From 694e4c7b6ef3ed3857ad0fc5d5249a0df2171292 Mon Sep 17 00:00:00 2001 From: AlGreed Date: Fri, 28 Oct 2016 15:30:07 +0200 Subject: [PATCH 1/4] pretty json format + severity levels filter --- t/01_badssl.com.t | 10 +- testssl.sh | 1178 ++++++++++++++++++++++++++------------------- 2 files changed, 686 insertions(+), 502 deletions(-) diff --git a/t/01_badssl.com.t b/t/01_badssl.com.t index dc6c362..8c91e07 100755 --- a/t/01_badssl.com.t +++ b/t/01_badssl.com.t @@ -28,7 +28,7 @@ foreach my $f ( @$json ) { if ( $f->{id} eq "expiration" ) { $found = 1; like($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding reads expired."); $tests++; - is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++; + is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++; last; } } @@ -56,7 +56,7 @@ foreach my $f ( @$json ) { if ( $f->{id} eq "chain_of_trust" ) { $found = 1; like($f->{finding},qr/^All certificate trust checks failed/,"Finding says certificate cannot be trusted."); $tests++; - is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++; + is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++; last; } } @@ -100,7 +100,7 @@ foreach my $f ( @$json ) { if ( $f->{id} eq "chain_of_trust" ) { $found = 1; like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++; - is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++; + is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++; last; } } @@ -118,7 +118,7 @@ is($found,1,"We had a finding for this in the JSON output"); $tests++; # if ( $f->{id} eq "chain_of_trust" ) { # $found = 1; # like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++; -# is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++; +# is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++; # last; # } #} @@ -132,4 +132,4 @@ sub json($) { $file = `cat $file`; unlink $file; return from_json($file); -} +} \ No newline at end of file diff --git a/testssl.sh b/testssl.sh index a0573f8..f4a2dcd 100755 --- a/testssl.sh +++ b/testssl.sh @@ -146,7 +146,7 @@ BUGS=${BUGS:-""} # -bugs option from openssl, needed for DEBUG=${DEBUG:-0} # 1: normal putput the files in /tmp/ are kept for further debugging purposes # 2: list more what's going on , also lists some errors of connections # 3: slight hexdumps + other info, - # 4: display bytes sent via sockets + # 4: display bytes sent via sockets # 5: display bytes received via sockets # 6: whole 9 yards WIDE=${WIDE:-false} # whether to display for some options just ciphers or a table w hexcode/KX,Enc,strength etc. @@ -155,7 +155,7 @@ JSONFILE=${JSONFILE:-""} # jsonfile if used CSVFILE=${CSVFILE:-""} # csvfile if used APPEND=${APPEND:-false} # append to csv/json file instead of overwriting it HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes -UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses +UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or cipher limit of ~128 ciphers (e.g. old ASAs) # tuning vars, can not be set by a cmd line switch @@ -252,6 +252,8 @@ HEAD_REQ10="" readonly UA_STD="TLS tester from $SWURL" readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0" FIRST_FINDING=true # Is this the first finding we are outputting to file? +START_TIME=0 +END_TIME=0 # Devel stuff, see -q below TLS_LOW_BYTE="" @@ -261,6 +263,45 @@ HEX_CIPHER="" HEXDUMP=(hexdump -ve '16/1 "%02x " " \n"') # This is used to analyze the reply HEXDUMPPLAIN=(hexdump -ve '1/1 "%.2x"') # Replaces both xxd -p and tr -cd '[:print:]' +#################### SEVERITY #################### +INFO=0 +OK=0 +LOW=1 +MEDIUM=2 +HIGH=3 +CRITICAL=4 + +SEVERITY_LEVEL=0 + +set_severity_level() { + local severity=$1 + + if [[ "$severity" == "LOW" ]]; then + SEVERITY_LEVEL=$LOW + elif [[ "$severity" == "MEDIUM" ]]; then + SEVERITY_LEVEL=$MEDIUM + elif [[ "$severity" == "HIGH" ]]; then + SEVERITY_LEVEL=$HIGH + elif [[ "$severity" == "CRITICAL" ]]; then + SEVERITY_LEVEL=$CRITICAL + else + echo "Supported severity levels are LOW, MEDIUM, HIGH, CRITICAL!" + help + fi +} + +show_finding() { + local severity=$1 + + ([[ "$severity" == "DEBUG" ]]) || + ([[ "$severity" == "WARN" ]]) || + ([[ "$severity" == "INFO" ]] && [[ $SEVERITY_LEVEL -le $INFO ]]) || + ([[ "$severity" == "OK" ]] && [[ $SEVERITY_LEVEL -le $OK ]]) || + ([[ "$severity" == "LOW" ]] && [[ $SEVERITY_LEVEL -le $LOW ]]) || + ([[ "$severity" == "MEDIUM" ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]]) || + ([[ "$severity" == "HIGH" ]] && [[ $SEVERITY_LEVEL -le $HIGH ]]) || + ([[ "$severity" == "CRITICAL" ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]]) +} ###### some hexbytes for bash network sockets follow ###### @@ -312,7 +353,7 @@ declare TLS_CIPHER_EXPORT=() ###### output functions ###### # a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%' and '--' does the rest. -out(){ +out(){ # if [[ "$BASH_VERSINFO" -eq 4 ]]; then printf -- "%b" "${1//%/%%}" # else @@ -346,10 +387,10 @@ pr_greyln() { pr_grey "$1"; outln; } pr_done_good() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[0;34m$1" || out "\033[0;32m$1" ) || out "$1"; pr_off; } # litegreen (liteblue), This is good pr_done_goodln() { pr_done_good "$1"; outln; } -pr_done_best() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;34m$1" || out "\033[1;32m$1" ) || out "$1"; pr_off; } # green (blue), This is the best +pr_done_best() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;34m$1" || out "\033[1;32m$1" ) || out "$1"; pr_off; } # green (blue), This is the best pr_done_bestln() { pr_done_best "$1"; outln; } -pr_svrty_minor() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # yellow brown | academic or minor problem +pr_svrty_minor() { [[ "$COLOR" -eq 2 ]] && out "\033[1;33m$1" || out "$1"; pr_off; } # yellow brown | academic or minor problem pr_svrty_minorln() { pr_svrty_minor "$1"; outln; } pr_svrty_medium() { [[ "$COLOR" -eq 2 ]] && out "\033[0;33m$1" || out "$1"; pr_off; } # brown | it is not a bad problem but you shouldn't do this pr_svrty_mediumln() { pr_svrty_medium "$1"; outln; } @@ -448,20 +489,125 @@ set_color_functions() { } strip_quote() { - # remove color codes (see http://www.commandlinefu.com/commands/view/3584/remove-color-codes-special-characters-with-sed) + # remove color codes (see http://www.commandlinefu.com/commands/view/3584/remove-color-codes-special-characters-with-sed) # \', leading and all trailing spaces sed -e "s,\x1B\[[0-9;]*[a-zA-Z],,g" \ -e "s/\"/\\'/g" \ -e 's/^ *//g' \ - -e 's/ *$//g' <<< "$1" + -e 's/ *$//g' <<< "$1" } +#################### JSON FILE FORMATING #################### +fileout_pretty_json_header() { + START_TIME=$(date +%s) + + echo -e " \"host\" : \"$NODE\", + \"port\" : \"$PORT\", + \"startTime\" : \"$START_TIME\", + \"version\" : \"$VERSION\", + \"scanResult\" : { + " +} + +fileout_pretty_json_footer() { + local scan_time=$((END_TIME - START_TIME)) + echo -e " }, + \"ip\" : \"$NODEIP\", + \"scanTime\" : \"$scan_time\"\n}" +} + +fileout_json_header() { + "$do_json" && printf "[\n" > "$JSONFILE" + "$do_pretty_json" && (printf "{\n%s" "$(fileout_pretty_json_header)") > "$JSONFILE" +} + +fileout_json_footer() { + "$do_json" && printf "]\n" >> "$JSONFILE" + "$do_pretty_json" && (printf "\n%s" "$(fileout_pretty_json_footer)") >> "$JSONFILE" +} + +fileout_json_section() { + case $1 in + 1) + echo -e " \"service\" : [" + ;; + 2) + echo -e ",\n \"protocols\" : [" + ;; + 3) + echo -e ",\n \"ciphers\" : [" + ;; + 4) + echo -e ",\n \"pfs\" : [" + ;; + 5) + echo -e ",\n \"serverPreferences\" : [" + ;; + 6) + echo -e ",\n \"serverDefaults\" : [" + ;; + 7) + echo -e ",\n \"headerResponse\" : [" + ;; + 8) + echo -e ",\n \"vulnerabilities\" : [" + ;; + 9) + echo -e ",\n \"cipherTests\" : [" + ;; + 10) + echo -e ",\n \"browserSimulations\": [" + ;; + *) + echo "invalid section" + ;; + esac +} + +fileout_section_header(){ + local str="" + $2 && str="$(fileout_section_footer)" + "$do_pretty_json" && FIRST_FINDING=true && (printf "%s%s\n" "$str" "$(fileout_json_section "$1")") >> "$JSONFILE" +} + +fileout_section_footer() { + "$do_pretty_json" && printf "\n ]" >> "$JSONFILE" +} + +fileout_json_finding() { + if "$do_json"; then + "$FIRST_FINDING" || echo -n "," >> "$JSONFILE" + echo -e " { + \"id\" : \"$1\", + \"ip\" : \"$NODE/$NODEIP\", + \"port\" : \"$PORT\", + \"severity\" : \"$2\", + \"finding\" : \"$finding\" + }" >> "$JSONFILE" + fi + if "$do_pretty_json"; then + ("$FIRST_FINDING" && echo -n " {" >> "$JSONFILE") || echo -n ",{" >> "$JSONFILE" + echo -e -n " + \"id\" : \"$1\", + \"severity\" : \"$2\", + \"finding\" : \"$finding\" + }" >> "$JSONFILE" + fi +} + +is_json_format() { + ([[ -f "$JSONFILE" ]] && ("$do_json" || "$do_pretty_json")) +} + +################# JSON FILE FORMATING END #################### + +##################### FILE FORMATING ######################### fileout_header() { if "$APPEND"; then if [[ -f "$JSONFILE" ]]; then FIRST_FINDING=false # We need to insert a comma, because there is file content already else - "$do_json" && printf "[\n" > "$JSONFILE" + fileout_json_header fi if "$do_csv"; then if [[ -f "$CSVFILE" ]]; then @@ -473,34 +619,31 @@ fileout_header() { fi fi else - "$do_json" && printf "[\n" > "$JSONFILE" + fileout_json_header "$do_csv" && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE" fi } fileout_footer() { - "$do_json" && [[ -f "$JSONFILE" ]] && printf "]\n" >> "$JSONFILE" + is_json_format && fileout_json_footer } fileout() { # ID, SEVERITY, FINDING - local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")") + local severity="$2" - if "$do_json"; then - "$FIRST_FINDING" || echo -n "," >> $JSONFILE - echo -e " { - \"id\" : \"$1\", - \"ip\" : \"$NODE/$NODEIP\", - \"port\" : \"$PORT\", - \"severity\" : \"$2\", - \"finding\" : \"$finding\" - }" >> $JSONFILE + if show_finding "$severity"; then + local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")") + + is_json_format && (fileout_json_finding "$1" "$severity" "$finding") + + # does the following do any sanitization? + if "$do_csv"; then + echo -e \""$1\"",\"$NODE/$NODEIP\",\"$PORT"\",\""$severity"\",\""$finding"\"" >> "$CSVFILE" + fi + "$FIRST_FINDING" && FIRST_FINDING=false fi - # does the following do any sanitization? - if "$do_csv"; then - echo -e \""$1\"",\"$NODE/$NODEIP\",\"$PORT"\",\""$2"\",\""$finding"\"" >>$CSVFILE - fi - "$FIRST_FINDING" && FIRST_FINDING=false } +################### FILE FORMATING END ######################### ###### helper function definitions ###### @@ -778,7 +921,7 @@ run_http_header() { # populate vars for HTTP time debugme echo "$NOW_TIME: $HTTP_TIME" - + # delete from pattern til the end. We ignore any leading spaces (e.g. www.amazon.de) sed -e '//,$d' -e '//,$d' -e '/$HEADERFILE.2 @@ -801,7 +944,7 @@ run_http_header() { out ", redirecting to \"$redirect\"" if [[ $redirect == "http://"* ]]; then pr_svrty_high " -- Redirect to insecure URL (NOT ok)" - fileout "HTTP_STATUS_CODE" "NOT ok" \, "Redirect to insecure URL (NOT ok). Url: \"$redirect\"" + fileout "HTTP_STATUS_CODE" "HIGH" \, "Redirect to insecure URL (NOT ok). Url: \"$redirect\"" fi fileout "HTTP_STATUS_CODE" "INFO" \ "Testing HTTP header response @ \"$URL_PATH\", $HTTP_STATUS_CODE$msg_thereafter, redirecting to \"$redirect\"" @@ -885,7 +1028,7 @@ detect_ipv4() { fi pr_svrty_high "$result" outln "\n$spaces$your_ip_msg" - fileout "ip_in_header_$count" "NOT ok" "IPv4 address in header $result $your_ip_msg" + fileout "ip_in_header_$count" "HIGH" "IPv4 address in header $result $your_ip_msg" fi count=$count+1 done < $HEADERFILE @@ -988,7 +1131,7 @@ run_hsts() { # and https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json else out "--" - fileout "hsts" "NOT ok" "No support for HTTP Strict Transport Security" + fileout "hsts" "HIGH" "No support for HTTP Strict Transport Security" fi outln @@ -1044,7 +1187,7 @@ run_hpkp() { out "# of keys: " if [[ $hpkp_nr_keys -eq 1 ]]; then pr_svrty_high "1 (NOT ok), " - fileout "hpkp_keys" "NOT ok" "Only one key pinned in HPKP header, this means the site may become unavailable if the key is revoked" + fileout "hpkp_keys" "HIGH" "Only one key pinned in HPKP header, this means the site may become unavailable if the key is revoked" else out "$hpkp_nr_keys, " fileout "hpkp_keys" "OK" "$hpkp_nr_keys keys pinned in HPKP header, additional keys are available if the current key is revoked" @@ -1473,7 +1616,7 @@ std_cipherlists() { 1) # the ugly ones if [[ $sclient_success -eq 0 ]]; then pr_svrty_critical "offered (NOT ok)" - fileout "std_$4" "NOT ok" "$2 offered (NOT ok) - ugly" + fileout "std_$4" "CRITICAL" "$2 offered (NOT ok) - ugly" else pr_done_best "not offered (OK)" fileout "std_$4" "OK" "$2 not offered (OK)" @@ -1482,7 +1625,7 @@ std_cipherlists() { 2) # bad but not worst if [[ $sclient_success -eq 0 ]]; then pr_svrty_high "offered (NOT ok)" - fileout "std_$4" "NOT ok" "$2 offered (NOT ok) - bad" + fileout "std_$4" "HIGH" "$2 offered (NOT ok) - bad" else pr_done_good "not offered (OK)" fileout "std_$4" "OK" "$2 not offered (OK)" @@ -1498,7 +1641,7 @@ std_cipherlists() { fi ;; *) # we shouldn't reach this - pr_warning "?: $3 (please report this)" + pr_warning "?: $3 (please report this)" fileout "std_$4" "WARN" "return condition $3 unclear" ;; esac @@ -1830,7 +1973,7 @@ run_cipher_per_proto() { locally_supported "$proto" "$proto_text" || continue outln has_server_protocol "${proto:1}" || continue - + # The OpenSSL ciphers function, prior to version 1.1.0, could only understand -ssl2, -ssl3, and -tls1. if [[ "$proto" == "-ssl2" ]] || [[ "$proto" == "-ssl3" ]] || \ [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0"* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.1"* ]]; then @@ -1972,7 +2115,7 @@ create_client_simulation_tls_clienthello() { len=2*$(hex2dec "${tls_handshake_ascii:$offset:2}")+2 tls_compression_methods="${tls_handshake_ascii:$offset:$len}" offset=$offset+$len - + if [[ $offset -ge $tls_handshake_ascii_len ]]; then # No extensions out "$tls_handshake_ascii" @@ -3034,11 +3177,11 @@ run_protocols() { add_tls_offered "ssl2" if [[ 0 -eq "$nr_ciphers_detected" ]]; then pr_svrty_highln "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 "; - fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to CVE-2015-3197" + fileout "sslv2" "HIGH" "SSLv2 offered (NOT ok), vulnerable to CVE-2015-3197" else pr_svrty_critical "offered (NOT ok), also VULNERABLE to DROWN attack"; outln " -- $nr_ciphers_detected ciphers" - fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to DROWN attack. Detected ciphers: $nr_ciphers_detected" + fileout "sslv2" "CRITICAL" "SSLv2 offered (NOT ok), vulnerable to DROWN attack. Detected ciphers: $nr_ciphers_detected" fi fi ;; esac @@ -3049,7 +3192,7 @@ run_protocols() { case $? in 0) pr_svrty_criticalln "offered (NOT ok)" - fileout "sslv2" "NOT ok" "SSLv2 is offered (NOT ok)" + fileout "sslv2" "CRITICAL" "SSLv2 is offered (NOT ok)" add_tls_offered "ssl2" ;; 1) @@ -3058,7 +3201,7 @@ run_protocols() { ;; 5) pr_svrty_high "CVE-2015-3197: $supported_no_ciph2"; - fileout "sslv2" "WARN" "CVE-2015-3197: SSLv2 is $supported_no_ciph2" + fileout "sslv2" "HIGH" "CVE-2015-3197: SSLv2 is $supported_no_ciph2" add_tls_offered "ssl2" ;; 7) @@ -3076,7 +3219,7 @@ run_protocols() { case $? in 0) pr_svrty_highln "offered (NOT ok)" - fileout "sslv3" "NOT ok" "SSLv3 is offered (NOT ok)" + fileout "sslv3" "HIGH" "SSLv3 is offered (NOT ok)" latest_supported="0300" latest_supported_string="SSLv3" add_tls_offered "ssl3" @@ -3089,18 +3232,18 @@ run_protocols() { if [[ "$DETECTED_TLS_VERSION" == 03* ]]; then detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" pr_svrty_criticalln "server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" - fileout "sslv3" "NOT ok" "SSLv3: server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" + fileout "sslv3" "CRITICAL" "SSLv3: server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" else pr_svrty_criticalln "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" - fileout "sslv3" "NOT ok" "SSLv3: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" + fileout "sslv3" "CRITICAL" "SSLv3: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" fi ;; 5) - fileout "sslv3" "WARN" "SSLv3 is $supported_no_ciph1" pr_svrty_high "$supported_no_ciph2" + fileout "sslv3" "HIGH" "SSLv3 is $supported_no_ciph1" outln "(may need debugging)" add_tls_offered "ssl3" - ;; + ;; 7) fileout "sslv3" "INFO" "SSLv3 is not tested due to lack of local support" ;; # no local support @@ -3127,7 +3270,7 @@ run_protocols() { fileout "tls1" "INFO" "TLSv1.0 is not offered" # neither good or bad else pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string (NOT ok)" - fileout "tls1" "NOT ok" "TLSv1.0: connection failed rather than downgrading to $latest_supported_string (NOT ok)" + fileout "tls1" "CRITICAL" "TLSv1.0: connection failed rather than downgrading to $latest_supported_string (NOT ok)" fi ;; 2) @@ -3139,10 +3282,10 @@ run_protocols() { elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client" - fileout "tls1" "NOT ok" "TLSv1.0: server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" + fileout "tls1" "CRITICAL" "TLSv1.0: server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" else pr_svrty_criticalln " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" - fileout "tls1" "NOT ok" "TLSv1.0: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" + fileout "tls1" "CRITICAL" "TLSv1.0: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" fi ;; 5) @@ -3176,7 +3319,7 @@ run_protocols() { fileout "tls1_1" "INFO" "TLSv1.1 is not offered" # neither good or bad else pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string" - fileout "tls1_1" "NOT ok" "TLSv1.1: connection failed rather than downgrading to $latest_supported_string (NOT ok)" + fileout "tls1_1" "CRITICAL" "TLSv1.1: connection failed rather than downgrading to $latest_supported_string (NOT ok)" fi ;; 2) @@ -3184,17 +3327,17 @@ run_protocols() { if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then [[ $DEBUG -eq 1 ]] && out " -- downgraded" outln - fileout "tls1_1" "NOT ok" "TLSv1.1 is not offered, and downgraded to a weaker protocol (NOT ok)" + fileout "tls1_1" "CRITICAL" "TLSv1.1 is not offered, and downgraded to a weaker protocol (NOT ok)" elif [[ "$DETECTED_TLS_VERSION" == "0300" ]] && [[ "$latest_supported" == "0301" ]]; then pr_svrty_criticalln " -- server supports TLSv1.0, but downgraded to SSLv3 (NOT ok)" - fileout "tls1_1" "NOT ok" "TLSv1.1 is not offered, and downgraded to SSLv3 rather than TLSv1.0 (NOT ok)" + fileout "tls1_1" "CRITICAL" "TLSv1.1 is not offered, and downgraded to SSLv3 rather than TLSv1.0 (NOT ok)" elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -gt 0x0302 ]]; then detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" - fileout "tls1_1" "NOT ok" "TLSv1.1 is not offered, server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" + fileout "tls1_1" "CRITICAL" "TLSv1.1 is not offered, server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" else pr_svrty_criticalln " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" - fileout "tls1" "NOT ok" "TLSv1.1: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" + fileout "tls1" "CRITICAL" "TLSv1.1: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" fi ;; 5) @@ -3227,7 +3370,7 @@ run_protocols() { fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty else pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string" - fileout "tls1_1" "NOT ok" "TLSv1.2: connection failed rather than downgrading to $latest_supported_string" + fileout "tls1_1" "CRITICAL" "TLSv1.2: connection failed rather than downgrading to $latest_supported_string" fi ;; 2) @@ -3243,13 +3386,13 @@ run_protocols() { fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered and downgraded to a weaker protocol" elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then pr_svrty_criticalln " -- server supports $latest_supported_string, but downgraded to $detected_version_string" - fileout "tls1_2" "NOT ok" "TLSv1.2 is not offered, and downgraded to $detected_version_string rather than $latest_supported_string (NOT ok)" + fileout "tls1_2" "CRITICAL" "TLSv1.2 is not offered, and downgraded to $detected_version_string rather than $latest_supported_string (NOT ok)" elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -gt 0x0303 ]]; then pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client" - fileout "tls1_2" "NOT ok" "TLSv1.2 is not offered, server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" + fileout "tls1_2" "CRITICAL" "TLSv1.2 is not offered, server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" else pr_svrty_criticalln " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" - fileout "tls1" "NOT ok" "TLSv1.2: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" + fileout "tls1" "CRITICAL" "TLSv1.2: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" fi ;; 5) @@ -3271,19 +3414,19 @@ run_protocols() { pr_bold " Version tolerance " tls_sockets "05" "$TLS12_CIPHER" case $? in - 0) + 0) pr_svrty_criticalln "server claims support for non-existent TLSv1.4" - fileout "TLS Version Negotiation" "NOT ok" "Server claims support for non-existent TLSv1.4 (NOT ok)" + fileout "TLS Version Negotiation" "CRITICAL" "Server claims support for non-existent TLSv1.4 (NOT ok)" ;; 1) pr_svrty_criticalln "version negotiation did not work -- connection failed rather than downgrading to $latest_supported_string (NOT ok)" - fileout "TLS Version Negotiation" "NOT ok" "Version negotiation did not work -- connection failed rather than downgrading to $latest_supported_string (NOT ok)" + fileout "TLS Version Negotiation" "CRITICAL" "Version negotiation did not work -- connection failed rather than downgrading to $latest_supported_string (NOT ok)" ;; 2) case $DETECTED_TLS_VERSION in 0304) pr_svrty_criticalln "server claims support for TLSv1.3, which is still a working draft (NOT ok)" - fileout "TLS Version Negotiation" "NOT ok" "Server claims support for TLSv1.3, which is still a working draft (NOT ok)" + fileout "TLS Version Negotiation" "CRITICAL" "Server claims support for TLSv1.3, which is still a working draft (NOT ok)" ;; 0303|0302|0301|0300) if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then @@ -3293,7 +3436,7 @@ run_protocols() { fi if [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then pr_svrty_criticalln "server supports $latest_supported_string, but downgraded to $detected_version_string (NOT ok)" - fileout "TLS Version Negotiation" "NOT ok" "Downgraded to $detected_version_string rather than $latest_supported_string (NOT ok)" + fileout "TLS Version Negotiation" "CRITICAL" "Downgraded to $detected_version_string rather than $latest_supported_string (NOT ok)" else pr_done_bestln "downgraded to $detected_version_string (OK)" fileout "TLS Version Negotiation" "OK" "Downgraded to $detected_version_string" @@ -3301,12 +3444,12 @@ run_protocols() { ;; *) pr_svrty_criticalln "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" - fileout "TLS Version Negotiation" "NOT ok" "TLSv1.4: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" + fileout "TLS Version Negotiation" "CRITICAL" "TLSv1.4: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" ;; esac ;; 5) pr_svrty_criticalln "server claims support for non-existent TLSv1.4 (NOT ok)" - fileout "TLS Version Negotiation" "NOT ok" "Server claims support for non-existent TLSv1.4 (NOT ok)" + fileout "TLS Version Negotiation" "CRITICAL" "Server claims support for non-existent TLSv1.4 (NOT ok)" ;; esac fi @@ -3385,7 +3528,7 @@ read_dhbits_from_file() { elif [[ "$bits" -le 193 ]]; then # hmm, according to https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography it should ok pr_svrty_minor "$bits $add" # but openssl removed it https://github.com/drwetter/testssl.sh/issues/299#issuecomment-220905416 elif [[ "$bits" -le 224 ]]; then - out "$bits $add" + out "$bits $add" elif [[ "$bits" -gt 224 ]]; then pr_done_good "$bits $add" else @@ -3415,8 +3558,8 @@ run_server_preference() { outln pr_bold " Has server cipher order? " - [[ "$OPTIMAL_PROTO" == "-ssl2" ]] && addcmd="$OPTIMAL_PROTO" - if [[ ! "$OPTIMAL_PROTO" =~ ssl ]]; then + [[ "$OPTIMAL_PROTO" == "-ssl2" ]] && addcmd="$OPTIMAL_PROTO" + if [[ ! "$OPTIMAL_PROTO" =~ ssl ]]; then addcmd="$SNI" sni="$SNI" if "$HAS_NO_SSL2" && [[ -z "$SNI" ]]; then @@ -3468,7 +3611,7 @@ run_server_preference() { if [[ "$cipher1" != "$cipher2" ]]; then pr_svrty_high "nope (NOT ok)" remark4default_cipher=" (limited sense as client will pick)" - fileout "order" "NOT ok" "Server does NOT set a cipher order (NOT ok)" + fileout "order" "HIGH" "Server does NOT set a cipher order (NOT ok)" else pr_done_best "yes (OK)" remark4default_cipher="" @@ -3500,11 +3643,11 @@ run_server_preference() { ;; *SSLv2) pr_svrty_criticalln $default_proto - fileout "order_proto" "NOT ok" "Default protocol SSLv2" + fileout "order_proto" "CRITICAL" "Default protocol SSLv2" ;; *SSLv3) pr_svrty_criticalln $default_proto - fileout "order_proto" "NOT ok" "Default protocol SSLv3" + fileout "order_proto" "CRITICAL" "Default protocol SSLv3" ;; "") pr_warning "default proto empty" @@ -3526,11 +3669,11 @@ run_server_preference() { case "$default_cipher" in *NULL*|*EXP*) pr_svrty_critical "$default_cipher" - fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher" + fileout "order_cipher" "CRITICAL" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher" ;; *RC4*) pr_svrty_high "$default_cipher" - fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) remark4default_cipher" + fileout "order_cipher" "HIGH" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) remark4default_cipher" ;; *CBC*) pr_svrty_medium "$default_cipher" @@ -3542,7 +3685,7 @@ run_server_preference() { ;; # best ones ECDHE*AES*) pr_svrty_minor "$default_cipher" - fileout "order_cipher" "WARN" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (cbc) $remark4default_cipher" + fileout "order_cipher" "LOW" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (cbc) $remark4default_cipher" ;; # it's CBC. --> lucky13 "") pr_warning "default cipher empty" ; @@ -3741,7 +3884,7 @@ cipher_pref_check() { if [[ $p == tls1_2 ]]; then # for some servers the ClientHello is limited to 128 ciphers or the ClientHello itself has a length restriction. # So far, this was only observed in TLS 1.2, affected are e.g. old Cisco LBs or ASAs, see issue #189 - # To check whether a workaround is needed we send a laaarge list of ciphers/big client hello. If connect fails, + # To check whether a workaround is needed we send a laaarge list of ciphers/big client hello. If connect fails, # we hit the bug and automagically do the workround. Cost: this is for all servers only 1x more connect $OPENSSL s_client $STARTTLS -tls1_2 $BUGS -cipher "$overflow_probe_cipherlist" -connect $NODEIP:$PORT $PROXY $SNI >$ERRFILE >$TMPFILE if ! sclient_connect_successful $? $TMPFILE; then @@ -3852,8 +3995,8 @@ determine_trust() { local spaces=" " local -i certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem) local addtl_warning - - # If $json_prefix is not empty, then there is more than one certificate + + # If $json_prefix is not empty, then there is more than one certificate # and the output should should be indented by two more spaces. [[ -n $json_prefix ]] && spaces=" " @@ -3907,7 +4050,7 @@ determine_trust() { # all failed (we assume with the same issue), we're displaying the reason out " " verify_retcode_helper "${verify_retcode[1]}" - fileout "${json_prefix}chain_of_trust" "NOT ok" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[1]}"). $addtl_warning" + fileout "${json_prefix}chain_of_trust" "CRITICAL" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[1]}"). $addtl_warning" else # is one ok and the others not ==> display the culprit store if $some_ok ; then @@ -3930,7 +4073,7 @@ determine_trust() { [[ "$DEBUG" -eq 0 ]] && out "$spaces" pr_done_good "OK: $ok_was" fi - fileout "${json_prefix}chain_of_trust" "NOT ok" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning" + fileout "${json_prefix}chain_of_trust" "CRITICAL" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning" fi [[ -n "$addtl_warning" ]] && out "\n$spaces" && pr_warning "$addtl_warning" fi @@ -4010,7 +4153,7 @@ determine_tls_extensions() { savedir=$(pwd); cd $TEMPDIR # http://backreference.org/2010/05/09/ocsp-verification-with-openssl/ awk -v n=-1 '/Server certificate/ {start=1} - /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} } + /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} } inc { print > ("level" n ".crt") } /---END CERTIFICATE-----/{ inc=0 }' $TMPFILE nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)") @@ -4039,12 +4182,12 @@ determine_tls_extensions() { $OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug $alpn_params -status $ERRFILE >$TMPFILE if sclient_connect_successful $? $TMPFILE; then success=0 - grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext-alpn.txt + grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext-alpn.txt fi $OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug $npn_params -status $ERRFILE >$TMPFILE if sclient_connect_successful $? $TMPFILE ; then - success=0 - grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext-npn.txt + success=0 + grep -a 'TLS server extension' $TMPFILE >$TEMPDIR/tlsext-npn.txt break fi done # this loop is needed for IIS6 and others which have a handshake size limitations @@ -4074,7 +4217,7 @@ determine_tls_extensions() { savedir=$(pwd); cd $TEMPDIR # http://backreference.org/2010/05/09/ocsp-verification-with-openssl/ awk -v n=-1 '/Certificate chain/ {start=1} - /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} } + /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} } inc { print > ("level" n ".crt") } /---END CERTIFICATE-----/{ inc=0 }' $TMPFILE nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)") @@ -4102,7 +4245,7 @@ get_cn_from_cert() { local subject # attention! openssl 1.0.2 doesn't properly handle online output from certifcates from trustwave.com/github.com - #FIXME: use -nameopt oid for robustness + #FIXME: use -nameopt oid for robustness # for e.g. russian sites -esc_msb,utf8 works in an UTF8 terminal -- any way to check platform indepedent? # see x509(1ssl): @@ -4164,7 +4307,7 @@ wildcard_match() basename_offset=$len_servername-$len_basename # Check that initial part of $servername matches initial part of $certname - # and that final part of $servername matches final part of $certname. + # and that final part of $servername matches final part of $certname. [[ "${servername:0:len_part1}" != "${certname:0:len_part1}" ]] && return 1 [[ "${servername:basename_offset:len_basename}" != "$basename" ]] && return 1 @@ -4272,7 +4415,7 @@ certificate_info() { else spaces=" " fi - + cert_sig_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep "Signature Algorithm" | sed 's/^.*Signature Algorithm: //' | sort -u ) cert_key_algo=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | awk -F':' '/Public Key Algorithm:/ { print $2 }' | sort -u ) @@ -4365,15 +4508,15 @@ certificate_info() { ;; md2*) pr_svrty_criticalln "MD2" - fileout "${json_prefix}algorithm" "NOT ok" "Signature Algorithm: MD2 (NOT ok)" + fileout "${json_prefix}algorithm" "CRITICAL" "Signature Algorithm: MD2 (NOT ok)" ;; md4*) pr_svrty_criticalln "MD4" - fileout "${json_prefix}algorithm" "NOT ok" "Signature Algorithm: MD4 (NOT ok)" + fileout "${json_prefix}algorithm" "CRITICAL" "Signature Algorithm: MD4 (NOT ok)" ;; md5*) pr_svrty_criticalln "MD5" - fileout "${json_prefix}algorithm" "NOT ok" "Signature Algorithm: MD5 (NOT ok)" + fileout "${json_prefix}algorithm" "CRITICAL" "Signature Algorithm: MD5 (NOT ok)" ;; *) out "$cert_sig_algo (" @@ -4402,12 +4545,12 @@ certificate_info() { # see http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf # Table 2 @ chapter 5.6.1 (~ p64) if [[ $cert_key_algo =~ ecdsa ]] || [[ $cert_key_algo =~ ecPublicKey ]]; then - if [[ "$cert_keysize" -le 110 ]]; then # a guess + if [[ "$cert_keysize" -le 110 ]]; then # a guess pr_svrty_critical "$cert_keysize" - fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize EC bits (NOT ok)" + fileout "${json_prefix}key_size" "CRITICAL" "Server keys $cert_keysize EC bits (NOT ok)" elif [[ "$cert_keysize" -le 123 ]]; then # a guess pr_svrty_high "$cert_keysize" - fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize EC bits (NOT ok)" + fileout "${json_prefix}key_size" "HIGH" "Server keys $cert_keysize EC bits (NOT ok)" elif [[ "$cert_keysize" -le 163 ]]; then pr_svrty_medium "$cert_keysize" fileout "${json_prefix}key_size" "MEDIUM" "Server keys $cert_keysize EC bits" @@ -4427,11 +4570,11 @@ certificate_info() { if [[ "$cert_keysize" -le 512 ]]; then pr_svrty_critical "$cert_keysize" outln " bits" - fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize bits (NOT ok)" + fileout "${json_prefix}key_size" "CRITICAL" "Server keys $cert_keysize bits (NOT ok)" elif [[ "$cert_keysize" -le 768 ]]; then pr_svrty_high "$cert_keysize" outln " bits" - fileout "${json_prefix}key_size" "NOT ok" "Server keys $cert_keysize bits (NOT ok)" + fileout "${json_prefix}key_size" "HIGH" "Server keys $cert_keysize bits (NOT ok)" elif [[ "$cert_keysize" -le 1024 ]]; then pr_svrty_medium "$cert_keysize" outln " bits" @@ -4463,7 +4606,7 @@ certificate_info() { outln "$spaces$cert_fingerprint_sha2" fileout "${json_prefix}fingerprint" "INFO" "Fingerprints / Serial: $cert_fingerprint_sha1 / $cert_fingerprint_serial, $cert_fingerprint_sha2" [[ -z $CERT_FINGERPRINT_SHA2 ]] && \ - CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2" || + CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2" || CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2 $CERT_FINGERPRINT_SHA2" out "$indent"; pr_bold " Common Name (CN) " @@ -4541,7 +4684,7 @@ certificate_info() { if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$cn" ]]; then pr_svrty_criticalln "self-signed (NOT ok)" - fileout "${json_prefix}issuer" "NOT ok" "Issuer: selfsigned (NOT ok)" + fileout "${json_prefix}issuer" "CRITICAL" "Issuer: selfsigned (NOT ok)" else issuerfinding="$(pr_dquoted "$issuer_CN")" if [[ -z "$issuer_O" ]] && [[ -n "$issuer_DC" ]]; then @@ -4695,7 +4838,7 @@ certificate_info() { if ! echo $expire | grep -qw not; then pr_svrty_critical "expired!" expfinding="expired!" - expok="NOT ok" + expok="CRITICAL" else secs2warn=$((24 * 60 * 60 * days2warn2)) # low threshold first expire=$($OPENSSL x509 -in $HOSTCERT -checkend $secs2warn 2>>$ERRFILE) @@ -4708,12 +4851,12 @@ certificate_info() { else pr_svrty_medium "expires < $days2warn1 days ($days2expire)" expfinding+="expires < $days2warn1 days ($days2expire)" - expok="WARN" + expok="MEDIUM" fi else pr_svrty_high "expires < $days2warn2 days ($days2expire) !" expfinding+="expires < $days2warn2 days ($days2expire) !" - expok="NOT ok" + expok="HIGH" fi fi outln " ($startdate --> $enddate)" @@ -4727,7 +4870,7 @@ certificate_info() { crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')" if [[ -z "$crl" ]]; then pr_svrty_highln "--" - fileout "${json_prefix}crl" "NOT ok" "No CRL provided (NOT ok)" + fileout "${json_prefix}crl" "HIGH" "No CRL provided (NOT ok)" elif grep -q http <<< "$crl"; then if [[ $(count_lines "$crl") -eq 1 ]]; then outln "$crl" @@ -4745,7 +4888,7 @@ certificate_info() { ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE) if [[ -z "$ocsp_uri" ]]; then pr_svrty_highln "--" - fileout "${json_prefix}ocsp_uri" "NOT ok" "OCSP URI : -- (NOT ok)" + fileout "${json_prefix}ocsp_uri" "HIGH" "OCSP URI : -- (NOT ok)" else outln "$ocsp_uri" fileout "${json_prefix}ocsp_uri" "INFO" "OCSP URI : $ocsp_uri" @@ -4754,7 +4897,7 @@ certificate_info() { out "$indent"; pr_bold " OCSP stapling " if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then pr_svrty_minor "--" - fileout "${json_prefix}ocsp_stapling" "INFO" "OCSP stapling : not offered" + fileout "${json_prefix}ocsp_stapling" "LOW" "OCSP stapling : not offered" else if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then pr_done_good "offered" @@ -4848,7 +4991,7 @@ run_server_defaults() { all_tls_extensions="${all_tls_extensions} \"${line}\"" fi done <<<$TLS_EXTENSIONS - + cp "$TEMPDIR/$NODEIP.determine_tls_extensions.txt" $TMPFILE >$ERRFILE if [[ -z "$sessticket_str" ]]; then @@ -4917,7 +5060,7 @@ run_server_defaults() { fi fi done - + if [[ $certs_found -eq 0 ]]; then [[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions [[ -n "$TLS_EXTENSIONS" ]] && all_tls_extensions=" $TLS_EXTENSIONS" @@ -4952,9 +5095,9 @@ run_server_defaults() { unit=$(echo $sessticket_str | grep -a lifetime | sed -e 's/^.*'"$lifetime"'//' -e 's/[ ()]//g') out "$lifetime $unit " pr_svrty_minorln "(PFS requires session ticket keys to be rotated <= daily)" - fileout "session_ticket" "INFO" "TLS session tickes RFC 5077 valid for $lifetime $unit (PFS requires session ticket keys to be rotated at least daily)" + fileout "session_ticket" "LOW" "TLS session tickes RFC 5077 valid for $lifetime $unit (PFS requires session ticket keys to be rotated at least daily)" fi - + pr_bold " SSL Session ID support " if "$NO_SSL_SESSIONID"; then outln "no" @@ -4963,9 +5106,9 @@ run_server_defaults() { outln "yes" fileout "session_id" "INFO" "SSL session ID support: yes" fi - + tls_time - + i=1 while [[ $i -le $certs_found ]]; do echo "${previous_hostcert[i]}" > $HOSTCERT @@ -5064,7 +5207,7 @@ run_pfs() { if ! "$pfs_offered"; then pr_svrty_medium "WARN: no PFS ciphers found" - fileout "pfs_ciphers" "NOT ok" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)" + fileout "pfs_ciphers" "MEDIUM" "(Perfect) Forward Secrecy Ciphers: no PFS ciphers found (NOT ok)" else fileout "pfs_ciphers" "INFO" "(Perfect) Forward Secrecy Ciphers: $pfs_ciphers" fi @@ -5615,7 +5758,7 @@ parse_sslv2_serverhello() { echo "SSLv2 cipher spec length: 0x$v2_hello_cipherspec_length" fi fi - + certificate_len=2*$(hex2dec "$v2_hello_cert_length") [[ -e $HOSTCERT ]] && rm $HOSTCERT [[ -e $TEMPDIR/intermediatecerts.pem ]] && rm $TEMPDIR/intermediatecerts.pem @@ -5637,7 +5780,7 @@ parse_sslv2_serverhello() { let offset=$offset+6 done echo "======================================" >> $TMPFILE - + tmpfile_handle $FUNCNAME.txt fi return $ret @@ -6089,10 +6232,10 @@ socksend_tls_clienthello() { 00, 18, 00, 09, 00, 0a, 00, 1a, 00, 16, 00, 17, 00, 1d, 00, 08, 00, 06, 00, 07, 00, 14, 00, 15, 00, 04, 00, 05, 00, 12, 00, 13, 00, 01, 00, 02, 00, 03, 00, 0f, 00, 10, 00, 11, - 00, 0b, # Type: Supported Point Formats , see RFC 4492 + 00, 0b, # Type: Supported Point Formats , see RFC 4492 00, 02, # len 01, 00" - + all_extensions=" $extension_heartbeat ,$extension_session_ticket @@ -6149,7 +6292,7 @@ socksend_tls_clienthello() { all_extensions=" ,$LEN_STR # first the len of all extentions. ,$all_extensions" - + fi # RFC 3546 doesn't specify SSLv3 to have SNI, openssl just ignores the switch if supplied @@ -6275,7 +6418,7 @@ tls_sockets() { # mainly adapted from https://gist.github.com/takeshixx/10107280 run_heartbleed(){ local tls_proto_offered tls_hexcode - local heartbleed_payload client_hello + local heartbleed_payload client_hello local -i n ret lines_returned local -i hb_rounds=3 local append="" @@ -6396,7 +6539,7 @@ run_heartbleed(){ else rm "$SOCK_REPLY_FILE" pr_svrty_critical "VULNERABLE (NOT ok)" - fileout "heartbleed" "NOT ok" "Heartbleed (CVE-2014-0160): VULNERABLE (NOT ok)$append" + fileout "heartbleed" "CRITICAL" "Heartbleed (CVE-2014-0160): VULNERABLE (NOT ok)$append" ret=1 break fi @@ -6422,7 +6565,7 @@ run_heartbleed(){ out "likely " pr_svrty_critical "VULNERABLE (NOT ok)" [[ $DEBUG -ge 1 ]] && out " use debug >=2 to confirm" - fileout "heartbleed" "NOT ok" "Heartbleed (CVE-2014-0160): likely VULNERABLE (NOT ok)$append" + fileout "heartbleed" "CRITICAL" "Heartbleed (CVE-2014-0160): likely VULNERABLE (NOT ok)$append" fi else # for the repeated tries we did that already @@ -6557,9 +6700,9 @@ run_ccs_injection(){ else pr_svrty_critical "VULNERABLE (NOT ok)" if [[ $retval -eq 3 ]]; then - fileout "ccs" "NOT ok" "CCS (CVE-2014-0224): VULNERABLE (NOT ok) (timed out)" + fileout "ccs" "CRITICAL" "CCS (CVE-2014-0224): VULNERABLE (NOT ok) (timed out)" else - fileout "ccs" "NOT ok" "CCS (CVE-2014-0224): VULNERABLE (NOT ok)" + fileout "ccs" "CRITICAL" "CCS (CVE-2014-0224): VULNERABLE (NOT ok)" fi ret=1 fi @@ -6590,7 +6733,7 @@ run_renego() { case $sec_renego in 0) pr_svrty_criticalln "VULNERABLE (NOT ok)" - fileout "secure_renego" "NOT ok" "Secure Renegotiation (CVE-2009-3555) : VULNERABLE (NOT ok)" + fileout "secure_renego" "CRITICAL" "Secure Renegotiation (CVE-2009-3555) : VULNERABLE (NOT ok)" ;; 1) pr_done_bestln "not vulnerable (OK)" @@ -6648,7 +6791,7 @@ run_renego() { case "$sec_client_renego" in 0) pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat" - fileout "sec_client_renego" "NOT ok" "Secure Client-Initiated Renegotiation : VULNERABLE (NOT ok), DoS threat" + fileout "sec_client_renego" "HIGH" "Secure Client-Initiated Renegotiation : VULNERABLE (NOT ok), DoS threat" ;; 1) pr_done_goodln "not vulnerable (OK)" @@ -6703,7 +6846,7 @@ run_crime() { else if [[ $SERVICE == "HTTP" ]]; then pr_svrty_high "VULNERABLE (NOT ok)" - fileout "crime" "NOT ok" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok)" + fileout "crime" "HIGH" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (NOT ok)" else pr_svrty_medium "VULNERABLE but not using HTTP: probably no exploit known" fileout "crime" "MEDIUM" "CRIME, TLS (CVE-2012-4929) : VULNERABLE (WARN), but not using HTTP: probably no exploit known" @@ -6804,7 +6947,7 @@ run_breach() { pr_svrty_high "potentially NOT ok, uses $result HTTP compression." outln "$disclaimer" outln "$spaces$when_makesense" - fileout "breach" "NOT ok" "BREACH (CVE-2013-3587) : potentially VULNERABLE, uses $result HTTP compression. $disclaimer ($when_makesense)" + fileout "breach" "HIGH" "BREACH (CVE-2013-3587) : potentially VULNERABLE, uses $result HTTP compression. $disclaimer ($when_makesense)" ret=1 fi # Any URL can be vulnerable. I am testing now only the given URL! @@ -6830,7 +6973,7 @@ run_ssl_poodle() { [[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" if [[ $sclient_success -eq 0 ]]; then pr_svrty_high "VULNERABLE (NOT ok)"; out ", uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)" - fileout "poodle_ssl" "NOT ok" "POODLE, SSL (CVE-2014-3566) : VULNERABLE (NOT ok), uses SSLv3+CBC (check if TLS_FALLBACK_SCSV mitigation is used)" + fileout "poodle_ssl" "HIGH" "POODLE, SSL (CVE-2014-3566) : VULNERABLE (NOT ok), uses SSLv3+CBC (check if TLS_FALLBACK_SCSV mitigation is used)" else pr_done_best "not vulnerable (OK)" fileout "poodle_ssl" "OK" "POODLE, SSL (CVE-2014-3566) : not vulnerable (OK)" @@ -6951,7 +7094,7 @@ run_freak() { [[ $DEBUG -eq 2 ]] && egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" if [[ $sclient_success -eq 0 ]]; then pr_svrty_critical "VULNERABLE (NOT ok)"; out ", uses EXPORT RSA ciphers" - fileout "freak" "NOT ok" "FREAK (CVE-2015-0204) : VULNERABLE (NOT ok), uses EXPORT RSA ciphers" + fileout "freak" "CRITICAL" "FREAK (CVE-2015-0204) : VULNERABLE (NOT ok), uses EXPORT RSA ciphers" else pr_done_best "not vulnerable (OK)"; out "$addtl_warning" fileout "freak" "OK" "FREAK (CVE-2015-0204) : not vulnerable (OK) $addtl_warning" @@ -7003,7 +7146,7 @@ run_logjam() { if [[ $sclient_success -eq 0 ]]; then pr_svrty_critical "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked." - fileout "logjam" "NOT ok" "LOGJAM (CVE-2015-4000) : VULNERABLE (NOT ok), uses DHE EXPORT ciphers, common primes not checked." + fileout "logjam" "CRITICAL" "LOGJAM (CVE-2015-4000) : VULNERABLE (NOT ok), uses DHE EXPORT ciphers, common primes not checked." else pr_done_best "not vulnerable (OK)"; out "$addtl_warning" fileout "logjam" "OK" "LOGJAM (CVE-2015-4000) : not vulnerable (OK) $addtl_warning" @@ -7040,7 +7183,7 @@ run_drown() { outln " (rerun with DEBUG >=2)" [[ $DEBUG -ge 3 ]] && hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" | head -1 ret=7 - fileout "drown" "MINOR_ERROR" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)" + fileout "drown" "WARN" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)" ;; 3) # vulnerable lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)") @@ -7049,10 +7192,10 @@ run_drown() { nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) if [[ 0 -eq "$nr_ciphers_detected" ]]; then pr_svrty_highln "CVE-2015-3197: SSLv2 supported but couldn't detect a cipher (NOT ok)"; - fileout "drown" "NOT ok" "SSLv2 offered (NOT ok), CVE-2015-3197: but could not detect a cipher" + fileout "drown" "HIGH" "SSLv2 offered (NOT ok), CVE-2015-3197: but could not detect a cipher" else pr_svrty_criticalln "VULNERABLE (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers"; - fileout "drown" "NOT ok" "VULNERABLE (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers" + fileout "drown" "CRITICAL" "VULNERABLE (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers" fi fi ret=1 @@ -7158,7 +7301,7 @@ run_beast(){ sclient_connect_successful $? $TMPFILE sclient_success=$? if [[ $sclient_success -eq 0 ]]; then - vuln_beast=true + vuln_beast=true "$WIDE" && first=false fi if "$WIDE"; then @@ -7168,7 +7311,7 @@ run_beast(){ neat_list "$HEXC" "$cbc_cipher" "$kx" "$enc" #why this is needed? if [[ $sclient_success -eq 0 ]]; then if [[ -n "$higher_proto_supported" ]]; then - pr_svrty_minorln "available" + pr_svrty_minorln "available" else pr_svrty_mediumln "available" fi @@ -7230,7 +7373,7 @@ run_beast(){ pr_svrty_minor "VULNERABLE" outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported" fi - fileout "beast" "MINOR" "BEAST (CVE-2011-3389) : VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported" + fileout "beast" "LOW" "BEAST (CVE-2011-3389) : VULNERABLE -- but also supports higher protocols (possible mitigation):$higher_proto_supported" else if "$WIDE"; then outln @@ -7326,7 +7469,7 @@ run_rc4() { done < <($OPENSSL ciphers -V $rc4_ciphers_list:@STRENGTH) outln "$WIDE" && pr_svrty_high "VULNERABLE (NOT ok)" - fileout "rc4" "NOT ok" "RC4 (CVE-2013-2566, CVE-2015-2808) : VULNERABLE (NOT ok) Detected ciphers: $rc4_detected" + fileout "rc4" "HIGH" "RC4 (CVE-2013-2566, CVE-2015-2808) : VULNERABLE (NOT ok) Detected ciphers: $rc4_detected" else pr_done_goodln "no RC4 ciphers detected (OK)" fileout "rc4" "OK" "RC4 (CVE-2013-2566, CVE-2015-2808) : not vulnerable (OK)" @@ -7357,7 +7500,7 @@ run_tls_truncation() { old_fart() { outln "Get precompiled bins or compile https://github.com/PeterMosmans/openssl ." - fileout "old_fart" "ERROR" "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed. Get precompiled bins or compile https://github.com/PeterMosmans/openssl ." + fileout "old_fart" "WARN" "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed. Get precompiled bins or compile https://github.com/PeterMosmans/openssl ." fatal "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed." -5 } @@ -7544,7 +7687,7 @@ check4openssl_oldfarts() { # FreeBSD needs to have /dev/fd mounted. This is a friendly hint, see #258 check_bsd_mount() { - if [[ "$(uname)" == FreeBSD ]]; then + if [[ "$(uname)" == FreeBSD ]]; then if ! mount | grep -q "^devfs"; then outln "you seem to run $PROG_NAME= in a jail. Hopefully you're did \"mount -t fdescfs fdesc /dev/fd\"" elif mount | grep '/dev/fd' | grep -q fdescfs; then @@ -7610,7 +7753,7 @@ special invocations: partly mandatory parameters: URI host|host:port|URL|URL:port (port 443 is assumed unless otherwise specified) pattern an ignore case word pattern of cipher hexcode or any other string in the name, kx or bits - protocol is one of the STARTTLS protocols ftp,smtp,pop3,imap,xmpp,telnet,ldap + protocol is one of the STARTTLS protocols ftp,smtp,pop3,imap,xmpp,telnet,ldap (for the latter two you need e.g. the supplied openssl) tuning options (can also be preset via environment variables): @@ -7638,9 +7781,12 @@ file output options (can also be preset via environment variables): --logfile logs stdout to if file is a dir or to specified log file --json additional output of findings to JSON file in cwd --jsonfile additional output to JSON and output JSON to the specified file + --json-pretty additional pretty structed output of findings to JSON file in cwd + --jsonfile-pretty additional pretty structed output to JSON and output JSON to the specified file --csv additional output of findings to CSV file in cwd --csvfile set output to CSV and output CSV to the specified file --append if or exists rather append then overwrite + --severity severities with lower level will be filtered All options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl . @@ -7745,365 +7891,365 @@ EOF CIPHERS_BY_STRENGTH_FILE=$(mktemp $TEMPDIR/ciphers_by_strength.XXXXXX) cat >$CIPHERS_BY_STRENGTH_FILE << EOF - 0xCC,0x14 - ECDHE-ECDSA-CHACHA20-POLY1305 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD TLSv1.2 Kx=ECDH Au=ECDSA Enc=ChaCha20(256) Mac=AEAD - 0xCC,0x13 - ECDHE-RSA-CHACHA20-POLY1305 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20(256) Mac=AEAD - 0xCC,0x15 - DHE-RSA-CHACHA20-POLY1305 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD TLSv1.2 Kx=DH Au=RSA Enc=ChaCha20(256) Mac=AEAD - 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD - 0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD - 0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 - 0xC0,0x24 - ECDHE-ECDSA-AES256-SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 - 0xC0,0x14 - ECDHE-RSA-AES256-SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1 - 0xC0,0x0A - ECDHE-ECDSA-AES256-SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1 - 0xC0,0x22 - SRP-DSS-AES-256-CBC-SHA TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA SSLv3 Kx=SRP Au=DSS Enc=AES(256) Mac=SHA1 - 0xC0,0x21 - SRP-RSA-AES-256-CBC-SHA TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SHA1 - 0xC0,0x20 - SRP-AES-256-CBC-SHA TLS_SRP_SHA_WITH_AES_256_CBC_SHA SSLv3 Kx=SRP Au=SRP Enc=AES(256) Mac=SHA1 - 0x00,0xB7 - RSA-PSK-AES256-CBC-SHA384 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 TLSv1 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA384 - 0x00,0xB3 - DHE-PSK-AES256-CBC-SHA384 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA384 - 0x00,0x91 - DHE-PSK-AES256-CBC-SHA TLS_DHE_PSK_WITH_AES_256_CBC_SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA1 - 0xC0,0x9B - ECDHE-PSK-CAMELLIA256-SHA384 TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=Camellia(256) Mac=SHA384 - 0xC0,0x99 - RSA-PSK-CAMELLIA256-SHA384 TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLSv1 Kx=RSAPSK Au=RSA Enc=Camellia(256) Mac=SHA384 - 0xC0,0x97 - DHE-PSK-CAMELLIA256-SHA384 TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLSv1 Kx=DHEPSK Au=PSK Enc=Camellia(256) Mac=SHA384 - 0x00,0xAF - PSK-AES256-CBC-SHA384 TLS_PSK_WITH_AES_256_CBC_SHA384 TLSv1 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA384 - 0xC0,0x95 - PSK-CAMELLIA256-SHA384 TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLSv1 Kx=PSK Au=PSK Enc=Camellia(256) Mac=SHA384 - 0x00,0xA5 - DH-DSS-AES256-GCM-SHA384 TLS_DH_DSS_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(256) Mac=AEAD - 0x00,0xA3 - DHE-DSS-AES256-GCM-SHA384 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD - 0x00,0xA1 - DH-RSA-AES256-GCM-SHA384 TLS_DH_RSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(256) Mac=AEAD - 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD - 0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ChaCha20(256) Mac=AEAD - 0xCC,0xA8 - ECDHE-RSA-CHACHA20-POLY1305 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20(256) Mac=AEAD - 0xCC,0xAA - DHE-RSA-CHACHA20-POLY1305 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=ChaCha20(256) Mac=AEAD - 0xC0,0xAF - ECDHE-ECDSA-AES256-CCM8 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD - 0xC0,0xAD - ECDHE-ECDSA-AES256-CCM TLS_ECDHE_ECDSA_WITH_AES_256_CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD - 0xC0,0xA3 - DHE-RSA-AES256-CCM8 TLS_DHE_RSA_WITH_AES_256_CCM_8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD - 0xC0,0x9F - DHE-RSA-AES256-CCM TLS_DHE_RSA_WITH_AES_256_CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(256) Mac=AEAD - 0x00,0x6B - DHE-RSA-AES256-SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 - 0x00,0x6A - DHE-DSS-AES256-SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256 - 0x00,0x69 - DH-RSA-AES256-SHA256 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA256 - 0x00,0x68 - DH-DSS-AES256-SHA256 TLS_DH_DSS_WITH_AES_256_CBC_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA256 - 0x00,0x39 - DHE-RSA-AES256-SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 - 0x00,0x38 - DHE-DSS-AES256-SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1 - 0x00,0x37 - DH-RSA-AES256-SHA TLS_DH_RSA_WITH_AES_256_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA1 - 0x00,0x36 - DH-DSS-AES256-SHA TLS_DH_DSS_WITH_AES_256_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA1 - 0xC0,0x77 - ECDHE-RSA-CAMELLIA256-SHA384 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384 - 0xC0,0x73 - ECDHE-ECDSA-CAMELLIA256-SHA384 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384 - 0x00,0xC4 - DHE-RSA-CAMELLIA256-SHA256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256 - 0x00,0xC3 - DHE-DSS-CAMELLIA256-SHA256 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA256 - 0x00,0xC2 - DH-RSA-CAMELLIA256-SHA256 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=Camellia(256) Mac=SHA256 - 0x00,0xC1 - DH-DSS-CAMELLIA256-SHA256 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=Camellia(256) Mac=SHA256 - 0x00,0x88 - DHE-RSA-CAMELLIA256-SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1 - 0x00,0x87 - DHE-DSS-CAMELLIA256-SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1 - 0x00,0x86 - DH-RSA-CAMELLIA256-SHA TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=Camellia(256) Mac=SHA1 - 0x00,0x85 - DH-DSS-CAMELLIA256-SHA TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=Camellia(256) Mac=SHA1 - 0xC0,0x19 - AECDH-AES256-SHA TLS_ECDH_anon_WITH_AES_256_CBC_SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1 - 0x00,0xA7 - ADH-AES256-GCM-SHA384 TLS_DH_anon_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD - 0x00,0x6D - ADH-AES256-SHA256 TLS_DH_anon_WITH_AES_256_CBC_SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256 - 0x00,0x3A - ADH-AES256-SHA TLS_DH_anon_WITH_AES_256_CBC_SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1 - 0x00,0xC5 - ADH-CAMELLIA256-SHA256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 TLSv1.2 Kx=DH Au=None Enc=Camellia(256) Mac=SHA256 - 0x00,0x89 - ADH-CAMELLIA256-SHA TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1 - 0x00,0xAD - RSA-PSK-AES256-GCM-SHA384 TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(256) Mac=AEAD - 0x00,0xAB - DHE-PSK-AES256-GCM-SHA384 TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) Mac=AEAD - 0xCC,0xAE - RSA-PSK-CHACHA20-POLY1305 TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=ChaCha20(256) Mac=AEAD - 0xCC,0xAD - DHE-PSK-CHACHA20-POLY1305 TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=ChaCha20(256) Mac=AEAD - 0xCC,0xAC - ECDHE-PSK-CHACHA20-POLY1305 TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=ECDHEPSK Au=PSK Enc=ChaCha20(256) Mac=AEAD - 0xC0,0xAB - DHE-PSK-AES256-CCM8 TLS_PSK_DHE_WITH_AES_256_CCM_8 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM8(256) Mac=AEAD - 0xC0,0xA7 - DHE-PSK-AES256-CCM TLS_DHE_PSK_WITH_AES_256_CCM TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM(256) Mac=AEAD - 0xC0,0x32 - ECDH-RSA-AES256-GCM-SHA384 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD - 0xC0,0x2E - ECDH-ECDSA-AES256-GCM-SHA384 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD - 0xC0,0x2A - ECDH-RSA-AES256-SHA384 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384 - 0xC0,0x26 - ECDH-ECDSA-AES256-SHA384 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384 - 0xC0,0x0F - ECDH-RSA-AES256-SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1 - 0xC0,0x05 - ECDH-ECDSA-AES256-SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1 - 0xC0,0x79 - ECDH-RSA-CAMELLIA256-SHA384 TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=Camellia(256) Mac=SHA384 - 0xC0,0x75 - ECDH-ECDSA-CAMELLIA256-SHA384 TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=Camellia(256) Mac=SHA384 - 0x00,0x9D - AES256-GCM-SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD - 0xC0,0xA1 - AES256-CCM8 TLS_RSA_WITH_AES_256_CCM_8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(256) Mac=AEAD - 0xC0,0x9D - AES256-CCM TLS_RSA_WITH_AES_256_CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(256) Mac=AEAD - 0x00,0xA9 - PSK-AES256-GCM-SHA384 TLS_PSK_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(256) Mac=AEAD - 0xCC,0xAB - PSK-CHACHA20-POLY1305 TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=ChaCha20(256) Mac=AEAD - 0xC0,0xA9 - PSK-AES256-CCM8 TLS_PSK_WITH_AES_256_CCM_8 TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM8(256) Mac=AEAD - 0xC0,0xA5 - PSK-AES256-CCM TLS_PSK_WITH_AES_256_CCM TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM(256) Mac=AEAD - 0x00,0x3D - AES256-SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 - 0x00,0x35 - AES256-SHA TLS_RSA_WITH_AES_256_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 - 0x00,0xC0 - CAMELLIA256-SHA256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256 - 0xC0,0x38 - ECDHE-PSK-AES256-CBC-SHA384 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA384 - 0xC0,0x36 - ECDHE-PSK-AES256-CBC-SHA TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA SSLv3 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA1 - 0x00,0x84 - CAMELLIA256-SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1 - 0x00,0x95 - RSA-PSK-AES256-CBC-SHA TLS_RSA_PSK_WITH_AES_256_CBC_SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA1 - 0x00,0x8D - PSK-AES256-CBC-SHA TLS_PSK_WITH_AES_256_CBC_SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1 - 0xC0,0x3D - - TLS_RSA_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=ARIA(256) Mac=SHA384 - 0xC0,0x3F - - TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=ARIA(256) Mac=SHA384 - 0xC0,0x41 - - TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=ARIA(256) Mac=SHA384 - 0xC0,0x43 - - TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=DH Au=DSS Enc=ARIA(256) Mac=SHA384 - 0xC0,0x45 - - TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=DH Au=RSA Enc=ARIA(256) Mac=SHA384 - 0xC0,0x47 - - TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=DH Au=None Enc=ARIA(256) Mac=SHA384 - 0xC0,0x49 - - TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIA(256) Mac=SHA384 - 0xC0,0x4B - - TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=ARIA(256) Mac=SHA384 - 0xC0,0x4D - - TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIA(256) Mac=SHA384 - 0xC0,0x4F - - TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=ARIA(256) Mac=SHA384 - 0xC0,0x51 - - TLS_RSA_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=ARIA(256) Mac=AEAD - 0xC0,0x53 - - TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=DH Au=RSA Enc=ARIA(256) Mac=AEAD - 0xC0,0x55 - - TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=ARIA(256) Mac=AEAD - 0xC0,0x57 - - TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=DH Au=DSS Enc=ARIA(256) Mac=AEAD - 0xC0,0x59 - - TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=ARIA(256) Mac=AEAD - 0xC0,0x5B - - TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=DH Au=None Enc=ARIA(256) Mac=AEAD - 0xC0,0x5D - - TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIA(256) Mac=AEAD - 0xC0,0x5F - - TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=ARIA(256) Mac=AEAD - 0xC0,0x61 - - TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIA(256) Mac=AEAD - 0xC0,0x63 - - TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=ARIA(256) Mac=AEAD - 0xC0,0x65 - - TLS_PSK_WITH_ARIA_256_CBC_SHA384 TLSv1 Kx=PSK Au=PSK Enc=ARIA(256) Mac=SHA384 - 0xC0,0x67 - - TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 TLSv1 Kx=DHEPSK Au=PSK Enc=ARIA(256) Mac=SHA384 - 0xC0,0x69 - - TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 TLSv1 Kx=RSAPSK Au=RSA Enc=ARIA(256) Mac=SHA384 - 0xC0,0x6B - - TLS_PSK_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=ARIA(256) Mac=AEAD - 0xC0,0x6D - - TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=ARIA(256) Mac=AEAD - 0xC0,0x6F - - TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=ARIA(256) Mac=AEAD - 0xC0,0x71 - - TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=ARIA(256) Mac=SHA384 - 0xC0,0x7B - - TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=CamelliaGCM(256) Mac=AEAD - 0xC0,0x7D - - TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=DH Au=RSA Enc=CamelliaGCM(256) Mac=AEAD - 0xC0,0x7F - - TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=CamelliaGCM(256) Mac=AEAD - 0xC0,0x81 - - TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=DH Au=DSS Enc=CamelliaGCM(256) Mac=AEAD - 0xC0,0x83 - - TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=CamelliaGCM(256) Mac=AEAD - 0xC0,0x85 - - TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=DH Au=None Enc=CamelliaGCM(256) Mac=AEAD - 0xC0,0x87 - - TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CamelliaGCM(256) Mac=AEAD - 0xC0,0x89 - - TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=CamelliaGCM(256) Mac=AEAD - 0xC0,0x8B - - TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=CamelliaGCM(256) Mac=AEAD - 0xC0,0x8D - - TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=CamelliaGCM(256) Mac=AEAD - 0xC0,0x8F - - TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=CamelliaGCM(256) Mac=AEAD - 0xC0,0x91 - - TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=CamelliaGCM(256) Mac=AEAD - 0xC0,0x93 - - TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=CamelliaGCM(256) Mac=AEAD - 0x00,0x80 - GOST94-GOST89-GOST89 TLS_GOSTR341094_WITH_28147_CNT_IMIT TLSv1 Kx=GOST Au=GOST94 Enc=GOST(256) Mac=GOST89IMIT - 0x00,0x81 - GOST2001-GOST89-GOST89 TLS_GOSTR341001_WITH_28147_CNT_IMIT SSLv3 Kx=GOST Au=GOST01 Enc=GOST(256) Mac=GOST89IMIT - 0xFF,0x00 - GOST-MD5 TLS_GOSTR341094_RSA_WITH_28147_CNT_MD5 TLSv1 Kx=RSA Au=RSA Enc=GOST(256) Mac=MD5 - 0xFF,0x01 - GOST-GOST94 TLS_RSA_WITH_28147_CNT_GOST94 TLSv1 Kx=RSA Au=RSA Enc=GOST(256) Mac=GOST94 - 0xFF,0x02 - GOST-GOST89MAC - TLSv1 Kx=RSA Au=RSA Enc=GOST(256) Mac=GOST89IMIT - 0xFF,0x03 - GOST-GOST89STREAM - TLSv1 Kx=RSA Au=RSA Enc=GOST(256) Mac=GOST89IMIT - 0xFF,0x85 - GOST2012256-GOST89-GOST89 - SSLv3 Kx=GOST Au=GOST01 Enc=GOST(256) Mac=GOST89IMIT - 0x16,0xB7 - - TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=CECPQ1 Au=RSA Enc=ChaCha20(256) Mac=AEAD - 0x16,0xB8 - - TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=CECPQ1 Au=ECDSA Enc=ChaCha20(256) Mac=AEAD - 0x16,0xB9 - - TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=CECPQ1 Au=RSA Enc=AESGCM(256) Mac=AEAD - 0x16,0xBA - - TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=CECPQ1 Au=ECDSA Enc=AESGCM(256) Mac=AEAD - 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD - 0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD - 0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 - 0xC0,0x23 - ECDHE-ECDSA-AES128-SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 - 0xC0,0x13 - ECDHE-RSA-AES128-SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1 - 0xC0,0x09 - ECDHE-ECDSA-AES128-SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1 - 0xC0,0x1F - SRP-DSS-AES-128-CBC-SHA TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA SSLv3 Kx=SRP Au=DSS Enc=AES(128) Mac=SHA1 - 0xC0,0x1E - SRP-RSA-AES-128-CBC-SHA TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA SSLv3 Kx=SRP Au=RSA Enc=AES(128) Mac=SHA1 - 0xC0,0x1D - SRP-AES-128-CBC-SHA TLS_SRP_SHA_WITH_AES_128_CBC_SHA SSLv3 Kx=SRP Au=SRP Enc=AES(128) Mac=SHA1 - 0x00,0xA4 - DH-DSS-AES128-GCM-SHA256 TLS_DH_DSS_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(128) Mac=AEAD - 0x00,0xA2 - DHE-DSS-AES128-GCM-SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD - 0x00,0xA0 - DH-RSA-AES128-GCM-SHA256 TLS_DH_RSA_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(128) Mac=AEAD - 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD - 0xC0,0xAE - ECDHE-ECDSA-AES128-CCM8 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(128) Mac=AEAD - 0xC0,0xAC - ECDHE-ECDSA-AES128-CCM TLS_ECDHE_ECDSA_WITH_AES_128_CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(128) Mac=AEAD - 0xC0,0xA2 - DHE-RSA-AES128-CCM8 TLS_DHE_RSA_WITH_AES_128_CCM_8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(128) Mac=AEAD - 0xC0,0x9E - DHE-RSA-AES128-CCM TLS_DHE_RSA_WITH_AES_128_CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(128) Mac=AEAD - 0x00,0xAC - RSA-PSK-AES128-GCM-SHA256 TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(128) Mac=AEAD - 0x00,0xAA - DHE-PSK-AES128-GCM-SHA256 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(128) Mac=AEAD - 0xC0,0xAA - DHE-PSK-AES128-CCM8 TLS_PSK_DHE_WITH_AES_128_CCM_8 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM8(128) Mac=AEAD - 0xC0,0xA6 - DHE-PSK-AES128-CCM TLS_DHE_PSK_WITH_AES_128_CCM TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM(128) Mac=AEAD - 0xC0,0xA0 - AES128-CCM8 TLS_RSA_WITH_AES_128_CCM_8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(128) Mac=AEAD - 0xC0,0x9C - AES128-CCM TLS_RSA_WITH_AES_128_CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(128) Mac=AEAD - 0x00,0xA8 - PSK-AES128-GCM-SHA256 TLS_PSK_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(128) Mac=AEAD - 0xC0,0xA8 - PSK-AES128-CCM8 TLS_PSK_WITH_AES_128_CCM_8 TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM8(128) Mac=AEAD - 0xC0,0xA4 - PSK-AES128-CCM TLS_PSK_WITH_AES_128_CCM TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM(128) Mac=AEAD - 0x00,0x67 - DHE-RSA-AES128-SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 - 0x00,0x40 - DHE-DSS-AES128-SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256 - 0x00,0x3F - DH-RSA-AES128-SHA256 TLS_DH_RSA_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA256 - 0x00,0x3E - DH-DSS-AES128-SHA256 TLS_DH_DSS_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(128) Mac=SHA256 - 0x00,0x33 - DHE-RSA-AES128-SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 - 0x00,0x32 - DHE-DSS-AES128-SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1 - 0x00,0x31 - DH-RSA-AES128-SHA TLS_DH_RSA_WITH_AES_128_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA1 - 0x00,0x30 - DH-DSS-AES128-SHA TLS_DH_DSS_WITH_AES_128_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=AES(128) Mac=SHA1 - 0xC0,0x76 - ECDHE-RSA-CAMELLIA128-SHA256 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256 - 0xC0,0x72 - ECDHE-ECDSA-CAMELLIA128-SHA256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256 - 0x00,0xBE - DHE-RSA-CAMELLIA128-SHA256 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256 - 0x00,0xBD - DHE-DSS-CAMELLIA128-SHA256 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA256 - 0x00,0xBC - DH-RSA-CAMELLIA128-SHA256 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=Camellia(128) Mac=SHA256 - 0x00,0xBB - DH-DSS-CAMELLIA128-SHA256 TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=Camellia(128) Mac=SHA256 - 0x00,0x9A - DHE-RSA-SEED-SHA TLS_DHE_RSA_WITH_SEED_CBC_SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1 - 0x00,0x99 - DHE-DSS-SEED-SHA TLS_DHE_DSS_WITH_SEED_CBC_SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1 - 0x00,0x98 - DH-RSA-SEED-SHA TLS_DH_RSA_WITH_SEED_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=SEED(128) Mac=SHA1 - 0x00,0x97 - DH-DSS-SEED-SHA TLS_DH_DSS_WITH_SEED_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=SEED(128) Mac=SHA1 - 0x00,0x45 - DHE-RSA-CAMELLIA128-SHA TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1 - 0x00,0x44 - DHE-DSS-CAMELLIA128-SHA TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1 - 0x00,0x43 - DH-RSA-CAMELLIA128-SHA TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=Camellia(128) Mac=SHA1 - 0x00,0x42 - DH-DSS-CAMELLIA128-SHA TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=Camellia(128) Mac=SHA1 - 0xC0,0x18 - AECDH-AES128-SHA TLS_ECDH_anon_WITH_AES_128_CBC_SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1 - 0x00,0xA6 - ADH-AES128-GCM-SHA256 TLS_DH_anon_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD - 0x00,0x6C - ADH-AES128-SHA256 TLS_DH_anon_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256 - 0x00,0x34 - ADH-AES128-SHA TLS_DH_anon_WITH_AES_128_CBC_SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1 - 0x00,0xBF - ADH-CAMELLIA128-SHA256 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=DH Au=None Enc=Camellia(128) Mac=SHA256 - 0x00,0x9B - ADH-SEED-SHA TLS_DH_anon_WITH_SEED_CBC_SHA SSLv3 Kx=DH Au=None Enc=SEED(128) Mac=SHA1 - 0x00,0x46 - ADH-CAMELLIA128-SHA TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1 - 0xC0,0x31 - ECDH-RSA-AES128-GCM-SHA256 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD - 0xC0,0x2D - ECDH-ECDSA-AES128-GCM-SHA256 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD - 0xC0,0x29 - ECDH-RSA-AES128-SHA256 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256 - 0xC0,0x25 - ECDH-ECDSA-AES128-SHA256 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256 - 0xC0,0x0E - ECDH-RSA-AES128-SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1 - 0xC0,0x04 - ECDH-ECDSA-AES128-SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1 - 0xC0,0x78 - ECDH-RSA-CAMELLIA128-SHA256 TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=Camellia(128) Mac=SHA256 - 0xC0,0x74 - ECDH-ECDSA-CAMELLIA128-SHA256 TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=Camellia(128) Mac=SHA256 - 0x00,0x9C - AES128-GCM-SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD - 0x00,0x3C - AES128-SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 - 0x00,0x2F - AES128-SHA TLS_RSA_WITH_AES_128_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 - 0x00,0xBA - CAMELLIA128-SHA256 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256 - 0xC0,0x37 - ECDHE-PSK-AES128-CBC-SHA256 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA256 - 0xC0,0x35 - ECDHE-PSK-AES128-CBC-SHA TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA SSLv3 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA1 - 0x00,0xB6 - RSA-PSK-AES128-CBC-SHA256 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 TLSv1 Kx=RSAPSK Au=RSA Enc=AES(128) Mac=SHA256 - 0x00,0xB2 - DHE-PSK-AES128-CBC-SHA256 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA256 - 0x00,0x90 - DHE-PSK-AES128-CBC-SHA TLS_DHE_PSK_WITH_AES_128_CBC_SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA1 - 0x00,0x96 - SEED-SHA TLS_RSA_WITH_SEED_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1 - 0x00,0x41 - CAMELLIA128-SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1 - 0xC0,0x9A - ECDHE-PSK-CAMELLIA128-SHA256 TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=Camellia(128) Mac=SHA256 - 0xC0,0x98 - RSA-PSK-CAMELLIA128-SHA256 TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLSv1 Kx=RSAPSK Au=RSA Enc=Camellia(128) Mac=SHA256 - 0xC0,0x96 - DHE-PSK-CAMELLIA128-SHA256 TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=Camellia(128) Mac=SHA256 - 0x00,0xAE - PSK-AES128-CBC-SHA256 TLS_PSK_WITH_AES_128_CBC_SHA256 TLSv1 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA256 - 0xC0,0x94 - PSK-CAMELLIA128-SHA256 TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLSv1 Kx=PSK Au=PSK Enc=Camellia(128) Mac=SHA256 - 0x00,0x07 - IDEA-CBC-SHA TLS_RSA_WITH_IDEA_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1 - 0x05,0x00,0x80 - IDEA-CBC-MD5 SSL_CK_IDEA_128_CBC_WITH_MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5 - 0x03,0x00,0x80 - RC2-CBC-MD5 SSL_CK_RC2_128_CBC_WITH_MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 - 0x00,0x94 - RSA-PSK-AES128-CBC-SHA TLS_RSA_PSK_WITH_AES_128_CBC_SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(128) Mac=SHA1 - 0x00,0x8C - PSK-AES128-CBC-SHA TLS_PSK_WITH_AES_128_CBC_SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1 - 0x00,0x21 - KRB5-IDEA-CBC-SHA TLS_KRB5_WITH_IDEA_CBC_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=IDEA(128) Mac=SHA1 - 0x00,0x25 - KRB5-IDEA-CBC-MD5 TLS_KRB5_WITH_IDEA_CBC_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=IDEA(128) Mac=MD5 - 0xC0,0x3C - - TLS_RSA_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=ARIA(128) Mac=SHA256 - 0xC0,0x3E - - TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=ARIA(128) Mac=SHA256 - 0xC0,0x40 - - TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=ARIA(128) Mac=SHA256 - 0xC0,0x42 - - TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=ARIA(128) Mac=SHA256 - 0xC0,0x44 - - TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=ARIA(128) Mac=SHA256 - 0xC0,0x46 - - TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=DH Au=None Enc=ARIA(128) Mac=SHA256 - 0xC0,0x48 - - TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIA(128) Mac=SHA256 - 0xC0,0x4A - - TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=ARIA(128) Mac=SHA256 - 0xC0,0x4C - - TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIA(128) Mac=SHA256 - 0xC0,0x4E - - TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=ARIA(128) Mac=SHA256 - 0xC0,0x50 - - TLS_RSA_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=ARIA(128) Mac=AEAD - 0xC0,0x52 - - TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=ARIA(128) Mac=AEAD - 0xC0,0x54 - - TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=ARIA(128) Mac=AEAD - 0xC0,0x56 - - TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=ARIA(128) Mac=AEAD - 0xC0,0x58 - - TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=ARIA(128) Mac=AEAD - 0xC0,0x5A - - TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=DH Au=None Enc=ARIA(128) Mac=AEAD - 0xC0,0x5C - - TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIA(128) Mac=AEAD - 0xC0,0x5E - - TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=ARIA(128) Mac=AEAD - 0xC0,0x60 - - TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIA(128) Mac=AEAD - 0xC0,0x62 - - TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=ARIA(128) Mac=AEAD - 0xC0,0x64 - - TLS_PSK_WITH_ARIA_128_CBC_SHA256 TLSv1 Kx=PSK Au=PSK Enc=ARIA(128) Mac=SHA256 - 0xC0,0x66 - - TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=ARIA(128) Mac=SHA256 - 0xC0,0x68 - - TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 TLSv1 Kx=RSAPSK Au=RSA Enc=ARIA(128) Mac=SHA256 - 0xC0,0x6A - - TLS_PSK_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=ARIA(128) Mac=AEAD - 0xC0,0x6C - - TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=ARIA(128) Mac=AEAD - 0xC0,0x6E - - TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=ARIA(128) Mac=AEAD - 0xC0,0x70 - - TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=ARIA(128) Mac=SHA256 - 0xC0,0x7A - - TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=CamelliaGCM(128) Mac=AEAD - 0xC0,0x7C - - TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=CamelliaGCM(128) Mac=AEAD - 0xC0,0x7E - - TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=CamelliaGCM(128) Mac=AEAD - 0xC0,0x80 - - TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=CamelliaGCM(128) Mac=AEAD - 0xC0,0x82 - - TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=CamelliaGCM(128) Mac=AEAD - 0xC0,0x84 - - TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=DH Au=None Enc=CamelliaGCM(128) Mac=AEAD - 0xC0,0x86 - - TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CamelliaGCM(128) Mac=AEAD - 0xC0,0x88 - - TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=CamelliaGCM(128) Mac=AEAD - 0xC0,0x8A - - TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=CamelliaGCM(128) Mac=AEAD - 0xC0,0x8C - - TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=CamelliaGCM(128) Mac=AEAD - 0xC0,0x8E - - TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=CamelliaGCM(128) Mac=AEAD - 0xC0,0x90 - - TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=CamelliaGCM(128) Mac=AEAD - 0xC0,0x92 - - TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=CamelliaGCM(128) Mac=AEAD - 0xC0,0x11 - ECDHE-RSA-RC4-SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1 - 0xC0,0x07 - ECDHE-ECDSA-RC4-SHA TLS_ECDHE_ECDSA_WITH_RC4_128_SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1 - 0x00,0x66 - DHE-DSS-RC4-SHA TLS_DHE_DSS_WITH_RC4_128_SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1 - 0xC0,0x16 - AECDH-RC4-SHA TLS_ECDH_anon_WITH_RC4_128_SHA SSLv3 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1 - 0x00,0x18 - ADH-RC4-MD5 TLS_DH_anon_WITH_RC4_128_MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5 - 0xC0,0x0C - ECDH-RSA-RC4-SHA TLS_ECDH_RSA_WITH_RC4_128_SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128) Mac=SHA1 - 0xC0,0x02 - ECDH-ECDSA-RC4-SHA TLS_ECDH_ECDSA_WITH_RC4_128_SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128) Mac=SHA1 - 0x00,0x05 - RC4-SHA TLS_RSA_WITH_RC4_128_SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 - 0x00,0x04 - RC4-MD5 TLS_RSA_WITH_RC4_128_MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 - 0x01,0x00,0x80 - RC4-MD5 SSL_CK_RC4_128_WITH_MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 - 0x00,0x92 - RSA-PSK-RC4-SHA TLS_RSA_PSK_WITH_RC4_128_SHA SSLv3 Kx=RSAPSK Au=RSA Enc=RC4(128) Mac=SHA1 - 0x00,0x8A - PSK-RC4-SHA TLS_PSK_WITH_RC4_128_SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1 - 0x00,0x20 - KRB5-RC4-SHA TLS_KRB5_WITH_RC4_128_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1 - 0x00,0x24 - KRB5-RC4-MD5 TLS_KRB5_WITH_RC4_128_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5 - 0xC0,0x33 - ECDHE-PSK-RC4-SHA TLS_ECDHE_PSK_WITH_RC4_128_SHA SSLv3 Kx=ECDHEPSK Au=PSK Enc=RC4(128) Mac=SHA1 - 0x00,0x8E - DHE-PSK-RC4-SHA TLS_DHE_PSK_WITH_RC4_128_SHA SSLv3 Kx=DHEPSK Au=PSK Enc=RC4(128) Mac=SHA1 - 0xC0,0x12 - ECDHE-RSA-DES-CBC3-SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1 - 0xC0,0x08 - ECDHE-ECDSA-DES-CBC3-SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1 - 0xC0,0x1C - SRP-DSS-3DES-EDE-CBC-SHA TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=SRP Au=DSS Enc=3DES(168) Mac=SHA1 - 0xC0,0x1B - SRP-RSA-3DES-EDE-CBC-SHA TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=SRP Au=RSA Enc=3DES(168) Mac=SHA1 - 0xC0,0x1A - SRP-3DES-EDE-CBC-SHA TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=SRP Au=SRP Enc=3DES(168) Mac=SHA1 - 0x00,0x16 - EDH-RSA-DES-CBC3-SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 - 0x00,0x13 - EDH-DSS-DES-CBC3-SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 - 0x00,0x10 - DH-RSA-DES-CBC3-SHA TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=3DES(168) Mac=SHA1 - 0x00,0x0D - DH-DSS-DES-CBC3-SHA TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=3DES(168) Mac=SHA1 - 0xC0,0x17 - AECDH-DES-CBC3-SHA TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1 - 0x00,0x1B - ADH-DES-CBC3-SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1 - 0xC0,0x0D - ECDH-RSA-DES-CBC3-SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1 - 0xC0,0x03 - ECDH-ECDSA-DES-CBC3-SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1 - 0x00,0x0A - DES-CBC3-SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 - 0x07,0x00,0xC0 - DES-CBC3-MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 - 0x00,0x93 - RSA-PSK-3DES-EDE-CBC-SHA TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=RSAPSK Au=RSA Enc=3DES(168) Mac=SHA1 - 0x00,0x8B - PSK-3DES-EDE-CBC-SHA TLS_PSK_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1 - 0x00,0x1F - KRB5-DES-CBC3-SHA TLS_KRB5_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1 - 0x00,0x23 - KRB5-DES-CBC3-MD5 TLS_KRB5_WITH_3DES_EDE_CBC_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5 - 0xC0,0x34 - ECDHE-PSK-3DES-EDE-CBC-SHA TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=ECDHEPSK Au=PSK Enc=3DES(168) Mac=SHA1 - 0x00,0x8F - DHE-PSK-3DES-EDE-CBC-SHA TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=DHEPSK Au=PSK Enc=3DES(168) Mac=SHA1 - 0xFE,0xFF - - SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 - 0xFF,0xE0 - - SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 - 0x08,0x00,0x80 - RC4-64-MD5 SSL_CK_RC4_64_WITH_MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5 - 0x00,0x63 - EXP1024-DHE-DSS-DES-CBC-SHA TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA SSLv3 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 export - 0x00,0x15 - EDH-RSA-DES-CBC-SHA TLS_DHE_RSA_WITH_DES_CBC_SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 - 0x00,0x12 - EDH-DSS-DES-CBC-SHA TLS_DHE_DSS_WITH_DES_CBC_SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1 - 0x00,0x0F - DH-RSA-DES-CBC-SHA TLS_DH_RSA_WITH_DES_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=DES(56) Mac=SHA1 - 0x00,0x0C - DH-DSS-DES-CBC-SHA TLS_DH_DSS_WITH_DES_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=DES(56) Mac=SHA1 - 0x00,0x1A - ADH-DES-CBC-SHA TLS_DH_anon_WITH_DES_CBC_SHA SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1 - 0x00,0x62 - EXP1024-DES-CBC-SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export - 0x00,0x09 - DES-CBC-SHA TLS_RSA_WITH_DES_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 - 0x00,0x61 - EXP1024-RC2-CBC-MD5 TLS_RSA_EXPORT1024_WITH_RC2_56_MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC2(56) Mac=MD5 export - 0x06,0x00,0x40 - DES-CBC-MD5 SSL_CK_DES_64_CBC_WITH_MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 - 0x00,0x1E - KRB5-DES-CBC-SHA TLS_KRB5_WITH_DES_CBC_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(56) Mac=SHA1 - 0x00,0x22 - KRB5-DES-CBC-MD5 TLS_KRB5_WITH_DES_CBC_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(56) Mac=MD5 - 0xFE,0xFE - - SSL_RSA_FIPS_WITH_DES_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 - 0xFF,0xE1 - - SSL_RSA_FIPS_WITH_DES_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 - 0x00,0x65 - EXP1024-DHE-DSS-RC4-SHA TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA SSLv3 Kx=DH(1024) Au=DSS Enc=RC4(56) Mac=SHA1 export - 0x00,0x64 - EXP1024-RC4-SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export - 0x00,0x60 - EXP1024-RC4-MD5 TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=MD5 export - 0x00,0x14 - EXP-EDH-RSA-DES-CBC-SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export - 0x00,0x11 - EXP-EDH-DSS-DES-CBC-SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export - 0x00,0x19 - EXP-ADH-DES-CBC-SHA TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export - 0x00,0x08 - EXP-DES-CBC-SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export - 0x00,0x06 - EXP-RC2-CBC-MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export - 0x04,0x00,0x80 - EXP-RC2-CBC-MD5 SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export - 0x00,0x27 - EXP-KRB5-RC2-CBC-SHA TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=SHA1 export - 0x00,0x26 - EXP-KRB5-DES-CBC-SHA TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=SHA1 export - 0x00,0x2A - EXP-KRB5-RC2-CBC-MD5 TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=MD5 export - 0x00,0x29 - EXP-KRB5-DES-CBC-MD5 TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=MD5 export - 0x00,0x0B - - TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=DES(40) Mac=SHA1 export - 0x00,0x0E - - TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=DES(40) Mac=SHA1 export - 0x00,0x17 - EXP-ADH-RC4-MD5 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export - 0x00,0x03 - EXP-RC4-MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export - 0x02,0x00,0x80 - EXP-RC4-MD5 SSL_CK_RC4_128_EXPORT40_WITH_MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export - 0x00,0x28 - EXP-KRB5-RC4-SHA TLS_KRB5_EXPORT_WITH_RC4_40_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=SHA1 export - 0x00,0x2B - EXP-KRB5-RC4-MD5 TLS_KRB5_EXPORT_WITH_RC4_40_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=MD5 export - 0xC0,0x10 - ECDHE-RSA-NULL-SHA TLS_ECDHE_RSA_WITH_NULL_SHA SSLv3 Kx=ECDH Au=RSA Enc=None Mac=SHA1 - 0xC0,0x06 - ECDHE-ECDSA-NULL-SHA TLS_ECDHE_ECDSA_WITH_NULL_SHA SSLv3 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1 - 0xC0,0x15 - AECDH-NULL-SHA TLS_ECDH_anon_WITH_NULL_SHA SSLv3 Kx=ECDH Au=None Enc=None Mac=SHA1 - 0xC0,0x0B - ECDH-RSA-NULL-SHA TLS_ECDH_RSA_WITH_NULL_SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=None Mac=SHA1 - 0xC0,0x01 - ECDH-ECDSA-NULL-SHA TLS_ECDH_ECDSA_WITH_NULL_SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=None Mac=SHA1 - 0xC0,0x3B - ECDHE-PSK-NULL-SHA384 TLS_ECDHE_PSK_WITH_NULL_SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=None Mac=SHA384 - 0xC0,0x3A - ECDHE-PSK-NULL-SHA256 TLS_ECDHE_PSK_WITH_NULL_SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=None Mac=SHA256 - 0xC0,0x39 - ECDHE-PSK-NULL-SHA TLS_ECDHE_PSK_WITH_NULL_SHA SSLv3 Kx=ECDHEPSK Au=PSK Enc=None Mac=SHA1 - 0x00,0xB9 - RSA-PSK-NULL-SHA384 TLS_RSA_PSK_WITH_NULL_SHA384 TLSv1 Kx=RSAPSK Au=RSA Enc=None Mac=SHA384 - 0x00,0xB8 - RSA-PSK-NULL-SHA256 TLS_RSA_PSK_WITH_NULL_SHA256 TLSv1 Kx=RSAPSK Au=RSA Enc=None Mac=SHA256 - 0x00,0xB5 - DHE-PSK-NULL-SHA384 TLS_DHE_PSK_WITH_NULL_SHA384 TLSv1 Kx=DHEPSK Au=PSK Enc=None Mac=SHA384 - 0x00,0xB4 - DHE-PSK-NULL-SHA256 TLS_DHE_PSK_WITH_NULL_SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=None Mac=SHA256 - 0x00,0x2E - RSA-PSK-NULL-SHA TLS_RSA_PSK_WITH_NULL_SHA SSLv3 Kx=RSAPSK Au=RSA Enc=None Mac=SHA1 - 0x00,0x2D - DHE-PSK-NULL-SHA TLS_DHE_PSK_WITH_NULL_SHA SSLv3 Kx=DHEPSK Au=PSK Enc=None Mac=SHA1 - 0x00,0xB1 - PSK-NULL-SHA384 TLS_PSK_WITH_NULL_SHA384 TLSv1 Kx=PSK Au=PSK Enc=None Mac=SHA384 - 0x00,0xB0 - PSK-NULL-SHA256 TLS_PSK_WITH_NULL_SHA256 TLSv1 Kx=PSK Au=PSK Enc=None Mac=SHA256 - 0x00,0x2C - PSK-NULL-SHA TLS_PSK_WITH_NULL_SHA SSLv3 Kx=PSK Au=PSK Enc=None Mac=SHA1 - 0x00,0x3B - NULL-SHA256 TLS_RSA_WITH_NULL_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=None Mac=SHA256 - 0x00,0x02 - NULL-SHA TLS_RSA_WITH_NULL_SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1 - 0x00,0x01 - NULL-MD5 TLS_RSA_WITH_NULL_MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5 - 0x00,0x82 - GOST94-NULL-GOST94 TLS_GOSTR341094_WITH_NULL_GOSTR3411 TLSv1 Kx=GOST Au=GOST94 Enc=None Mac=GOSTR3411 - 0x00,0x83 - GOST2001-NULL-GOST94 TLS_GOSTR341001_WITH_NULL_GOSTR3411 SSLv3 Kx=GOST Au=GOST01 Enc=None Mac=GOST94 - 0xFF,0x87 - GOST2012256-NULL-STREEBOG256 - SSLv3 Kx=GOST Au=GOST01 Enc=None Mac=STREEBOG256 + 0xCC,0x14 - ECDHE-ECDSA-CHACHA20-POLY1305 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD TLSv1.2 Kx=ECDH Au=ECDSA Enc=ChaCha20(256) Mac=AEAD + 0xCC,0x13 - ECDHE-RSA-CHACHA20-POLY1305 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20(256) Mac=AEAD + 0xCC,0x15 - DHE-RSA-CHACHA20-POLY1305 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD TLSv1.2 Kx=DH Au=RSA Enc=ChaCha20(256) Mac=AEAD + 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD + 0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD + 0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 + 0xC0,0x24 - ECDHE-ECDSA-AES256-SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 + 0xC0,0x14 - ECDHE-RSA-AES256-SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1 + 0xC0,0x0A - ECDHE-ECDSA-AES256-SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1 + 0xC0,0x22 - SRP-DSS-AES-256-CBC-SHA TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA SSLv3 Kx=SRP Au=DSS Enc=AES(256) Mac=SHA1 + 0xC0,0x21 - SRP-RSA-AES-256-CBC-SHA TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SHA1 + 0xC0,0x20 - SRP-AES-256-CBC-SHA TLS_SRP_SHA_WITH_AES_256_CBC_SHA SSLv3 Kx=SRP Au=SRP Enc=AES(256) Mac=SHA1 + 0x00,0xB7 - RSA-PSK-AES256-CBC-SHA384 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 TLSv1 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA384 + 0x00,0xB3 - DHE-PSK-AES256-CBC-SHA384 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA384 + 0x00,0x91 - DHE-PSK-AES256-CBC-SHA TLS_DHE_PSK_WITH_AES_256_CBC_SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA1 + 0xC0,0x9B - ECDHE-PSK-CAMELLIA256-SHA384 TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=Camellia(256) Mac=SHA384 + 0xC0,0x99 - RSA-PSK-CAMELLIA256-SHA384 TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLSv1 Kx=RSAPSK Au=RSA Enc=Camellia(256) Mac=SHA384 + 0xC0,0x97 - DHE-PSK-CAMELLIA256-SHA384 TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLSv1 Kx=DHEPSK Au=PSK Enc=Camellia(256) Mac=SHA384 + 0x00,0xAF - PSK-AES256-CBC-SHA384 TLS_PSK_WITH_AES_256_CBC_SHA384 TLSv1 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA384 + 0xC0,0x95 - PSK-CAMELLIA256-SHA384 TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLSv1 Kx=PSK Au=PSK Enc=Camellia(256) Mac=SHA384 + 0x00,0xA5 - DH-DSS-AES256-GCM-SHA384 TLS_DH_DSS_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(256) Mac=AEAD + 0x00,0xA3 - DHE-DSS-AES256-GCM-SHA384 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD + 0x00,0xA1 - DH-RSA-AES256-GCM-SHA384 TLS_DH_RSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(256) Mac=AEAD + 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD + 0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ChaCha20(256) Mac=AEAD + 0xCC,0xA8 - ECDHE-RSA-CHACHA20-POLY1305 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20(256) Mac=AEAD + 0xCC,0xAA - DHE-RSA-CHACHA20-POLY1305 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=ChaCha20(256) Mac=AEAD + 0xC0,0xAF - ECDHE-ECDSA-AES256-CCM8 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD + 0xC0,0xAD - ECDHE-ECDSA-AES256-CCM TLS_ECDHE_ECDSA_WITH_AES_256_CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD + 0xC0,0xA3 - DHE-RSA-AES256-CCM8 TLS_DHE_RSA_WITH_AES_256_CCM_8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD + 0xC0,0x9F - DHE-RSA-AES256-CCM TLS_DHE_RSA_WITH_AES_256_CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(256) Mac=AEAD + 0x00,0x6B - DHE-RSA-AES256-SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 + 0x00,0x6A - DHE-DSS-AES256-SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256 + 0x00,0x69 - DH-RSA-AES256-SHA256 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA256 + 0x00,0x68 - DH-DSS-AES256-SHA256 TLS_DH_DSS_WITH_AES_256_CBC_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA256 + 0x00,0x39 - DHE-RSA-AES256-SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 + 0x00,0x38 - DHE-DSS-AES256-SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1 + 0x00,0x37 - DH-RSA-AES256-SHA TLS_DH_RSA_WITH_AES_256_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA1 + 0x00,0x36 - DH-DSS-AES256-SHA TLS_DH_DSS_WITH_AES_256_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA1 + 0xC0,0x77 - ECDHE-RSA-CAMELLIA256-SHA384 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384 + 0xC0,0x73 - ECDHE-ECDSA-CAMELLIA256-SHA384 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384 + 0x00,0xC4 - DHE-RSA-CAMELLIA256-SHA256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256 + 0x00,0xC3 - DHE-DSS-CAMELLIA256-SHA256 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA256 + 0x00,0xC2 - DH-RSA-CAMELLIA256-SHA256 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=Camellia(256) Mac=SHA256 + 0x00,0xC1 - DH-DSS-CAMELLIA256-SHA256 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=Camellia(256) Mac=SHA256 + 0x00,0x88 - DHE-RSA-CAMELLIA256-SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1 + 0x00,0x87 - DHE-DSS-CAMELLIA256-SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1 + 0x00,0x86 - DH-RSA-CAMELLIA256-SHA TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=Camellia(256) Mac=SHA1 + 0x00,0x85 - DH-DSS-CAMELLIA256-SHA TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=Camellia(256) Mac=SHA1 + 0xC0,0x19 - AECDH-AES256-SHA TLS_ECDH_anon_WITH_AES_256_CBC_SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1 + 0x00,0xA7 - ADH-AES256-GCM-SHA384 TLS_DH_anon_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD + 0x00,0x6D - ADH-AES256-SHA256 TLS_DH_anon_WITH_AES_256_CBC_SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256 + 0x00,0x3A - ADH-AES256-SHA TLS_DH_anon_WITH_AES_256_CBC_SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1 + 0x00,0xC5 - ADH-CAMELLIA256-SHA256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 TLSv1.2 Kx=DH Au=None Enc=Camellia(256) Mac=SHA256 + 0x00,0x89 - ADH-CAMELLIA256-SHA TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1 + 0x00,0xAD - RSA-PSK-AES256-GCM-SHA384 TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(256) Mac=AEAD + 0x00,0xAB - DHE-PSK-AES256-GCM-SHA384 TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) Mac=AEAD + 0xCC,0xAE - RSA-PSK-CHACHA20-POLY1305 TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=ChaCha20(256) Mac=AEAD + 0xCC,0xAD - DHE-PSK-CHACHA20-POLY1305 TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=ChaCha20(256) Mac=AEAD + 0xCC,0xAC - ECDHE-PSK-CHACHA20-POLY1305 TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=ECDHEPSK Au=PSK Enc=ChaCha20(256) Mac=AEAD + 0xC0,0xAB - DHE-PSK-AES256-CCM8 TLS_PSK_DHE_WITH_AES_256_CCM_8 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM8(256) Mac=AEAD + 0xC0,0xA7 - DHE-PSK-AES256-CCM TLS_DHE_PSK_WITH_AES_256_CCM TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM(256) Mac=AEAD + 0xC0,0x32 - ECDH-RSA-AES256-GCM-SHA384 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD + 0xC0,0x2E - ECDH-ECDSA-AES256-GCM-SHA384 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD + 0xC0,0x2A - ECDH-RSA-AES256-SHA384 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384 + 0xC0,0x26 - ECDH-ECDSA-AES256-SHA384 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384 + 0xC0,0x0F - ECDH-RSA-AES256-SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1 + 0xC0,0x05 - ECDH-ECDSA-AES256-SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1 + 0xC0,0x79 - ECDH-RSA-CAMELLIA256-SHA384 TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=Camellia(256) Mac=SHA384 + 0xC0,0x75 - ECDH-ECDSA-CAMELLIA256-SHA384 TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=Camellia(256) Mac=SHA384 + 0x00,0x9D - AES256-GCM-SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD + 0xC0,0xA1 - AES256-CCM8 TLS_RSA_WITH_AES_256_CCM_8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(256) Mac=AEAD + 0xC0,0x9D - AES256-CCM TLS_RSA_WITH_AES_256_CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(256) Mac=AEAD + 0x00,0xA9 - PSK-AES256-GCM-SHA384 TLS_PSK_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(256) Mac=AEAD + 0xCC,0xAB - PSK-CHACHA20-POLY1305 TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=ChaCha20(256) Mac=AEAD + 0xC0,0xA9 - PSK-AES256-CCM8 TLS_PSK_WITH_AES_256_CCM_8 TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM8(256) Mac=AEAD + 0xC0,0xA5 - PSK-AES256-CCM TLS_PSK_WITH_AES_256_CCM TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM(256) Mac=AEAD + 0x00,0x3D - AES256-SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 + 0x00,0x35 - AES256-SHA TLS_RSA_WITH_AES_256_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 + 0x00,0xC0 - CAMELLIA256-SHA256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256 + 0xC0,0x38 - ECDHE-PSK-AES256-CBC-SHA384 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA384 + 0xC0,0x36 - ECDHE-PSK-AES256-CBC-SHA TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA SSLv3 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA1 + 0x00,0x84 - CAMELLIA256-SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1 + 0x00,0x95 - RSA-PSK-AES256-CBC-SHA TLS_RSA_PSK_WITH_AES_256_CBC_SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA1 + 0x00,0x8D - PSK-AES256-CBC-SHA TLS_PSK_WITH_AES_256_CBC_SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1 + 0xC0,0x3D - - TLS_RSA_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=ARIA(256) Mac=SHA384 + 0xC0,0x3F - - TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=ARIA(256) Mac=SHA384 + 0xC0,0x41 - - TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=ARIA(256) Mac=SHA384 + 0xC0,0x43 - - TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=DH Au=DSS Enc=ARIA(256) Mac=SHA384 + 0xC0,0x45 - - TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=DH Au=RSA Enc=ARIA(256) Mac=SHA384 + 0xC0,0x47 - - TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=DH Au=None Enc=ARIA(256) Mac=SHA384 + 0xC0,0x49 - - TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIA(256) Mac=SHA384 + 0xC0,0x4B - - TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=ARIA(256) Mac=SHA384 + 0xC0,0x4D - - TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIA(256) Mac=SHA384 + 0xC0,0x4F - - TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=ARIA(256) Mac=SHA384 + 0xC0,0x51 - - TLS_RSA_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=ARIA(256) Mac=AEAD + 0xC0,0x53 - - TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=DH Au=RSA Enc=ARIA(256) Mac=AEAD + 0xC0,0x55 - - TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=ARIA(256) Mac=AEAD + 0xC0,0x57 - - TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=DH Au=DSS Enc=ARIA(256) Mac=AEAD + 0xC0,0x59 - - TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=ARIA(256) Mac=AEAD + 0xC0,0x5B - - TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=DH Au=None Enc=ARIA(256) Mac=AEAD + 0xC0,0x5D - - TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIA(256) Mac=AEAD + 0xC0,0x5F - - TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=ARIA(256) Mac=AEAD + 0xC0,0x61 - - TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIA(256) Mac=AEAD + 0xC0,0x63 - - TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=ARIA(256) Mac=AEAD + 0xC0,0x65 - - TLS_PSK_WITH_ARIA_256_CBC_SHA384 TLSv1 Kx=PSK Au=PSK Enc=ARIA(256) Mac=SHA384 + 0xC0,0x67 - - TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 TLSv1 Kx=DHEPSK Au=PSK Enc=ARIA(256) Mac=SHA384 + 0xC0,0x69 - - TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 TLSv1 Kx=RSAPSK Au=RSA Enc=ARIA(256) Mac=SHA384 + 0xC0,0x6B - - TLS_PSK_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=ARIA(256) Mac=AEAD + 0xC0,0x6D - - TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=ARIA(256) Mac=AEAD + 0xC0,0x6F - - TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=ARIA(256) Mac=AEAD + 0xC0,0x71 - - TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=ARIA(256) Mac=SHA384 + 0xC0,0x7B - - TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=CamelliaGCM(256) Mac=AEAD + 0xC0,0x7D - - TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=DH Au=RSA Enc=CamelliaGCM(256) Mac=AEAD + 0xC0,0x7F - - TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=CamelliaGCM(256) Mac=AEAD + 0xC0,0x81 - - TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=DH Au=DSS Enc=CamelliaGCM(256) Mac=AEAD + 0xC0,0x83 - - TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=CamelliaGCM(256) Mac=AEAD + 0xC0,0x85 - - TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=DH Au=None Enc=CamelliaGCM(256) Mac=AEAD + 0xC0,0x87 - - TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CamelliaGCM(256) Mac=AEAD + 0xC0,0x89 - - TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=CamelliaGCM(256) Mac=AEAD + 0xC0,0x8B - - TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=CamelliaGCM(256) Mac=AEAD + 0xC0,0x8D - - TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=CamelliaGCM(256) Mac=AEAD + 0xC0,0x8F - - TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=CamelliaGCM(256) Mac=AEAD + 0xC0,0x91 - - TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=CamelliaGCM(256) Mac=AEAD + 0xC0,0x93 - - TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=CamelliaGCM(256) Mac=AEAD + 0x00,0x80 - GOST94-GOST89-GOST89 TLS_GOSTR341094_WITH_28147_CNT_IMIT TLSv1 Kx=GOST Au=GOST94 Enc=GOST(256) Mac=GOST89IMIT + 0x00,0x81 - GOST2001-GOST89-GOST89 TLS_GOSTR341001_WITH_28147_CNT_IMIT SSLv3 Kx=GOST Au=GOST01 Enc=GOST(256) Mac=GOST89IMIT + 0xFF,0x00 - GOST-MD5 TLS_GOSTR341094_RSA_WITH_28147_CNT_MD5 TLSv1 Kx=RSA Au=RSA Enc=GOST(256) Mac=MD5 + 0xFF,0x01 - GOST-GOST94 TLS_RSA_WITH_28147_CNT_GOST94 TLSv1 Kx=RSA Au=RSA Enc=GOST(256) Mac=GOST94 + 0xFF,0x02 - GOST-GOST89MAC - TLSv1 Kx=RSA Au=RSA Enc=GOST(256) Mac=GOST89IMIT + 0xFF,0x03 - GOST-GOST89STREAM - TLSv1 Kx=RSA Au=RSA Enc=GOST(256) Mac=GOST89IMIT + 0xFF,0x85 - GOST2012256-GOST89-GOST89 - SSLv3 Kx=GOST Au=GOST01 Enc=GOST(256) Mac=GOST89IMIT + 0x16,0xB7 - - TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=CECPQ1 Au=RSA Enc=ChaCha20(256) Mac=AEAD + 0x16,0xB8 - - TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLSv1.2 Kx=CECPQ1 Au=ECDSA Enc=ChaCha20(256) Mac=AEAD + 0x16,0xB9 - - TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=CECPQ1 Au=RSA Enc=AESGCM(256) Mac=AEAD + 0x16,0xBA - - TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=CECPQ1 Au=ECDSA Enc=AESGCM(256) Mac=AEAD + 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD + 0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD + 0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 + 0xC0,0x23 - ECDHE-ECDSA-AES128-SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 + 0xC0,0x13 - ECDHE-RSA-AES128-SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1 + 0xC0,0x09 - ECDHE-ECDSA-AES128-SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1 + 0xC0,0x1F - SRP-DSS-AES-128-CBC-SHA TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA SSLv3 Kx=SRP Au=DSS Enc=AES(128) Mac=SHA1 + 0xC0,0x1E - SRP-RSA-AES-128-CBC-SHA TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA SSLv3 Kx=SRP Au=RSA Enc=AES(128) Mac=SHA1 + 0xC0,0x1D - SRP-AES-128-CBC-SHA TLS_SRP_SHA_WITH_AES_128_CBC_SHA SSLv3 Kx=SRP Au=SRP Enc=AES(128) Mac=SHA1 + 0x00,0xA4 - DH-DSS-AES128-GCM-SHA256 TLS_DH_DSS_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(128) Mac=AEAD + 0x00,0xA2 - DHE-DSS-AES128-GCM-SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD + 0x00,0xA0 - DH-RSA-AES128-GCM-SHA256 TLS_DH_RSA_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(128) Mac=AEAD + 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD + 0xC0,0xAE - ECDHE-ECDSA-AES128-CCM8 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(128) Mac=AEAD + 0xC0,0xAC - ECDHE-ECDSA-AES128-CCM TLS_ECDHE_ECDSA_WITH_AES_128_CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(128) Mac=AEAD + 0xC0,0xA2 - DHE-RSA-AES128-CCM8 TLS_DHE_RSA_WITH_AES_128_CCM_8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(128) Mac=AEAD + 0xC0,0x9E - DHE-RSA-AES128-CCM TLS_DHE_RSA_WITH_AES_128_CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(128) Mac=AEAD + 0x00,0xAC - RSA-PSK-AES128-GCM-SHA256 TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(128) Mac=AEAD + 0x00,0xAA - DHE-PSK-AES128-GCM-SHA256 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(128) Mac=AEAD + 0xC0,0xAA - DHE-PSK-AES128-CCM8 TLS_PSK_DHE_WITH_AES_128_CCM_8 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM8(128) Mac=AEAD + 0xC0,0xA6 - DHE-PSK-AES128-CCM TLS_DHE_PSK_WITH_AES_128_CCM TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM(128) Mac=AEAD + 0xC0,0xA0 - AES128-CCM8 TLS_RSA_WITH_AES_128_CCM_8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(128) Mac=AEAD + 0xC0,0x9C - AES128-CCM TLS_RSA_WITH_AES_128_CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(128) Mac=AEAD + 0x00,0xA8 - PSK-AES128-GCM-SHA256 TLS_PSK_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(128) Mac=AEAD + 0xC0,0xA8 - PSK-AES128-CCM8 TLS_PSK_WITH_AES_128_CCM_8 TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM8(128) Mac=AEAD + 0xC0,0xA4 - PSK-AES128-CCM TLS_PSK_WITH_AES_128_CCM TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM(128) Mac=AEAD + 0x00,0x67 - DHE-RSA-AES128-SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 + 0x00,0x40 - DHE-DSS-AES128-SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256 + 0x00,0x3F - DH-RSA-AES128-SHA256 TLS_DH_RSA_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA256 + 0x00,0x3E - DH-DSS-AES128-SHA256 TLS_DH_DSS_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(128) Mac=SHA256 + 0x00,0x33 - DHE-RSA-AES128-SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 + 0x00,0x32 - DHE-DSS-AES128-SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1 + 0x00,0x31 - DH-RSA-AES128-SHA TLS_DH_RSA_WITH_AES_128_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA1 + 0x00,0x30 - DH-DSS-AES128-SHA TLS_DH_DSS_WITH_AES_128_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=AES(128) Mac=SHA1 + 0xC0,0x76 - ECDHE-RSA-CAMELLIA128-SHA256 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256 + 0xC0,0x72 - ECDHE-ECDSA-CAMELLIA128-SHA256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256 + 0x00,0xBE - DHE-RSA-CAMELLIA128-SHA256 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256 + 0x00,0xBD - DHE-DSS-CAMELLIA128-SHA256 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA256 + 0x00,0xBC - DH-RSA-CAMELLIA128-SHA256 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=Camellia(128) Mac=SHA256 + 0x00,0xBB - DH-DSS-CAMELLIA128-SHA256 TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=Camellia(128) Mac=SHA256 + 0x00,0x9A - DHE-RSA-SEED-SHA TLS_DHE_RSA_WITH_SEED_CBC_SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1 + 0x00,0x99 - DHE-DSS-SEED-SHA TLS_DHE_DSS_WITH_SEED_CBC_SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1 + 0x00,0x98 - DH-RSA-SEED-SHA TLS_DH_RSA_WITH_SEED_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=SEED(128) Mac=SHA1 + 0x00,0x97 - DH-DSS-SEED-SHA TLS_DH_DSS_WITH_SEED_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=SEED(128) Mac=SHA1 + 0x00,0x45 - DHE-RSA-CAMELLIA128-SHA TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1 + 0x00,0x44 - DHE-DSS-CAMELLIA128-SHA TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1 + 0x00,0x43 - DH-RSA-CAMELLIA128-SHA TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=Camellia(128) Mac=SHA1 + 0x00,0x42 - DH-DSS-CAMELLIA128-SHA TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=Camellia(128) Mac=SHA1 + 0xC0,0x18 - AECDH-AES128-SHA TLS_ECDH_anon_WITH_AES_128_CBC_SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1 + 0x00,0xA6 - ADH-AES128-GCM-SHA256 TLS_DH_anon_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD + 0x00,0x6C - ADH-AES128-SHA256 TLS_DH_anon_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256 + 0x00,0x34 - ADH-AES128-SHA TLS_DH_anon_WITH_AES_128_CBC_SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1 + 0x00,0xBF - ADH-CAMELLIA128-SHA256 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=DH Au=None Enc=Camellia(128) Mac=SHA256 + 0x00,0x9B - ADH-SEED-SHA TLS_DH_anon_WITH_SEED_CBC_SHA SSLv3 Kx=DH Au=None Enc=SEED(128) Mac=SHA1 + 0x00,0x46 - ADH-CAMELLIA128-SHA TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1 + 0xC0,0x31 - ECDH-RSA-AES128-GCM-SHA256 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD + 0xC0,0x2D - ECDH-ECDSA-AES128-GCM-SHA256 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD + 0xC0,0x29 - ECDH-RSA-AES128-SHA256 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256 + 0xC0,0x25 - ECDH-ECDSA-AES128-SHA256 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256 + 0xC0,0x0E - ECDH-RSA-AES128-SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1 + 0xC0,0x04 - ECDH-ECDSA-AES128-SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1 + 0xC0,0x78 - ECDH-RSA-CAMELLIA128-SHA256 TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=Camellia(128) Mac=SHA256 + 0xC0,0x74 - ECDH-ECDSA-CAMELLIA128-SHA256 TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=Camellia(128) Mac=SHA256 + 0x00,0x9C - AES128-GCM-SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD + 0x00,0x3C - AES128-SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 + 0x00,0x2F - AES128-SHA TLS_RSA_WITH_AES_128_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 + 0x00,0xBA - CAMELLIA128-SHA256 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256 + 0xC0,0x37 - ECDHE-PSK-AES128-CBC-SHA256 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA256 + 0xC0,0x35 - ECDHE-PSK-AES128-CBC-SHA TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA SSLv3 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA1 + 0x00,0xB6 - RSA-PSK-AES128-CBC-SHA256 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 TLSv1 Kx=RSAPSK Au=RSA Enc=AES(128) Mac=SHA256 + 0x00,0xB2 - DHE-PSK-AES128-CBC-SHA256 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA256 + 0x00,0x90 - DHE-PSK-AES128-CBC-SHA TLS_DHE_PSK_WITH_AES_128_CBC_SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA1 + 0x00,0x96 - SEED-SHA TLS_RSA_WITH_SEED_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1 + 0x00,0x41 - CAMELLIA128-SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1 + 0xC0,0x9A - ECDHE-PSK-CAMELLIA128-SHA256 TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=Camellia(128) Mac=SHA256 + 0xC0,0x98 - RSA-PSK-CAMELLIA128-SHA256 TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLSv1 Kx=RSAPSK Au=RSA Enc=Camellia(128) Mac=SHA256 + 0xC0,0x96 - DHE-PSK-CAMELLIA128-SHA256 TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=Camellia(128) Mac=SHA256 + 0x00,0xAE - PSK-AES128-CBC-SHA256 TLS_PSK_WITH_AES_128_CBC_SHA256 TLSv1 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA256 + 0xC0,0x94 - PSK-CAMELLIA128-SHA256 TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLSv1 Kx=PSK Au=PSK Enc=Camellia(128) Mac=SHA256 + 0x00,0x07 - IDEA-CBC-SHA TLS_RSA_WITH_IDEA_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1 + 0x05,0x00,0x80 - IDEA-CBC-MD5 SSL_CK_IDEA_128_CBC_WITH_MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5 + 0x03,0x00,0x80 - RC2-CBC-MD5 SSL_CK_RC2_128_CBC_WITH_MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 + 0x00,0x94 - RSA-PSK-AES128-CBC-SHA TLS_RSA_PSK_WITH_AES_128_CBC_SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(128) Mac=SHA1 + 0x00,0x8C - PSK-AES128-CBC-SHA TLS_PSK_WITH_AES_128_CBC_SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1 + 0x00,0x21 - KRB5-IDEA-CBC-SHA TLS_KRB5_WITH_IDEA_CBC_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=IDEA(128) Mac=SHA1 + 0x00,0x25 - KRB5-IDEA-CBC-MD5 TLS_KRB5_WITH_IDEA_CBC_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=IDEA(128) Mac=MD5 + 0xC0,0x3C - - TLS_RSA_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=ARIA(128) Mac=SHA256 + 0xC0,0x3E - - TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=ARIA(128) Mac=SHA256 + 0xC0,0x40 - - TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=ARIA(128) Mac=SHA256 + 0xC0,0x42 - - TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=ARIA(128) Mac=SHA256 + 0xC0,0x44 - - TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=ARIA(128) Mac=SHA256 + 0xC0,0x46 - - TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=DH Au=None Enc=ARIA(128) Mac=SHA256 + 0xC0,0x48 - - TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIA(128) Mac=SHA256 + 0xC0,0x4A - - TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=ARIA(128) Mac=SHA256 + 0xC0,0x4C - - TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIA(128) Mac=SHA256 + 0xC0,0x4E - - TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=ARIA(128) Mac=SHA256 + 0xC0,0x50 - - TLS_RSA_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=ARIA(128) Mac=AEAD + 0xC0,0x52 - - TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=ARIA(128) Mac=AEAD + 0xC0,0x54 - - TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=ARIA(128) Mac=AEAD + 0xC0,0x56 - - TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=ARIA(128) Mac=AEAD + 0xC0,0x58 - - TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=ARIA(128) Mac=AEAD + 0xC0,0x5A - - TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=DH Au=None Enc=ARIA(128) Mac=AEAD + 0xC0,0x5C - - TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ARIA(128) Mac=AEAD + 0xC0,0x5E - - TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=ARIA(128) Mac=AEAD + 0xC0,0x60 - - TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=ARIA(128) Mac=AEAD + 0xC0,0x62 - - TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=ARIA(128) Mac=AEAD + 0xC0,0x64 - - TLS_PSK_WITH_ARIA_128_CBC_SHA256 TLSv1 Kx=PSK Au=PSK Enc=ARIA(128) Mac=SHA256 + 0xC0,0x66 - - TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=ARIA(128) Mac=SHA256 + 0xC0,0x68 - - TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 TLSv1 Kx=RSAPSK Au=RSA Enc=ARIA(128) Mac=SHA256 + 0xC0,0x6A - - TLS_PSK_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=ARIA(128) Mac=AEAD + 0xC0,0x6C - - TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=ARIA(128) Mac=AEAD + 0xC0,0x6E - - TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=ARIA(128) Mac=AEAD + 0xC0,0x70 - - TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=ARIA(128) Mac=SHA256 + 0xC0,0x7A - - TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=CamelliaGCM(128) Mac=AEAD + 0xC0,0x7C - - TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=DH Au=RSA Enc=CamelliaGCM(128) Mac=AEAD + 0xC0,0x7E - - TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=CamelliaGCM(128) Mac=AEAD + 0xC0,0x80 - - TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=DH Au=DSS Enc=CamelliaGCM(128) Mac=AEAD + 0xC0,0x82 - - TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=CamelliaGCM(128) Mac=AEAD + 0xC0,0x84 - - TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=DH Au=None Enc=CamelliaGCM(128) Mac=AEAD + 0xC0,0x86 - - TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CamelliaGCM(128) Mac=AEAD + 0xC0,0x88 - - TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=CamelliaGCM(128) Mac=AEAD + 0xC0,0x8A - - TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=CamelliaGCM(128) Mac=AEAD + 0xC0,0x8C - - TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=CamelliaGCM(128) Mac=AEAD + 0xC0,0x8E - - TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=CamelliaGCM(128) Mac=AEAD + 0xC0,0x90 - - TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=CamelliaGCM(128) Mac=AEAD + 0xC0,0x92 - - TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=CamelliaGCM(128) Mac=AEAD + 0xC0,0x11 - ECDHE-RSA-RC4-SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1 + 0xC0,0x07 - ECDHE-ECDSA-RC4-SHA TLS_ECDHE_ECDSA_WITH_RC4_128_SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1 + 0x00,0x66 - DHE-DSS-RC4-SHA TLS_DHE_DSS_WITH_RC4_128_SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1 + 0xC0,0x16 - AECDH-RC4-SHA TLS_ECDH_anon_WITH_RC4_128_SHA SSLv3 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1 + 0x00,0x18 - ADH-RC4-MD5 TLS_DH_anon_WITH_RC4_128_MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5 + 0xC0,0x0C - ECDH-RSA-RC4-SHA TLS_ECDH_RSA_WITH_RC4_128_SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128) Mac=SHA1 + 0xC0,0x02 - ECDH-ECDSA-RC4-SHA TLS_ECDH_ECDSA_WITH_RC4_128_SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128) Mac=SHA1 + 0x00,0x05 - RC4-SHA TLS_RSA_WITH_RC4_128_SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 + 0x00,0x04 - RC4-MD5 TLS_RSA_WITH_RC4_128_MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 + 0x01,0x00,0x80 - RC4-MD5 SSL_CK_RC4_128_WITH_MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 + 0x00,0x92 - RSA-PSK-RC4-SHA TLS_RSA_PSK_WITH_RC4_128_SHA SSLv3 Kx=RSAPSK Au=RSA Enc=RC4(128) Mac=SHA1 + 0x00,0x8A - PSK-RC4-SHA TLS_PSK_WITH_RC4_128_SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1 + 0x00,0x20 - KRB5-RC4-SHA TLS_KRB5_WITH_RC4_128_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1 + 0x00,0x24 - KRB5-RC4-MD5 TLS_KRB5_WITH_RC4_128_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5 + 0xC0,0x33 - ECDHE-PSK-RC4-SHA TLS_ECDHE_PSK_WITH_RC4_128_SHA SSLv3 Kx=ECDHEPSK Au=PSK Enc=RC4(128) Mac=SHA1 + 0x00,0x8E - DHE-PSK-RC4-SHA TLS_DHE_PSK_WITH_RC4_128_SHA SSLv3 Kx=DHEPSK Au=PSK Enc=RC4(128) Mac=SHA1 + 0xC0,0x12 - ECDHE-RSA-DES-CBC3-SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1 + 0xC0,0x08 - ECDHE-ECDSA-DES-CBC3-SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1 + 0xC0,0x1C - SRP-DSS-3DES-EDE-CBC-SHA TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=SRP Au=DSS Enc=3DES(168) Mac=SHA1 + 0xC0,0x1B - SRP-RSA-3DES-EDE-CBC-SHA TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=SRP Au=RSA Enc=3DES(168) Mac=SHA1 + 0xC0,0x1A - SRP-3DES-EDE-CBC-SHA TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=SRP Au=SRP Enc=3DES(168) Mac=SHA1 + 0x00,0x16 - EDH-RSA-DES-CBC3-SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 + 0x00,0x13 - EDH-DSS-DES-CBC3-SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 + 0x00,0x10 - DH-RSA-DES-CBC3-SHA TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=3DES(168) Mac=SHA1 + 0x00,0x0D - DH-DSS-DES-CBC3-SHA TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=3DES(168) Mac=SHA1 + 0xC0,0x17 - AECDH-DES-CBC3-SHA TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1 + 0x00,0x1B - ADH-DES-CBC3-SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1 + 0xC0,0x0D - ECDH-RSA-DES-CBC3-SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1 + 0xC0,0x03 - ECDH-ECDSA-DES-CBC3-SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1 + 0x00,0x0A - DES-CBC3-SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 + 0x07,0x00,0xC0 - DES-CBC3-MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 + 0x00,0x93 - RSA-PSK-3DES-EDE-CBC-SHA TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=RSAPSK Au=RSA Enc=3DES(168) Mac=SHA1 + 0x00,0x8B - PSK-3DES-EDE-CBC-SHA TLS_PSK_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1 + 0x00,0x1F - KRB5-DES-CBC3-SHA TLS_KRB5_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1 + 0x00,0x23 - KRB5-DES-CBC3-MD5 TLS_KRB5_WITH_3DES_EDE_CBC_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5 + 0xC0,0x34 - ECDHE-PSK-3DES-EDE-CBC-SHA TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=ECDHEPSK Au=PSK Enc=3DES(168) Mac=SHA1 + 0x00,0x8F - DHE-PSK-3DES-EDE-CBC-SHA TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=DHEPSK Au=PSK Enc=3DES(168) Mac=SHA1 + 0xFE,0xFF - - SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 + 0xFF,0xE0 - - SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 + 0x08,0x00,0x80 - RC4-64-MD5 SSL_CK_RC4_64_WITH_MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5 + 0x00,0x63 - EXP1024-DHE-DSS-DES-CBC-SHA TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA SSLv3 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 export + 0x00,0x15 - EDH-RSA-DES-CBC-SHA TLS_DHE_RSA_WITH_DES_CBC_SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 + 0x00,0x12 - EDH-DSS-DES-CBC-SHA TLS_DHE_DSS_WITH_DES_CBC_SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1 + 0x00,0x0F - DH-RSA-DES-CBC-SHA TLS_DH_RSA_WITH_DES_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=DES(56) Mac=SHA1 + 0x00,0x0C - DH-DSS-DES-CBC-SHA TLS_DH_DSS_WITH_DES_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=DES(56) Mac=SHA1 + 0x00,0x1A - ADH-DES-CBC-SHA TLS_DH_anon_WITH_DES_CBC_SHA SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1 + 0x00,0x62 - EXP1024-DES-CBC-SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export + 0x00,0x09 - DES-CBC-SHA TLS_RSA_WITH_DES_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 + 0x00,0x61 - EXP1024-RC2-CBC-MD5 TLS_RSA_EXPORT1024_WITH_RC2_56_MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC2(56) Mac=MD5 export + 0x06,0x00,0x40 - DES-CBC-MD5 SSL_CK_DES_64_CBC_WITH_MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 + 0x00,0x1E - KRB5-DES-CBC-SHA TLS_KRB5_WITH_DES_CBC_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(56) Mac=SHA1 + 0x00,0x22 - KRB5-DES-CBC-MD5 TLS_KRB5_WITH_DES_CBC_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(56) Mac=MD5 + 0xFE,0xFE - - SSL_RSA_FIPS_WITH_DES_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 + 0xFF,0xE1 - - SSL_RSA_FIPS_WITH_DES_CBC_SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 + 0x00,0x65 - EXP1024-DHE-DSS-RC4-SHA TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA SSLv3 Kx=DH(1024) Au=DSS Enc=RC4(56) Mac=SHA1 export + 0x00,0x64 - EXP1024-RC4-SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export + 0x00,0x60 - EXP1024-RC4-MD5 TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=MD5 export + 0x00,0x14 - EXP-EDH-RSA-DES-CBC-SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export + 0x00,0x11 - EXP-EDH-DSS-DES-CBC-SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export + 0x00,0x19 - EXP-ADH-DES-CBC-SHA TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export + 0x00,0x08 - EXP-DES-CBC-SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export + 0x00,0x06 - EXP-RC2-CBC-MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export + 0x04,0x00,0x80 - EXP-RC2-CBC-MD5 SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export + 0x00,0x27 - EXP-KRB5-RC2-CBC-SHA TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=SHA1 export + 0x00,0x26 - EXP-KRB5-DES-CBC-SHA TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=SHA1 export + 0x00,0x2A - EXP-KRB5-RC2-CBC-MD5 TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=MD5 export + 0x00,0x29 - EXP-KRB5-DES-CBC-MD5 TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=MD5 export + 0x00,0x0B - - TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=DH/DSS Au=DH Enc=DES(40) Mac=SHA1 export + 0x00,0x0E - - TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA SSLv3 Kx=DH/RSA Au=DH Enc=DES(40) Mac=SHA1 export + 0x00,0x17 - EXP-ADH-RC4-MD5 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export + 0x00,0x03 - EXP-RC4-MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export + 0x02,0x00,0x80 - EXP-RC4-MD5 SSL_CK_RC4_128_EXPORT40_WITH_MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export + 0x00,0x28 - EXP-KRB5-RC4-SHA TLS_KRB5_EXPORT_WITH_RC4_40_SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=SHA1 export + 0x00,0x2B - EXP-KRB5-RC4-MD5 TLS_KRB5_EXPORT_WITH_RC4_40_MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=MD5 export + 0xC0,0x10 - ECDHE-RSA-NULL-SHA TLS_ECDHE_RSA_WITH_NULL_SHA SSLv3 Kx=ECDH Au=RSA Enc=None Mac=SHA1 + 0xC0,0x06 - ECDHE-ECDSA-NULL-SHA TLS_ECDHE_ECDSA_WITH_NULL_SHA SSLv3 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1 + 0xC0,0x15 - AECDH-NULL-SHA TLS_ECDH_anon_WITH_NULL_SHA SSLv3 Kx=ECDH Au=None Enc=None Mac=SHA1 + 0xC0,0x0B - ECDH-RSA-NULL-SHA TLS_ECDH_RSA_WITH_NULL_SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=None Mac=SHA1 + 0xC0,0x01 - ECDH-ECDSA-NULL-SHA TLS_ECDH_ECDSA_WITH_NULL_SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=None Mac=SHA1 + 0xC0,0x3B - ECDHE-PSK-NULL-SHA384 TLS_ECDHE_PSK_WITH_NULL_SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=None Mac=SHA384 + 0xC0,0x3A - ECDHE-PSK-NULL-SHA256 TLS_ECDHE_PSK_WITH_NULL_SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=None Mac=SHA256 + 0xC0,0x39 - ECDHE-PSK-NULL-SHA TLS_ECDHE_PSK_WITH_NULL_SHA SSLv3 Kx=ECDHEPSK Au=PSK Enc=None Mac=SHA1 + 0x00,0xB9 - RSA-PSK-NULL-SHA384 TLS_RSA_PSK_WITH_NULL_SHA384 TLSv1 Kx=RSAPSK Au=RSA Enc=None Mac=SHA384 + 0x00,0xB8 - RSA-PSK-NULL-SHA256 TLS_RSA_PSK_WITH_NULL_SHA256 TLSv1 Kx=RSAPSK Au=RSA Enc=None Mac=SHA256 + 0x00,0xB5 - DHE-PSK-NULL-SHA384 TLS_DHE_PSK_WITH_NULL_SHA384 TLSv1 Kx=DHEPSK Au=PSK Enc=None Mac=SHA384 + 0x00,0xB4 - DHE-PSK-NULL-SHA256 TLS_DHE_PSK_WITH_NULL_SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=None Mac=SHA256 + 0x00,0x2E - RSA-PSK-NULL-SHA TLS_RSA_PSK_WITH_NULL_SHA SSLv3 Kx=RSAPSK Au=RSA Enc=None Mac=SHA1 + 0x00,0x2D - DHE-PSK-NULL-SHA TLS_DHE_PSK_WITH_NULL_SHA SSLv3 Kx=DHEPSK Au=PSK Enc=None Mac=SHA1 + 0x00,0xB1 - PSK-NULL-SHA384 TLS_PSK_WITH_NULL_SHA384 TLSv1 Kx=PSK Au=PSK Enc=None Mac=SHA384 + 0x00,0xB0 - PSK-NULL-SHA256 TLS_PSK_WITH_NULL_SHA256 TLSv1 Kx=PSK Au=PSK Enc=None Mac=SHA256 + 0x00,0x2C - PSK-NULL-SHA TLS_PSK_WITH_NULL_SHA SSLv3 Kx=PSK Au=PSK Enc=None Mac=SHA1 + 0x00,0x3B - NULL-SHA256 TLS_RSA_WITH_NULL_SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=None Mac=SHA256 + 0x00,0x02 - NULL-SHA TLS_RSA_WITH_NULL_SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1 + 0x00,0x01 - NULL-MD5 TLS_RSA_WITH_NULL_MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5 + 0x00,0x82 - GOST94-NULL-GOST94 TLS_GOSTR341094_WITH_NULL_GOSTR3411 TLSv1 Kx=GOST Au=GOST94 Enc=None Mac=GOSTR3411 + 0x00,0x83 - GOST2001-NULL-GOST94 TLS_GOSTR341001_WITH_NULL_GOSTR3411 SSLv3 Kx=GOST Au=GOST01 Enc=None Mac=GOST94 + 0xFF,0x87 - GOST2012256-NULL-STREEBOG256 - SSLv3 Kx=GOST Au=GOST01 Enc=None Mac=STREEBOG256 EOF while read TLS_CIPHER_HEXCODE[TLS_NR_CIPHERS] n TLS_CIPHER_OSSL_NAME[TLS_NR_CIPHERS] TLS_CIPHER_RFC_NAME[TLS_NR_CIPHERS] TLS_CIPHER_SSLVERS[TLS_NR_CIPHERS] TLS_CIPHER_KX[TLS_NR_CIPHERS] TLS_CIPHER_AUTH[TLS_NR_CIPHERS] TLS_CIPHER_ENC[TLS_NR_CIPHERS] TLS_CIPHER_EXPORT[TLS_NR_CIPHERS]; do @@ -8308,7 +8454,7 @@ prepare_logging() { #exec 2> >(tee -a ${LOGFILE} >&2) fi - if "$do_json"; then + if "$do_json" || "$do_pretty_json"; then if [[ -z "$JSONFILE" ]]; then JSONFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".json) elif [[ -d "$JSONFILE" ]]; then @@ -8329,7 +8475,7 @@ prepare_logging() { return 0 } - + # args: string containing ip addresses filter_ip6_address() { local a @@ -8835,7 +8981,7 @@ run_mass_testing_parallel() { fi pr_reverse "====== Running in parallel file batch mode with file=\"$FNAME\" ======"; outln outln "(output is in ....\n)" -#FIXME: once this function is being called we need a handler which does the right thing +#FIXME: once this function is being called we need a handler which does the right thing # ==> not overwrite while read cmdline; do cmdline=$(filter_input "$cmdline") @@ -8896,6 +9042,7 @@ initialize_globals() { do_mass_testing=false do_logging=false do_json=false + do_pretty_json=false do_csv=false do_pfs=false do_protocols=false @@ -9236,6 +9383,18 @@ parse_cmd_line() { [[ $? -eq 0 ]] && shift do_json=true ;; + --json-pretty) + do_pretty_json=true + ;; + --jsonfile-pretty|--jsonfile-pretty=*) + JSONFILE=$(parse_opt_equal_sign "$1" "$2") + [[ $? -eq 0 ]] && shift + do_pretty_json=true + ;; + --severity|--severity=*) + set_severity_level "$(parse_opt_equal_sign "$1" "$2")" + [[ $? -eq 0 ]] && shift + ;; --csv) do_csv=true ;; # DEFINITION of CSVFILE is not arg specified: automagically in parse_hn_port() @@ -9330,11 +9489,16 @@ reset_hostdepended_vars() { lets_roll() { local ret + local section_number=1 [[ -z "$NODEIP" ]] && fatal "$NODE doesn't resolve to an IP address" 2 nodeip_to_proper_ip6 reset_hostdepended_vars determine_rdns + + START_TIME=$(date +%s) + + fileout_section_header $section_number false && ((section_number++)) determine_service "$1" # any starttls service goes here $do_tls_sockets && [[ $TLS_LOW_BYTE -eq 22 ]] && { sslv2_sockets "" "true"; echo "$?" ; exit 0; } @@ -9342,16 +9506,26 @@ lets_roll() { $do_test_just_one && test_just_one ${single_cipher} # all top level functions now following have the prefix "run_" + fileout_section_header $section_number true && ((section_number++)) $do_protocols && { run_protocols; ret=$(($? + ret)); } $do_spdy && { run_spdy; ret=$(($? + ret)); } $do_http2 && { run_http2; ret=$(($? + ret)); } + + fileout_section_header $section_number true && ((section_number++)) $do_std_cipherlists && { run_std_cipherlists; ret=$(($? + ret)); } + + fileout_section_header $section_number true && ((section_number++)) $do_pfs && { run_pfs; ret=$(($? + ret)); } + + fileout_section_header $section_number true && ((section_number++)) $do_server_preference && { run_server_preference; ret=$(($? + ret)); } + + fileout_section_header $section_number true && ((section_number++)) $do_server_defaults && { run_server_defaults; ret=$(($? + ret)); } if $do_header; then #TODO: refactor this into functions + fileout_section_header $section_number true && ((section_number++)) if [[ $SERVICE == "HTTP" ]]; then run_http_header "$URL_PATH" run_http_date "$URL_PATH" @@ -9363,6 +9537,8 @@ lets_roll() { run_more_flags "$URL_PATH" run_rp_banner "$URL_PATH" fi + else + ((section_number++)) fi # vulnerabilities @@ -9370,6 +9546,8 @@ lets_roll() { outln; pr_headlineln " Testing vulnerabilities " outln fi + + fileout_section_header $section_number true && ((section_number++)) $do_heartbleed && { run_heartbleed; ret=$(($? + ret)); } $do_ccs_injection && { run_ccs_injection; ret=$(($? + ret)); } $do_renego && { run_renego; ret=$(($? + ret)); } @@ -9383,11 +9561,17 @@ lets_roll() { $do_beast && { run_beast; ret=$(($? + ret)); } $do_rc4 && { run_rc4; ret=$(($? + ret)); } + fileout_section_header $section_number true && ((section_number++)) $do_allciphers && { run_allciphers; ret=$(($? + ret)); } $do_cipher_per_proto && { run_cipher_per_proto; ret=$(($? + ret)); } + + fileout_section_header $section_number true && ((section_number++)) $do_client_simulation && { run_client_simulation; ret=$(($? + ret)); } + fileout_section_footer + outln + END_TIME=$(date +%s) datebanner " Done" return $ret From a6addba038bb533873c1c3f406a846ee8962bca9 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Thu, 3 Nov 2016 16:14:14 -0400 Subject: [PATCH 2/4] Extend TLS ServerHello parsing (part 2) This PR adds initial parsing of the ServerKeyExchange message to `parse_tls_serverhello()`. For ephemeral DH keys, it extracts the length of the key. For ephemeral ECDH keys that are encoded using the named_curve option, it extracts the length of the key and the name of the curve. --- testssl.sh | 108 ++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 103 insertions(+), 5 deletions(-) diff --git a/testssl.sh b/testssl.sh index c6e9eb7..9beec3f 100755 --- a/testssl.sh +++ b/testssl.sh @@ -5864,13 +5864,17 @@ parse_tls_serverhello() { local tls_handshake_ascii="" tls_alert_ascii="" local -i tls_hello_ascii_len tls_handshake_ascii_len tls_alert_ascii_len msg_len local tls_serverhello_ascii="" + local tls_serverkeyexchange_ascii="" local -i tls_serverhello_ascii_len=0 + local -i tls_serverkeyexchange_ascii_len=0 local tls_alert_descrip tls_sid_len_hex local -i tls_sid_len offset extns_offset local tls_msg_type tls_content_type tls_protocol tls_protocol2 tls_hello_time - local tls_err_level tls_err_descr tls_cipher_suite tls_compression_method - local tls_extensions="" extension_type + local tls_err_level tls_err_descr tls_cipher_suite rfc_cipher_suite tls_compression_method + local tls_extensions="" extension_type named_curve_str="" local -i i j extension_len tls_extensions_len + local -i curve_type named_curve + local -i dh_bits=0 msb mask TLS_TIME="" DETECTED_TLS_VERSION="" @@ -6028,7 +6032,7 @@ parse_tls_serverhello() { done fi - # Now extract just the server hello handshake message. + # Now extract just the server hello and server key exchange handshake messages. tls_handshake_ascii_len=${#tls_handshake_ascii} if [[ $DEBUG -ge 2 ]] && [[ $tls_handshake_ascii_len -gt 0 ]]; then echo "TLS handshake messages:" @@ -6095,6 +6099,13 @@ parse_tls_serverhello() { fi tls_serverhello_ascii="${tls_handshake_ascii:i:msg_len}" tls_serverhello_ascii_len=$msg_len + elif ( [[ "$process_full" == "all" ]] || [[ "$process_full" == "ephemeralkey" ]] ) && [[ "$tls_msg_type" == "0C" ]]; then + if [[ -n "$tls_serverkeyexchange_ascii" ]]; then + debugme pr_warningln "Response contained more than one ServerKeyExchange handshake message." + return 1 + fi + tls_serverkeyexchange_ascii="${tls_handshake_ascii:i:msg_len}" + tls_serverkeyexchange_ascii_len=$msg_len fi done @@ -6224,10 +6235,11 @@ parse_tls_serverhello() { fi echo "===============================================================================" >> $TMPFILE if [[ "${tls_cipher_suite:0:2}" == "00" ]]; then - echo "Cipher : $(show_rfc_style "x${tls_cipher_suite:2:2}")" >> $TMPFILE + rfc_cipher_suite="$(show_rfc_style "x${tls_cipher_suite:2:2}")" else - echo "Cipher : $(show_rfc_style "x${tls_cipher_suite:0:4}")" >> $TMPFILE + rfc_cipher_suite="$(show_rfc_style "x${tls_cipher_suite:0:4}")" fi + echo "Cipher : $rfc_cipher_suite" >> $TMPFILE if [[ "0x${tls_protocol2:2:2}" -le "0x03" ]]; then case $tls_compression_method in 00) echo "Compression: NONE" >> $TMPFILE ;; @@ -6263,6 +6275,92 @@ parse_tls_serverhello() { fi outln fi + + # Now parse the server key exchange message + if [[ $tls_serverkeyexchange_ascii_len -ne 0 ]]; then + if [[ $rfc_cipher_suite =~ "TLS_ECDHE_" ]] || [[ $rfc_cipher_suite =~ "TLS_ECDH_anon" ]]; then + if [[ $tls_serverkeyexchange_ascii_len -lt 6 ]]; then + debugme echo "Malformed ServerKeyExchange Handshake message in ServerHello." + tmpfile_handle $FUNCNAME.txt + return 1 + fi + curve_type=$(hex2dec "${tls_serverkeyexchange_ascii:0:2}") + if [[ $curve_type -eq 3 ]]; then + # named_curve - the curve is identified by a 2-byte number + named_curve=$(hex2dec "${tls_serverkeyexchange_ascii:2:4}") + # http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + case $named_curve in + 1) dh_bits=163 ; named_curve_str="K-163" ;; + 2) dh_bits=163 ; named_curve_str="sect163r1" ;; + 3) dh_bits=163 ; named_curve_str="B-163" ;; + 4) dh_bits=193 ; named_curve_str="sect193r1" ;; + 5) dh_bits=193 ; named_curve_str="sect193r2" ;; + 6) dh_bits=233 ; named_curve_str="K-233" ;; + 7) dh_bits=233 ; named_curve_str="B-233" ;; + 8) dh_bits=239 ; named_curve_str="sect239k1" ;; + 9) dh_bits=283 ; named_curve_str="K-283" ;; + 10) dh_bits=283 ; named_curve_str="B-283" ;; + 11) dh_bits=409 ; named_curve_str="K-409" ;; + 12) dh_bits=409 ; named_curve_str="B-409" ;; + 13) dh_bits=571 ; named_curve_str="K-571" ;; + 14) dh_bits=571 ; named_curve_str="B-571" ;; + 15) dh_bits=160 ; named_curve_str="secp160k1" ;; + 16) dh_bits=160 ; named_curve_str="secp160r1" ;; + 17) dh_bits=160 ; named_curve_str="secp160r2" ;; + 18) dh_bits=192 ; named_curve_str="secp192k1" ;; + 19) dh_bits=192 ; named_curve_str="P-192" ;; + 20) dh_bits=224 ; named_curve_str="secp224k1" ;; + 21) dh_bits=224 ; named_curve_str="P-224" ;; + 22) dh_bits=256 ; named_curve_str="secp256k1" ;; + 23) dh_bits=256 ; named_curve_str="P-256" ;; + 24) dh_bits=384 ; named_curve_str="P-384" ;; + 25) dh_bits=521 ; named_curve_str="P-521" ;; + 26) dh_bits=256 ; named_curve_str="brainpoolP256r1" ;; + 27) dh_bits=384 ; named_curve_str="brainpoolP384r1" ;; + 28) dh_bits=512 ; named_curve_str="brainpoolP512r1" ;; + 29) dh_bits=256 ; named_curve_str="X25519" ;; + 30) dh_bits=448 ; named_curve_str="X448" ;; + esac + fi + [[ $DEBUG -ge 2 ]] && [[ $dh_bits -ne 0 ]] && echo "dh_bits: ECDH, $named_curve_str, $dh_bits bits" + [[ $dh_bits -ne 0 ]] && echo "Server Temp Key: ECDH, $named_curve_str, $dh_bits bits" >> $TMPFILE + elif [[ $rfc_cipher_suite =~ "TLS_DHE_" ]] || [[ $rfc_cipher_suite =~ "TLS_DH_anon" ]]; then + # For DH ephemeral keys the first field is p, and the length of + # p is the same as the length of the public key. + if [[ $tls_serverkeyexchange_ascii_len -lt 4 ]]; then + debugme echo "Malformed ServerKeyExchange Handshake message in ServerHello." + tmpfile_handle $FUNCNAME.txt + return 1 + fi + dh_bits=$(hex2dec "${tls_serverkeyexchange_ascii:0:4}") + offset=4+2*$dh_bits + if [[ $tls_serverkeyexchange_ascii_len -lt $offset ]]; then + debugme echo "Malformed ServerKeyExchange Handshake message in ServerHello." + tmpfile_handle $FUNCNAME.txt + return 1 + fi + + # Subtract any leading 0 bits + for (( i=4; i < offset; i=i+2 )); do + [[ "${tls_serverkeyexchange_ascii:i:2}" != "00" ]] && break + dh_bits=$dh_bits-1 + done + if [[ $i -ge $offset ]]; then + debugme echo "Malformed ServerKeyExchange Handshake message in ServerHello." + tmpfile_handle $FUNCNAME.txt + return 1 + fi + + dh_bits=8*$dh_bits + msb=$(hex2dec "${tls_serverkeyexchange_ascii:i:2}") + for (( mask=128; msb < mask; mask/=2 )); do + dh_bits=$dh_bits-1 + done + + [[ $DEBUG -ge 2 ]] && [[ $dh_bits -ne 0 ]] && echo "dh_bits: DH,$named_curve_str $dh_bits bits" + [[ $dh_bits -ne 0 ]] && echo "Server Temp Key: DH,$named_curve_str $dh_bits bits" >> $TMPFILE + fi + fi tmpfile_handle $FUNCNAME.txt return 0 } From ebc1f691b9d09c757de881c2028c10a261c23b8a Mon Sep 17 00:00:00 2001 From: AlGreed Date: Fri, 4 Nov 2016 03:05:37 +0100 Subject: [PATCH 3/4] Merge remote-tracking branch 'drwetter/2.9dev' into 2.9dev --- .gitignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitignore b/.gitignore index adad0cf..cf8dc88 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,7 @@ .DS_Store tmp.json *.bak + +*.xml + +*.iml From e8d7e16a9d84c6a7d9a8a82fdccf7d9a71b53970 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 4 Nov 2016 08:35:27 +0100 Subject: [PATCH 4/4] handle better missing ca_hashes.txt --- testssl.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 16703cc..d1ba2b3 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1335,7 +1335,7 @@ run_hpkp() { # we compare now against a precompiled list of SPKIs against the ROOT CAs we have in $ca_hashes if ! "$certificate_found"; then - hpkp_matches=$(grep -h "$hpkp_spki" $ca_hashes | sort -u) + hpkp_matches=$(grep -h "$hpkp_spki" $ca_hashes 2>/dev/null | sort -u) if [[ -n $hpkp_matches ]]; then certificate_found=true # root CA found spki_match=true @@ -1397,6 +1397,11 @@ run_hpkp() { outln "$spaces_indented ${backup_spki[i]}" fi done + if [[ ! -f "$ca_hashes" ]] && "$spki_match"; then + out "$spaces " + pr_warningln "Attribution of further hashes couldn't be done as $ca_hashes could not be found" + fileout "hpkp_spkimatch" "WARN" "Attribution of further hashes couldn't be done as $ca_hashes could not be found" + fi # If all else fails... if ! "$spki_match"; then