Merge pull request #1438 from drwetter/update_clienthandshakes

Update clienthandshakes
Dirk Wetter 2020-01-16 22:26:21 +01:00 committed by GitHub
commit 86afeabf8f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 580 additions and 89 deletions


@ -741,7 +741,7 @@
minEcdsaBits+=(-1) minEcdsaBits+=(-1)
curves+=("X25519:prime256v1:secp384r1") curves+=("X25519:prime256v1:secp384r1")
requiresSha2+=(false) requiresSha2+=(false)
current+=(true) current+=(false)
names+=("Chrome 70 Win 10") names+=("Chrome 70 Win 10")
short+=("chrome_70_win10") short+=("chrome_70_win10")
@ -776,7 +776,7 @@
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0304") highest_protocol+=("0x0304")
alpn+=("h2,http/1.1") alpn+=("h2,http/1.1")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1024) minDhBits+=(1024)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -798,7 +798,51 @@
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0304") highest_protocol+=("0x0304")
alpn+=("h2,http/1.1") alpn+=("h2,http/1.1")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1024)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1")
requiresSha2+=(false)
current+=(true)
names+=("Chrome 78 (Win 10)")
short+=("chrome_78_win10")
ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
sni+=("$SNI")
warning+=("")
handshakebytes+=("1603010200010001fc030332e6eabb5d4b9818074f79423b0a9cde127a309671fcf0d0420bdb68f98bbc9320085a3e18e8e5cf4060c1e7065523d344f09186ffb835c10095df30b1611bc49a0022eaea130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001912a2a000000000014001200000f73736c2e677374617469632e636f6d00170000ff01000100000a000a0008eaea001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b0029eaea000100001d0020e0a5bb30a2a14bc13685b4a19ba59628aad22b761dceb63a9dcfa10475f84260002d00020101002b000b0a0a0a0304030303020301001b00030200025a5a000100001500c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
protos+=("-no_ssl3 -no_ssl2")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("HTTP")
minDhBits+=(1024)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1")
requiresSha2+=(false)
current+=(false)
names+=("Chrome 79 (Win 10)")
short+=("chrome_79_win10")
ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
sni+=("$SNI")
warning+=("")
handshakebytes+=("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")
protos+=("-no_ssl3 -no_ssl2")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("HTTP")
minDhBits+=(1024) minDhBits+=(1024)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -819,7 +863,7 @@
tlsvers+=("-tls1") tlsvers+=("-tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0300")
highest_protocol+=("0x0301") highest_protocol+=("0x0301")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -840,7 +884,7 @@
tlsvers+=("-tls1") tlsvers+=("-tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0300")
highest_protocol+=("0x0301") highest_protocol+=("0x0301")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -861,7 +905,7 @@
tlsvers+=("-tls1") tlsvers+=("-tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0300")
highest_protocol+=("0x0301") highest_protocol+=("0x0301")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -882,7 +926,7 @@
tlsvers+=("-tls1") tlsvers+=("-tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0300")
highest_protocol+=("0x0301") highest_protocol+=("0x0301")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -903,7 +947,7 @@
tlsvers+=("-tls1") tlsvers+=("-tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0300")
highest_protocol+=("0x0301") highest_protocol+=("0x0301")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -924,7 +968,7 @@
tlsvers+=("-tls1") tlsvers+=("-tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0300")
highest_protocol+=("0x0301") highest_protocol+=("0x0301")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -945,7 +989,7 @@
tlsvers+=("-tls1") tlsvers+=("-tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0300")
highest_protocol+=("0x0301") highest_protocol+=("0x0301")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -966,7 +1010,7 @@
tlsvers+=("-tls1") tlsvers+=("-tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0300")
highest_protocol+=("0x0301") highest_protocol+=("0x0301")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -987,7 +1031,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0300")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1008,7 +1052,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0300")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1029,7 +1073,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0300")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1050,7 +1094,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1071,7 +1115,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0300")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1092,7 +1136,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0300")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1113,7 +1157,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1134,7 +1178,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1155,7 +1199,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(-1) minDhBits+=(-1)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1176,7 +1220,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1023) minDhBits+=(1023)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1197,7 +1241,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1023) minDhBits+=(1023)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1218,7 +1262,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1023) minDhBits+=(1023)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1239,7 +1283,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1023) minDhBits+=(1023)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1260,7 +1304,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1023) minDhBits+=(1023)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1281,7 +1325,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1023) minDhBits+=(1023)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1302,7 +1346,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1023) minDhBits+=(1023)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1323,7 +1367,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1023) minDhBits+=(1023)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1344,7 +1388,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1023) minDhBits+=(1023)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1365,7 +1409,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0304") highest_protocol+=("0x0304")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1023) minDhBits+=(1023)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1386,7 +1430,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0304") highest_protocol+=("0x0304")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1023) minDhBits+=(1023)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1407,7 +1451,7 @@
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0304") highest_protocol+=("0x0304")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1023) minDhBits+=(1023)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1415,7 +1459,7 @@
minEcdsaBits+=(-1) minEcdsaBits+=(-1)
curves+=("X25519:prime256v1:secp384r1:secp521r1") curves+=("X25519:prime256v1:secp384r1:secp521r1")
requiresSha2+=(false) requiresSha2+=(false)
current+=(true) current+=(false)
names+=("Firefox 66 (Win 8.1/10)") names+=("Firefox 66 (Win 8.1/10)")
short+=("firefox_66_win81") short+=("firefox_66_win81")
@ -1429,7 +1473,29 @@
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0304") highest_protocol+=("0x0304")
alpn+=("h2,http/1.1") alpn+=("h2,http/1.1")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1023)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
requiresSha2+=(false)
current+=(true)
names+=("Firefox 71 (Win 10)")
short+=("firefox_71_win10")
ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384")
sni+=("$SNI")
warning+=("")
handshakebytes+=("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")
protos+=("-no_ssl3 -no_ssl2")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("HTTP")
minDhBits+=(1023) minDhBits+=(1023)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -1922,6 +1988,50 @@
minEcdsaBits+=(-1) minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1") curves+=("X25519:secp256r1:secp384r1")
requiresSha2+=(false) requiresSha2+=(false)
current+=(false)
names+=("Opera 65 (Win 10)")
short+=("opera_65_win10")
ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
sni+=("$SNI")
warning+=("")
handshakebytes+=("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")
protos+=("-no_ssl2 -no_ssl3")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("HTTP,FTP")
minDhBits+=(-1)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1")
requiresSha2+=(false)
current+=(false)
names+=("Opera 66 (Win 10)")
short+=("opera_66_win10")
ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
sni+=("$SNI")
warning+=("")
handshakebytes+=("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")
protos+=("-no_ssl2 -no_ssl3")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("HTTP,FTP")
minDhBits+=(-1)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1")
requiresSha2+=(false)
current+=(true) current+=(true)
names+=("Safari 5.1.9 OS X 10.6.8") names+=("Safari 5.1.9 OS X 10.6.8")
@ -2554,7 +2664,7 @@
minEcdsaBits+=(-1) minEcdsaBits+=(-1)
curves+=("sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1:sect239k1:sect233k1:sect233r1:secp224k1:secp224r1:sect193r1:sect193r2:secp192k1:prime192v1:sect163k1:sect163r1:sect163r2:secp160k1:secp160r1:secp160r2") curves+=("sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1:sect239k1:sect233k1:sect233r1:secp224k1:secp224r1:sect193r1:sect193r2:secp192k1:prime192v1:sect163k1:sect163r1:sect163r2:secp160k1:secp160r1:secp160r2")
requiresSha2+=(false) requiresSha2+=(false)
current+=(true) current+=(false)
names+=("OpenSSL 1.0.2e") names+=("OpenSSL 1.0.2e")
short+=("openssl_102e") short+=("openssl_102e")
@ -2586,7 +2696,29 @@
handshakebytes+=("16030100c2010000be03036468410c4ae36f78a4357ad19fa61353e46aed101eff4e0c9f77ec654dc12eb4000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100005d00000013001100000e7465737473736c2e73683a343433000b000403000102000a000a0008001d001700190018002300000016000000170000000d0020001e060106020603050105020503040104020403030103020303020102020203") handshakebytes+=("16030100c2010000be03036468410c4ae36f78a4357ad19fa61353e46aed101eff4e0c9f77ec654dc12eb4000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100005d00000013001100000e7465737473736c2e73683a343433000b000403000102000a000a0008001d001700190018002300000016000000170000000d0020001e060106020603050105020503040104020403030103020303020102020203")
protos+=("-no_ssl2 -no_ssl3") protos+=("-no_ssl2 -no_ssl3")
tlsvers+=("-tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0301")
highest_protocol+=("0x0303")
alpn+=("h2,http/1.1")
service+=("ANY")
minDhBits+=(-1)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp521r1:secp384r1")
requiresSha2+=(false)
current+=(false)
names+=("OpenSSL 1.1.0l (Debian)")
short+=("openssl_110l")
ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
ciphersuites+=("")
sni+=("$SNI")
warning+=("")
handshakebytes+=("16030100bf010000bb030350a1cc6c1ae6c9726ce0a025f4d2c522e6b503d5ccd2d1740bd1bb2e7af108d5000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100005a00000010000e00000b7465737473736c2e6e6574000b000403000102000a000a0008001d001700190018002300000016000000170000000d0020001e060106020603050105020503040104020403030103020303020102020203")
protos+=("-no_ssl2 -no_ssl3")
tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0303") highest_protocol+=("0x0303")
alpn+=("h2,http/1.1") alpn+=("h2,http/1.1")
service+=("ANY") service+=("ANY")
@ -2608,7 +2740,29 @@
handshakebytes+=("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") handshakebytes+=("160301012d010001290303ac67ab7c72eea2e0f68615f02c9e566ed4a3bb0022c2ca1db7615acfb9dedd0120415470391af467e708e8983b134defcb4f4855e774606ae8223265af0fbb802a003e130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff010000a200000013001100000e7465737473736c2e73683a343433000b000403000102000a000c000a001d0017001e00190018002300000016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b00050403040303002d00020101003300260024001d0020b4556edddf807eb6b6bbcd61e25775a3992dd6f5caeee76d37f8895436efc972")
protos+=("-no_ssl2 -no_ssl3") protos+=("-no_ssl2 -no_ssl3")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0301")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("ANY")
minDhBits+=(-1)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:x448:secp521r1:secp384r1")
requiresSha2+=(true)
current+=(false)
names+=("OpenSSL 1.1.1d (Debian)")
short+=("openssl_111d")
ciphers+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
sni+=("$SNI")
warning+=("")
handshakebytes+=("16030101290100012503036f18cf85cf24e3676f0e79a3503aa9feefc961e3baed7b00fd876a2c6d2395b3205f4fb8769aa1e5279b848b3f35bec3d7aa9966595d22ebcd35e72f79b9d9fcc9003e130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100009e0000000f000d00000a7465737473736c2e7368000b000403000102000a000c000a001d0017001e00190018002300000016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b00050403040303002d00020101003300260024001d0020a12c2f7e04adcb76ce5eb8b05cf631e7cdf46f5e28cbe86a676d704098507b40")
protos+=("-no_ssl2 -no_ssl3")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0304") highest_protocol+=("0x0304")
alpn+=("h2,http/1.1") alpn+=("h2,http/1.1")
service+=("ANY") service+=("ANY")
@ -2641,6 +2795,28 @@
minEcdsaBits+=(-1) minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
requiresSha2+=(false) requiresSha2+=(false)
current+=(false)
names+=("Thunderbird (68.3)")
short+=("thunderbird_68_3_1")
ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384")
sni+=("$SNI")
warning+=("")
handshakebytes+=("1603010200010001fc030342ffc6c8b96ea60586a63fe7d97ec8d5c962b55ccfe02177cd94c8ea42f7333e209c9b6129e250f6fb8127664d26a46c410a6c217d4c2c4dc49125edd7191043810024130113031302c02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a0100018f00000013001100000e696d61702e676d61696c2e636f6d00170000ff01000100000a000e000c001d00170018001901000101000b00020100002300000005000501000000000033006b0069001d0020fb48d75e98e9e9c7a7aa32106b8856384f9af1e50f9bd45f2ae3dc349858741b00170041047138476a2fbfd6dc6fa4b351b99248abc20bf27ccb962445161036ec3df7bf7566e048374b72d4cbcf4526475a8a13bbaea75e5925514d6db1a4ae60f6a961fd002b0009080304030303020301000d0018001604030503060308040805080604010501060102030201002d00020101001c00024001001500a2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
protos+=("-no_ssl3 -no_ssl2")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("HTTP,SMTP,POP,IMAP")
minDhBits+=(-1)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
requiresSha2+=(false)
current+=(true) current+=(true)
names+=("Baidu Jan 2015") names+=("Baidu Jan 2015")
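Review bot: The two new Opera entries (Opera 65 and Opera 66) are added with `service+=("HTTP,FTP")`, while every other browser entry touched in this section is changed from `"HTTP,FTP"` to `"HTTP"`, including the new Chrome 78/79 and Firefox 71 entries. If dropping FTP for browsers is the intent of this change, both Opera entries should read `service+=("HTTP")` too; otherwise these two profiles would presumably still be selected against FTP targets while the other browsers are not. A smaller inconsistency in the same section: the Thunderbird entry is named `Thunderbird (68.3)` but its short id is `thunderbird_68_3_1`, so one of the two likely needs adjusting to the version that was actually captured.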


@ -0,0 +1,28 @@
This file contains client handshake data manually created from Wireshark.
The content needs to be added to client-simulation.txt which other part
comes from the SSLlabs client API via update_client_sim_data.pl
The whole process is done manually.
## Instructions how to add a client simulation:
* Start wireshark at a client or router. Best is during capture to filter for the target of your choice.
* Make sure you create a bit of encrypted traffic to your target. Attention, privacy: if you want to contribute, be aware that the ClientHello contains the target hostname (SNI).
* Make sure the client traffic is specific: For just "Android" do not use a browser! Use the play store app e.g..
* Stop recording.
* If needed sort for ClientHello.
* Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure, it's the right traffic.
* Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream.
* Figure out "protos" and "tlsvers" by looking at the supported_versions TLS extension (43=0x002b). May work only on modern clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 lists only TLS 1.2/1.3 here)
* Adjust "lowest_protocol" and "highest_protocol" accordingly.
* Get "curves" from at the supported groups TLS extension 10 = 0x00a. Omit any GREASE.
* Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010).
* Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true
* Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle
* For "ciphers" mark the cipher suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2cipher.sh`
* "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ``~/utils/hexstream2cipher.sh``
* Figure out the services by applying a good piece of human logic
* Before submitting a PR: test it yourself! You can also watch it again via wireshark


@ -3,28 +3,7 @@
# comes from the SSLlabs client API via update_client_sim_data.pl # comes from the SSLlabs client API via update_client_sim_data.pl
# The whole process is done manually. # The whole process is done manually.
# #
# Instructions how to add a client simulation: # Instructions how to add a client simulation see file "client-simulation.wiresharked.md".
# * Start wireshark at the client / router. Best is during capture to filter for the target you want to contribute.
# * Make sure you create a bit of encrypted traffic to a target of your choice 1) .
# * Make sure the client traffic is specific: For just "Android" do not use a browser!
# * Stop the recording.
# * If needed sort for ClientHello.
# * Look for the ClientHello which matches the source IP + destination you had in mind. Check the destination hostname in the SNI extension so that you can be sure, it's the right traffic.
# * Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream.
# * Figure out "protos" and "tlsvers" by looking at the supported_versions TLS extension (43=0x002b). May work only on modern clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 lists only TLS 1.2/1.3 here)
# * Adjust "lowest_protocol" and "highest_protocol" accordingly.
# * Get "curves" from at the supported groups TLS extension 10 = 0x00a. Omit any GREASE.
# * Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010).
# * Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true
# * Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle
# * For "ciphers" mark the Cipher Suites --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to ~/utils/hexstream2cipher.sh
# * "ciphersutes" are TLS 1.3 ciphersuites. You can identify them as they currently are like 0x130?. Retrieve them from above see ~/utils/hexstream2cipher.sh
# * Figure out the services by applying a good piece of logic
# * Before submitting a PR: test it yourself! You can also watch it again via wireshark
#
#
# 1) Attention, privacy: if you want to contribute it contains the target hostname (SNI)
names+=("Android 8.1 (native)") names+=("Android 8.1 (native)")
short+=("android_81") short+=("android_81")
@ -104,7 +83,7 @@
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0304") highest_protocol+=("0x0304")
alpn+=("h2,http/1.1") alpn+=("h2,http/1.1")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1024) minDhBits+=(1024)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -126,7 +105,51 @@
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0304") highest_protocol+=("0x0304")
alpn+=("h2,http/1.1") alpn+=("h2,http/1.1")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1024)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1")
requiresSha2+=(false)
current+=(true)
names+=("Chrome 78 (Win 10)")
short+=("chrome_78_win10")
ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
sni+=("$SNI")
warning+=("")
handshakebytes+=("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")
protos+=("-no_ssl3 -no_ssl2")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("HTTP")
minDhBits+=(1024)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1")
requiresSha2+=(false)
current+=(false)
names+=("Chrome 79 (Win 10)")
short+=("chrome_79_win10")
ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
sni+=("$SNI")
warning+=("")
handshakebytes+=("1603010200010001fc03032f8eea63ff25d05264565777081b6d1a326e12f37751c33c7e953973af65b2ab20a62f96b75b1c41454679b64cd32fb0fbbf99ff019501d92184d589a529c21c590022caca130113021303c02bc02fc02cc030cca9cca8c013c014009c009d002f0035000a010001917a7a000000000014001200000f73736c2e677374617469632e636f6d00170000ff01000100000a000a0008eaea001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201001200000033002b0029eaea000100001d0020465dfa0295bf9cd3578d2f23bbfdf58d6468c5dd0c071f0b7c6bb92fc507685b002d00020101002b000b0ababa0304030303020301001b00030200029a9a000100001500c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
protos+=("-no_ssl3 -no_ssl2")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("HTTP")
minDhBits+=(1024) minDhBits+=(1024)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -148,7 +171,29 @@
lowest_protocol+=("0x0301") lowest_protocol+=("0x0301")
highest_protocol+=("0x0304") highest_protocol+=("0x0304")
alpn+=("h2,http/1.1") alpn+=("h2,http/1.1")
service+=("HTTP,FTP") service+=("HTTP")
minDhBits+=(1023)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
requiresSha2+=(false)
current+=(true)
names+=("Firefox 71 (Win 10)")
short+=("firefox_71_win10")
ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384")
sni+=("$SNI")
warning+=("")
handshakebytes+=("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")
protos+=("-no_ssl3 -no_ssl2")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("HTTP")
minDhBits+=(1023) minDhBits+=(1023)
maxDhBits+=(-1) maxDhBits+=(-1)
minRsaBits+=(-1) minRsaBits+=(-1)
@ -220,6 +265,50 @@
minEcdsaBits+=(-1) minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1") curves+=("X25519:secp256r1:secp384r1")
requiresSha2+=(false) requiresSha2+=(false)
current+=(false)
names+=("Opera 65 (Win 10)")
short+=("opera_65_win10")
ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
sni+=("$SNI")
warning+=("")
handshakebytes+=("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")
protos+=("-no_ssl2 -no_ssl3")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("HTTP,FTP")
minDhBits+=(-1)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1")
requiresSha2+=(false)
current+=(false)
names+=("Opera 66 (Win 10)")
short+=("opera_66_win10")
ciphers+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
sni+=("$SNI")
warning+=("")
handshakebytes+=("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")
protos+=("-no_ssl2 -no_ssl3")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("HTTP,FTP")
minDhBits+=(-1)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1")
requiresSha2+=(false)
current+=(true) current+=(true)
names+=("OpenSSL 1.1.0j (Debian)") names+=("OpenSSL 1.1.0j (Debian)")
@ -242,6 +331,28 @@
minEcdsaBits+=(-1) minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp521r1:secp384r1") curves+=("X25519:secp256r1:secp521r1:secp384r1")
requiresSha2+=(false) requiresSha2+=(false)
current+=(false)
names+=("OpenSSL 1.1.0l (Debian)")
short+=("openssl_110l")
ciphers+=("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
ciphersuites+=("")
sni+=("$SNI")
warning+=("")
handshakebytes+=("16030100bf010000bb030350a1cc6c1ae6c9726ce0a025f4d2c522e6b503d5ccd2d1740bd1bb2e7af108d5000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100005a00000010000e00000b7465737473736c2e6e6574000b000403000102000a000a0008001d001700190018002300000016000000170000000d0020001e060106020603050105020503040104020403030103020303020102020203")
protos+=("-no_ssl2 -no_ssl3")
tlsvers+=("-tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0303")
alpn+=("h2,http/1.1")
service+=("ANY")
minDhBits+=(-1)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp521r1:secp384r1")
requiresSha2+=(false)
current+=(true) current+=(true)
names+=("OpenSSL 1.1.1b (Debian)") names+=("OpenSSL 1.1.1b (Debian)")
@ -253,7 +364,7 @@
handshakebytes+=("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") handshakebytes+=("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")
protos+=("-no_ssl2 -no_ssl3") protos+=("-no_ssl2 -no_ssl3")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1") tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0300") lowest_protocol+=("0x0301")
highest_protocol+=("0x0304") highest_protocol+=("0x0304")
alpn+=("h2,http/1.1") alpn+=("h2,http/1.1")
service+=("ANY") service+=("ANY")
@ -262,7 +373,29 @@
minRsaBits+=(-1) minRsaBits+=(-1)
maxRsaBits+=(-1) maxRsaBits+=(-1)
minEcdsaBits+=(-1) minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:X448:secp521r1:secp384r1") curves+=("X25519:secp256r1:x448:secp521r1:secp384r1")
requiresSha2+=(true)
current+=(false)
names+=("OpenSSL 1.1.1d (Debian)")
short+=("openssl_111d")
ciphers+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA")
ciphersuites+=("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256")
sni+=("$SNI")
warning+=("")
handshakebytes+=("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")
protos+=("-no_ssl2 -no_ssl3 -tls1_1 -tls1")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("ANY")
minDhBits+=(-1)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:x448:secp521r1:secp384r1")
requiresSha2+=(true) requiresSha2+=(true)
current+=(true) current+=(true)
@ -286,6 +419,28 @@
minEcdsaBits+=(-1) minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072") curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
requiresSha2+=(false) requiresSha2+=(false)
current+=(false)
names+=("Thunderbird (68.3)")
short+=("thunderbird_68_3_1")
ciphers+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA")
ciphersuites+=("TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384")
sni+=("$SNI")
warning+=("")
handshakebytes+=("1603010200010001fc030342ffc6c8b96ea60586a63fe7d97ec8d5c962b55ccfe02177cd94c8ea42f7333e209c9b6129e250f6fb8127664d26a46c410a6c217d4c2c4dc49125edd7191043810024130113031302c02bc02fcca9cca8c02cc030c00ac009c013c01400330039002f0035000a0100018f00000013001100000e696d61702e676d61696c2e636f6d00170000ff01000100000a000e000c001d00170018001901000101000b00020100002300000005000501000000000033006b0069001d0020fb48d75e98e9e9c7a7aa32106b8856384f9af1e50f9bd45f2ae3dc349858741b00170041047138476a2fbfd6dc6fa4b351b99248abc20bf27ccb962445161036ec3df7bf7566e048374b72d4cbcf4526475a8a13bbaea75e5925514d6db1a4ae60f6a961fd002b0009080304030303020301000d0018001604030503060308040805080604010501060102030201002d00020101001c00024001001500a2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
protos+=("-no_ssl3 -no_ssl2")
tlsvers+=("-tls1_3 -tls1_2 -tls1_1 -tls1")
lowest_protocol+=("0x0301")
highest_protocol+=("0x0304")
alpn+=("h2,http/1.1")
service+=("HTTP,SMTP,POP,IMAP")
minDhBits+=(-1)
maxDhBits+=(-1)
minRsaBits+=(-1)
maxRsaBits+=(-1)
minEcdsaBits+=(-1)
curves+=("X25519:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072")
requiresSha2+=(false)
current+=(true) current+=(true)
names+=("Safari 12.1 (iOS 12.2)") names+=("Safari 12.1 (iOS 12.2)")

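--- a/t/00_testssl_help.t
+++ b/t/00_testssl_help.t
@@ -0,0 +1,42 @@
+#!/usr/bin/env perl
+# Basics: is there a synatx error where alerady bash hiccups on?
+use strict;
+use Test::More;
+my $tests = 0;
+my $fileout="";
+# Blacklists we use to trigger an error:
+my $error_regexp1='(syntax|parse) (e|E)rror';
+my $error_regexp2='testssl.sh: line';
+my $error_regexp3='bash: warning';
+my $error_regexp4='command not found';
+my $error_regexp5='(syntax error|unexpected token)';
+printf "\n%s\n", "Testing whether just calling \"./testssl.sh\" produces no error ...";
+$fileout = `timeout 10 bash ./testssl.sh 2>&1`;
+my $retval=$?;
+unlike($fileout, qr/$error_regexp1/, "regex 1");
+$tests++;
+unlike($fileout, qr/$error_regexp2/, "regex 2");
+$tests++;
+unlike($fileout, qr/$error_regexp3/, "regex 3");
+$tests++;
+unlike($fileout, qr/$error_regexp4/, "regex 4");
+$tests++;
+unlike($fileout, qr/$error_regexp5/, "regex 5");
+$tests++;
+is($retval, 0, "return value should be equal zero: \"$retval\"");
+$tests++;
+printf "\n";
+done_testing($tests);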
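Review bot: `my $retval=$?;` stores Perl's raw wait status rather than the exit code, so when the run fails the diagnostic in `is($retval, 0, ...)` prints a value such as 31744 where `timeout` actually returned 124. Shifting it first, `my $retval = $? >> 8;`, makes the reported number match what testssl.sh or `timeout` exited with. The same line appears in t/01_testssl_banner.t. The header comment also carries two typos ("synatx", "alerady").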


@ -1,9 +0,0 @@
#!/usr/bin/env perl
use strict;
use Test::More tests => 1;
my $newer_bundles=`find etc/*.pem -newer etc/ca_hashes.txt`;
is($newer_bundles,"","List of CA bundles newer then etc/ca_hashes.txt should be empty. If not run utils/create_ca_hashes.sh");
done_testing;

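--- a/t/01_testssl_banner.t
+++ b/t/01_testssl_banner.t
@@ -0,0 +1,48 @@
+#!/usr/bin/env perl
+# Basics: is there a synatx error where already bash hiccups on?
+# --banner is equal to --version
+use strict;
+use Test::More;
+my $tests = 0;
+my $fileout="";
+# Blacklists we use to trigger an error:
+my $error_regexp1='(syntax|parse) (e|E)rror';
+my $error_regexp2='testssl.sh: line';
+my $error_regexp3='bash: warning';
+my $error_regexp4='command not found';
+my $error_regexp5='(syntax error|unexpected token)';
+# my $good_regexp='free software.*USAGE w/o ANY WARRANTY.*OWN RISK.*Using.*ciphers.*built(.*)platform';
+my $good_regexp='free software([\s\S]*)USAGE w/o ANY WARRANTY([\s\S]*)OWN RISK([\s\S]*)Using([\s\S]*)ciphers([\s\S]*)built([\s\S]*)platform';
+printf "\n%s\n", "Testing whether just calling \"./testssl.sh --banner\" produces no error ...";
+$fileout = `timeout 10 bash ./testssl.sh --banner 2>&1`;
+my $retval=$?;
+unlike($fileout, qr/$error_regexp1/, "regex 1");
+$tests++;
+unlike($fileout, qr/$error_regexp2/, "regex 2");
+$tests++;
+unlike($fileout, qr/$error_regexp3/, "regex 3");
+$tests++;
+unlike($fileout, qr/$error_regexp4/, "regex 4");
+$tests++;
+unlike($fileout, qr/$error_regexp5/, "regex 5");
+$tests++;
+like($fileout, qr/$good_regexp/, "regex positive");
+$tests++;
+is($retval, 0, "return value should be equal zero: \"$retval\"");
+$tests++;
+printf "\n";
+done_testing($tests);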
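Review bot: The commented-out `$good_regexp` line is dead code, and the live pattern replaces every `.*` with a capturing `([\s\S]*)` only so that it matches across newlines; none of the captures is used. Keeping the readable `.*` form and compiling it with the `s` flag, `like($fileout, qr/$good_regexp/s, "regex positive");`, gives the same match and lets the commented line be deleted.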

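--- a/t/02_clientsim_txt_parsable.t
+++ b/t/02_clientsim_txt_parsable.t
@@ -0,0 +1,26 @@
+#!/usr/bin/env perl
+# Just a functional test, whether ~/etc/client-simulation.txt
+# doesn't have any synatx errors
+use strict;
+use Test::More;
+my $tests = 0;
+my $fileout="";
+# Blacklists we use to trigger an error:
+my $error_regexp1='(syntax|parse) (e|E)rror';
+my $error_regexp2='client-simulation.txt:';
+printf "\n%s\n", "Testing whether \"~/etc/client-simulation.txt\" isn't broken ...";
+$fileout = `bash ./etc/client-simulation.txt 2>&1`;
+unlike($fileout, qr/$error_regexp1/, "regex 1");
+$tests++;
+unlike($fileout, qr/$error_regexp2/, "regex 2");
+$tests++;
+printf "\n";
+done_testing($tests);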
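Review bot: The exit status of `bash ./etc/client-simulation.txt` is never asserted, so a failure whose message matches neither `$error_regexp1` nor `$error_regexp2` still passes. Adding `is($? >> 8, 0, "exit status"); $tests++;` right after the backtick line closes that gap. Since the test runs this data file as a shell script, and the file appears to take contributed handshakes, a further assertion that every non-comment line is a plain `name+=(...)` append without command substitution would keep anything else from slipping in through a contribution.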

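--- a/t/05_ca_hashes_up_to_date.t
+++ b/t/05_ca_hashes_up_to_date.t
@@ -0,0 +1,12 @@
+#!/usr/bin/env perl
+use strict;
+use Test::More;
+printf "\n%s\n", "Testing whether CA certificates are newer their SPKI hashes \"~/etc/ca_hashes.txt\" ...";
+my $newer_bundles=`find etc/*.pem -newer etc/ca_hashes.txt`;
+is($newer_bundles,"","If there's an output with a *.pem file run \"~/utils/create_ca_hashes.sh\"");
+printf "\n";
+done_testing;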
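Review bot: `find etc/*.pem -newer etc/ca_hashes.txt` writes nothing to stdout when etc/ca_hashes.txt is missing or `find` itself fails, so `is($newer_bundles,"",...)` passes in exactly the case where the SPKI hash list is absent. Guard it with `ok(-s "etc/ca_hashes.txt", "ca_hashes.txt exists");` before the call and assert `$? == 0` after it. The check also depends on file mtimes, which a fresh git checkout does not preserve, so on CI the result may not reflect which file was committed last; regenerating the hashes and comparing them with the committed file would be sturdier. The printf text says "newer their" where "newer than" is meant.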


@ -21,8 +21,10 @@ die "Unable to open $prg" unless -f $prg;
my $uri="cloudflare.com"; my $uri="cloudflare.com";
printf "\n%s\n", "Unit testing JSON output ...";
#1 #1
printf "\n%s\n", "Unit testing plain JSON output --> $uri ..."; printf "%s\n", ".. plain JSON --> $uri ";
$out = `./testssl.sh $check2run --jsonfile tmp.json $uri`; $out = `./testssl.sh $check2run --jsonfile tmp.json $uri`;
$json = json('tmp.json'); $json = json('tmp.json');
unlink 'tmp.json'; unlink 'tmp.json';
@ -31,7 +33,7 @@ is(@errors,0,"no errors");
$tests++; $tests++;
#2 #2
printf "\n%s\n", "Unit testing pretty JSON output --> $uri ..."; printf "%s\n", ".. pretty JSON --> $uri ";
$out = `./testssl.sh $check2run --jsonfile-pretty tmp.json $uri`; $out = `./testssl.sh $check2run --jsonfile-pretty tmp.json $uri`;
$json = json('tmp.json'); $json = json('tmp.json');
unlink 'tmp.json'; unlink 'tmp.json';
@ -43,7 +45,7 @@ $tests++;
#3 #3
# This testss.sh run deliberately does NOT work as travis-ci.org blocks port 25 egress. # This testss.sh run deliberately does NOT work as travis-ci.org blocks port 25 egress.
# but the output should be fine. The idea is to have a unit test for a failed connection. # but the output should be fine. The idea is to have a unit test for a failed connection.
printf "\n%s\n", "Checking plain JSON output for a failed run '--mx $uri' ..."; printf "%s\n", ".. plain JSON for a failed run: '--mx $uri' ...";
$out = `./testssl.sh --ssl-native --openssl-timeout=10 $check2run --jsonfile tmp.json --mx $uri`; $out = `./testssl.sh --ssl-native --openssl-timeout=10 $check2run --jsonfile tmp.json --mx $uri`;
$json = json('tmp.json'); $json = json('tmp.json');
unlink 'tmp.json'; unlink 'tmp.json';
@ -53,7 +55,7 @@ $tests++;
#4 #4
# Same as above but with pretty JSON # Same as above but with pretty JSON
printf "\n%s\n", "Checking pretty JSON output for a failed run '--mx $uri' ..."; printf "%s\n", ".. pretty JSON for a failed run '--mx $uri' ...";
$out = `./testssl.sh --ssl-native --openssl-timeout=10 $check2run --jsonfile-pretty tmp.json --mx $uri`; $out = `./testssl.sh --ssl-native --openssl-timeout=10 $check2run --jsonfile-pretty tmp.json --mx $uri`;
$json = json('tmp.json'); $json = json('tmp.json');
unlink 'tmp.json'; unlink 'tmp.json';
@ -63,7 +65,7 @@ $tests++;
#5 #5
my $uri = "smtp-relay.gmail.com:587"; my $uri = "smtp-relay.gmail.com:587";
printf "\n%s\n", " Unit testing plain JSON output --> $uri ..."; printf "%s\n", " .. plain JSON and STARTTLS --> $uri ...";
$out = `./testssl.sh --jsonfile tmp.json $check2run -t smtp $uri`; $out = `./testssl.sh --jsonfile tmp.json $check2run -t smtp $uri`;
$json = json('tmp.json'); $json = json('tmp.json');
unlink 'tmp.json'; unlink 'tmp.json';
@ -71,7 +73,7 @@ unlink 'tmp.json';
is(@errors,0,"no errors"); is(@errors,0,"no errors");
$tests++; $tests++;
printf "\n";
done_testing($tests); done_testing($tests);
sub json($) { sub json($) {


@ -18,8 +18,10 @@ my $check2run="--color 0 --htmlfile tmp.html";
die "Unable to open $prg" unless -f $prg; die "Unable to open $prg" unless -f $prg;
printf "\n%s\n", "Doing HTML output checks";
#1 #1
printf "\n%s\n", "Running $prg against $uri to create HTML and terminal outputs (may take 2~3 minutes) ..."; printf "%s\n", " .. running $prg against $uri to create HTML and terminal outputs (may take 2~3 minutes)";
# specify a TERM_WIDTH so that the two calls to testssl.sh don't create HTML files with different values of TERM_WIDTH # specify a TERM_WIDTH so that the two calls to testssl.sh don't create HTML files with different values of TERM_WIDTH
$out = `TERM_WIDTH=120 $prg $check2run $uri`; $out = `TERM_WIDTH=120 $prg $check2run $uri`;
$html = `cat tmp.html`; $html = `cat tmp.html`;
@ -41,12 +43,12 @@ $edited_html =~ s/>/>/g;
$edited_html =~ s/"/"/g; $edited_html =~ s/"/"/g;
$edited_html =~ s/'/'/g; $edited_html =~ s/'/'/g;
printf "\n%s\n", "Comparing HTML and terminal outputs"; printf "\n%s\n", " .. comparing HTML and terminal outputs";
cmp_ok($edited_html, "eq", $out, "HTML file matches terminal output"); cmp_ok($edited_html, "eq", $out, "HTML file matches terminal output");
$tests++; $tests++;
#2 #2
printf "\n%s\n", "Running $prg against $uri with --debug 4 to create HTML output (may take 2~3 minutes)"; printf "\n%s\n", " .. running $prg against $uri with --debug 4 to create HTML output (may take another 2~3 minutes)";
# Redirect stderr to /dev/null in order to avoid some unexplained "date: invalid date" error messages # Redirect stderr to /dev/null in order to avoid some unexplained "date: invalid date" error messages
$out = `TERM_WIDTH=120 $prg $check2run --debug 4 $uri 2> /dev/null`; $out = `TERM_WIDTH=120 $prg $check2run --debug 4 $uri 2> /dev/null`;
$debughtml = `cat tmp.html`; $debughtml = `cat tmp.html`;
@ -66,9 +68,9 @@ $debughtml =~ s/HTTP clock skew \+?-?[0-9]* /HTTP clock skew
$debughtml =~ s/ Pre-test: .*\n//g; $debughtml =~ s/ Pre-test: .*\n//g;
$debughtml =~ s/.*OK: below 825 days.*\n//g; $debughtml =~ s/.*OK: below 825 days.*\n//g;
printf "\n%s\n", "Checking that using the --debug option doesn't affect the HTML file"; printf "\n%s\n", " .. checking that using the --debug option doesn't affect the HTML file";
cmp_ok($debughtml, "eq", $html, "HTML file created with --debug 4 matches HTML file created without --debug"); cmp_ok($debughtml, "eq", $html, "HTML file created with --debug 4 matches HTML file created without --debug");
$tests++; $tests++;
printf "\n%s\n";
printf "\n";
done_testing($tests); done_testing($tests);


@ -15,8 +15,11 @@ my (
$tests = 0; $tests = 0;
printf "\n%s\n", "Doing severity level checks";
#1 #1
pass("Running testssl.sh against badssl.com to create a JSON report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++; pass(" .. running testssl.sh against badssl.com to create a JSON report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++;
$out = `./testssl.sh -S -e -U --jsonfile tmp.json --severity LOW --color 0 badssl.com`; $out = `./testssl.sh -S -e -U --jsonfile tmp.json --severity LOW --color 0 badssl.com`;
$json = json('tmp.json'); $json = json('tmp.json');
unlink 'tmp.json'; unlink 'tmp.json';
@ -31,7 +34,7 @@ foreach my $f ( @$json ) {
is($found,0,"We should not have any finding with INFO level"); $tests++; is($found,0,"We should not have any finding with INFO level"); $tests++;
#2 #2
pass("Running testssl.sh against badssl.com to create a JSON-PRETTY report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++; pass(" .. running testssl.sh against badssl.com to create a JSON-PRETTY report with severity level equal greater than LOW (may take 2~3 minutes)"); $tests++;
$out = `./testssl.sh -S -e -U --jsonfile-pretty tmp.json --severity LOW --color 0 badssl.com`; $out = `./testssl.sh -S -e -U --jsonfile-pretty tmp.json --severity LOW --color 0 badssl.com`;
$json_pretty = json('tmp.json'); $json_pretty = json('tmp.json');
unlink 'tmp.json'; unlink 'tmp.json';
@ -45,6 +48,7 @@ foreach my $f ( @$vulnerabilities ) {
} }
is($found,0,"We should not have any finding with INFO level"); $tests++; is($found,0,"We should not have any finding with INFO level"); $tests++;
printf "\n";
done_testing($tests); done_testing($tests);
sub json($) { sub json($) {


@ -1,6 +1,7 @@
### Naming scheme ### Naming scheme
* 00-09: Does the reporting work at all? * 00-05: Does the bare testssl.sh work at all?
* 06-09: Does the reporting work at all?
* 20-39: Do scans work fine (client side)? * 20-39: Do scans work fine (client side)?
* 50-69: Are the results what I expect (server side)? * 50-69: Are the results what I expect (server side)?


@ -17,7 +17,11 @@ for ((i=0; i<len ; i+=4)); do
grepstr="0x${hs:$i:2},0x${hs:$((i+2)):2}" grepstr="0x${hs:$i:2},0x${hs:$((i+2)):2}"
echo -n " --> $grepstr --> " echo -n " --> $grepstr --> "
cip=$(grep -i -E "^ *${grepstr}" $mapfile | awk '{ print $3 }') cip=$(grep -i -E "^ *${grepstr}" $mapfile | awk '{ print $3 }')
if [[ $grepstr == 0x00,0xff ]]; then
echo TLS_EMPTY_RENEGOTIATION_INFO_SCSV
else
echo $cip echo $cip
fi
if "$first"; then if "$first"; then
ciphers="$cip" ciphers="$cip"
first=false first=false
@ -27,4 +31,4 @@ for ((i=0; i<len ; i+=4)); do
done done
echo echo
echo $ciphers echo ${ciphers%:}
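Review bot: The new `0x00,0xff` branch changes only what is echoed; `$cip` keeps whatever the `grep` on `$mapfile` returned, and that value is what gets assigned to `ciphers` a few lines later. If the mapping file has no entry for the SCSV (not visible here), the final list gains an empty element, and `${ciphers%:}` removes just one trailing colon, so an SCSV in the middle of the stream would leave `::` behind. Setting `cip=TLS_EMPTY_RENEGOTIATION_INFO_SCSV` inside the branch, or using `continue` there if the SCSV should stay out of the list, makes the printed trace and the result agree. `$mapfile` and `$cip` are also expanded unquoted; `"$mapfile"` and `echo "$cip"` would be safer. The loop's else branch lies outside the hunk.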