Testing TLS supported cipher remotely

The TLS protocol doesn’t support querying the server for its capabilities. The usual way is the client send all its supported choices, and the server picks one and reply or close the connection if there’s no choices that intersect with the server choices.

There’s a couple of others program that does that, but i didn’t find any that does that optimally. Indeed the usual technique consists in enumerating from 0 to N, and thus opening connections and sending packet, N times.

Since I have all the TLS library available, all the sending packet and marshalling is done for me. I only need the algorithm to open and query.

There’s way to optimise even more the algorithm, merely by knowing the usual ciphers supported, but I decided to not bother, and implement a simple dichotomy.

The algorithm is simple:

  1. send a list of ciphers

  2. if the server reply succesfully, filter the choosen cipher, cut the remaining list in half, proceed to 1 for both remaining lists.

  3. if the server closes the connection, the whole list of ciphers is not supported.

[image|checkciphers.png]

You can find the code on github


posted by Vincent Hanquez on March 22, 2011.

tags tls, ssl, remote.

in technical.