4-MD5
>     Rejected  SSLv2  128 bits  RC4-MD5
>     Rejected  SSLv3  256 bits  ADH-AES256-SHA
>     Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
>     Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
>     Accepted  SSLv3  256 bits  AES256-SHA
>     Rejected  SSLv3  128 bits  ADH-AES128-SHA
>     Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
>     Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
>     Accepted  SSLv3  128 bits  AES128-SHA
>     Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
>     Rejected  SSLv3  56 bits   ADH-DES-CBC-SHA
>     Rejected  SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
>     Rejected  SSLv3  128 bits  ADH-RC4-MD5
>     Rejected  SSLv3  40 bits   EXP-ADH-RC4-MD5
>     Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
>     Rejected  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
>     Rejected  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
>     Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
>     Rejected  SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
>     Rejected  SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
>     Accepted  SSLv3  168 bits  DES-CBC3-SHA
>     Rejected  SSLv3  56 bits   DES-CBC-SHA
>     Rejected  SSLv3  40 bits   EXP-DES-CBC-SHA
>     Rejected  SSLv3  40 bits   EXP-RC2-CBC-MD5
>     Accepted  SSLv3  128 bits  RC4-SHA
>     Accepted  SSLv3  128 bits  RC4-MD5
>     Rejected  SSLv3  40 bits   EXP-RC4-MD5
>     Rejected  SSLv3  0 bits    NULL-SHA
>     Rejected  SSLv3  0 bits    NULL-MD5
>     Rejected  TLSv1  256 bits  ADH-AES256-SHA
>     Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
>     Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
>     Accepted  TLSv1  256 bits  AES256-SHA
>     Rejected  TLSv1  128 bits  ADH-AES128-SHA
>     Rejected  TLSv1  128 bits  DHE-RSA-AES128-SHA
>     Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
>     Accepted  TLSv1  128 bits  AES128-SHA
>     Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
>     Rejected  TLSv1  56 bits   ADH-DES-CBC-SHA
>     Rejected  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
>     Rejected  TLSv1  128 bits  ADH-RC4-MD5
>     Rejected  TLSv1  40 bits   EXP-ADH-RC4-MD5
>     Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
>     Rejected  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
>     Rejected  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
>     Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
>     Rejected  TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
>     Rejected  TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
>     Accepted  TLSv1  168 bits  DES-CBC3-SHA
>     Rejected  TLSv1  56 bits   DES-CBC-SHA
>     Rejected  TLSv1  40 bits   EXP-DES-CBC-SHA
>     Rejected  TLSv1  40 bits   EXP-RC2-CBC-MD5
>     Accepted  TLSv1  128 bits  RC4-SHA
>     Accepted  TLSv1  128 bits  RC4-MD5
>     Rejected  TLSv1  40 bits   EXP-RC4-MD5
>     Rejected  TLSv1  0 bits    NULL-SHA
>     Rejected  TLSv1  0 bits    NULL-MD5
>
>   Prefered Server Cipher(s):
>     SSLv3  128 bits  RC4-SHA
>     TLSv1  128 bits  RC4-SHA
>
>
> And here is the certificate information:
>
> SSL Certificate:
>     Version: 2
>     Serial Number: -4294967295
>     Signature Algorithm: sha1WithRSAEncryption
>     Issuer: /C=US/O=Google Inc/CN=Google Internet Authority
>     Not valid before: Jul 12 09:00:30 2013 GMT
>     Not valid after: Oct 31 23:59:59 2013 GMT
>     Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
>     Public Key Algorithm: rsaEncryption
>     RSA Public Key: (1024 bit)
>       Exponent: 65537 (0x10001)
>     X509v3 Extensions:
>       X509v3 Extended Key Usage:
>         TLS Web Server Authentication, TLS Web Client Authentication
>       X509v3 Subject Key Identifier:
>         0A:CF:FB:B2:52:23:8F:BE:DA:A4:3A:C6:63:66:AF:20:01:6C:5F:33
>       X509v3 Authority Key Identifier:
>         keyid:BF:C0:30:EB:F5:43:11:3E:67:BA:9E:91:FB:FC:6A:DA:E3:6B:12:24
>       X509v3 CRL Distribution Points:
>         URI:http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl
>
>
> Edward E. Ziots, CISSP, CISA, Security +, Network +
> Security Engineer
> Lifespan Organization
> [email protected]
> Work: 401-255-2497
>
>
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Christopher Bodnar
> Sent: Wednesday, July 17, 2013 11:04 AM
> To: [email protected]
> Subject: [NTSysADM] SSL/TLS question
>
>
> I'd really appreciate any help clarifying this topic for me.
>
> I know I should know this stuff, but I've never really had to deal with it
> much before besides installing a certificate on an IIS server. I've always
> seen them lumped together as SSL/TLS.
>
> OK.... so basically TLS is the next version of SSL
> (https://en.wikipedia.org/wiki/Transport_Layer_Security). That I get. What
> I was trying to find out is how you know what version is being used, and
> what dictates that. I initially thought that was the certificate. That does
> not seem to be the case. It seems that it's a negotiation based on what is
> configured on the client and the server, based on the application being
> used (Web, Mail, FTP, etc....). So for example on a generic web site using
> IE as the client and IIS as the web server with a certificate installed....
> the client and server negotiate the SSL/TLS version based on the browser's
> configuration and the registry keys on the server
> (HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols)?
>
> Is that right at a high level?
>
> Thanks
>
> Christopher Bodnar
> Enterprise Architect I, Corporate Office of Technology: Enterprise
> Architecture and Engineering Services
>
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> [email protected]
>
> The Guardian Life Insurance Company of America
> www.guardianlife.com
>
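The negotiation Ed describes (the client lists a version and cipher suites in its ClientHello, the server picks from them), as an added example that is not part of the thread: a small Python model that builds and parses a ClientHello record and applies the server-side choice. The cipher-suite codes are real IANA values; the messages, the server's preference list and the function names are constructed for illustration.

```python
"""Toy TLS handshake negotiation: build and parse a ClientHello record, then
choose the version and cipher suite the way a server does.  Constructed
illustration for the list thread, not code from any product or tool."""
import struct

# IANA cipher-suite codes (real values) with their OpenSSL-style names.
SUITES = {0x0035: "AES256-SHA", 0x002F: "AES128-SHA", 0x000A: "DES-CBC3-SHA",
          0x0005: "RC4-SHA", 0x0004: "RC4-MD5", 0x0002: "NULL-SHA",
          0x0039: "DHE-RSA-AES256-SHA", 0x0033: "DHE-RSA-AES128-SHA"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def build_client_hello(version, suites):
    """Wrap a minimal ClientHello in a TLS record (random bytes zeroed)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"        # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)  # offered suites, client order
    body += b"\x01\x00"                                    # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs  # record type 0x16

def parse_client_hello(record):
    """Return (client_version, [cipher suite codes]) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:]                      # skip 5-byte record + 4-byte handshake header
    version = (body[0], body[1])
    pos = 35 + body[34]                    # 2 version + 32 random + 1 len + session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n, 2)]
    return version, suites

def server_select(client_hello, server_max, server_min, server_prefs):
    """Pick the highest version both sides allow, then the first suite in the
    *server's* preference order that the client offered (server preference)."""
    client_version, offered = parse_client_hello(client_hello)
    version = min(client_version, server_max)
    if version < server_min:
        raise ValueError("no common protocol version")
    for suite in server_prefs:
        if suite in offered:
            return VERSIONS[version], SUITES[suite]
    raise ValueError("no common cipher suite")

if __name__ == "__main__":
    hello = build_client_hello((3, 1), [0x0039, 0x0035, 0x0005, 0x002F])
    print(server_select(hello, (3, 3), (3, 0), [0x0005, 0x0035, 0x002F]))
```

The sample run mirrors the sslscan output above: because RC4-SHA sits first in the server's list, it is chosen even though the client offered AES first, which is why a server's configured preference order matters as much as which suites it enables.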