NAME
    Net::SSL::Handshake - SSL Handshake on an existing connection or open a new one

VERSION
    Version 0.1.x, $Revision: 646 $

SYNOPSIS
    my $handshake = Net::SSL::Handshake->new(
        socket  => $socket,
        timeout => $timeout,
        host    => $hostname,
        port    => $port,
        ciphers => $ciphers,
    );

    $handshake->hello;

DESCRIPTION
    Attributes:

        Timeouts for IO::Socket::Timeout (read, write)
        Default: read from socket obj???? or 30 seconds? or what else!

        socket
        version
        random and other parameters to ssl etc (default random)

        +++ IDN via Net::IDN::Encode (for SNI)

    Modules: Net::SSL::StartTLS::SMTP, ...

    Peter Mosmans openssl: https://github.com/PeterMosmans/openssl/

        # Build OpenSSL TEST!
        git clone https://github.com/PeterMosmans/openssl.git --depth 1 -b 1.0.2-chacha openssl-chacha

        # config, make & install
        CFLAGS="-O3 -fno-strict-aliasing -pipe -march=native -mtune=native -fstack-protector" \
          ./Configure darwin64-x86_64-cc \
          --prefix=/Users/alvar/Documents/Code/externes/openssl-chacha/installdir \
          --openssldir=/Users/alvar/Documents/Code/externes/openssl-chacha/installdir/openssl \
          enable-asm threads shared zlib enable-ssl2 enable-ssl3 enable-md2 enable-rc5 \
          no-gmp no-rfc3779 enable-ec_nistp_64_gcc_128 \
          zlib no-shared experimental-jpake enable-md2 enable-rc5 enable-rfc3779 \
          enable-gost enable-static-engine

        make depend && make && make test && make report && make install

        # Via: https://github.com/jvehent/cipherscan

        # cert list
        openssl ciphers -l -V ALL:eNULL:aNULL
        /Users/alvar/Documents/Code/externes/openssl-chacha/installdir/bin/openssl ciphers -l -V ALL:eNULL:aNULL

        # Self-signed cert:
        openssl req -new -newkey rsa:2048 -days 36500 -nodes -x509 -keyout server.pem -out server.pem

        # Server:
        man s_server

        # Install openssl with SSLv2 and SSLv3 etc
        CFLAGS="-O3 -fno-strict-aliasing -pipe -march=native -mtune=native -fstack-protector" \
          ./Configure darwin64-x86_64-cc \
          --prefix=/Users/alvar/Documents/Code/externes/openssl-1.0.2d/installdir \
          --openssldir=/Users/alvar/Documents/Code/externes/openssl-1.0.2d/installdir/openssl \
          enable-asm threads shared zlib zlib-dynamic enable-ssl2 enable-ssl3 enable-md2 enable-rc5 \
          no-gmp no-rfc3779 enable-ec_nistp_64_gcc_128

        make depend
        make && make test && make install

        # Start server
        /Users/alvar/Documents/Code/externes/openssl-1.0.2d/installdir/bin/openssl s_server -HTTP -accept 443
        # or with www

    Standard TLS/SSL handshake packets (Python, from sslmap):

        # Standard TLS/SSL handshake
        handshake_pkts = {
            "TLS v1.3": '\x80\x2c\x01\x03\x04\x00\x03\x00\x00\x00\x20',
            "TLS v1.2": '\x80\x2c\x01\x03\x03\x00\x03\x00\x00\x00\x20',
            "TLS v1.1": '\x80\x2c\x01\x03\x02\x00\x03\x00\x00\x00\x20',
            "TLS v1.0": '\x80\x2c\x01\x03\x01\x00\x03\x00\x00\x00\x20',
            "SSL v3.0": '\x80\x2c\x01\x03\x00\x00\x03\x00\x00\x00\x20',
            "SSL v2.0": '\x80\x2c\x01\x00\x02\x00\x03\x00\x00\x00\x20'
        }

        https://github.com/iphelix/sslmap/blob/master/sslmap.py

  SSL Handshake
    https://github.com/iphelix/sslmap/blob/master/sslmap.py
    https://labs.portcullis.co.uk/tools/ssl-cipher-suite-enum/
    https://github.com/drwetter/testssl.sh
    https://testssl.sh

    pack types:

        C     unsigned 8 bit char
        n     unsigned short, 16 bit, network order
        a     binary string, NULL padded

  SSLv2
    Client sends Client hello

    max 256 bytes for F5! (Bug)
    https://code.google.com/p/chromium/issues/detail?id=245500
    Fixed at least since 09/29/2011

    Client-Hello SSLv2:

        # Header
        n     Message len | 0x8000

        # Data. len: message len
        C     Message Type: SSL_MT_CLIENT_HELLO
        n     Client-Version
        n     Cipher spec len
        n     Session-ID len => 0
        n     challenge len
        a*    cipher spec data
        a*    session id data => empty
        a*    challenge data

    alternative header (3 bytes):

        # Header
        n     Message len
        C     Padding (number of bytes added at the end of data part!)

  SSLv3 and TLS
        C     record Type / SSL record type = 22 (SSL3_RT_HANDSHAKE)
        n     SSL Version
        n     Record len

        # Record:
        C     Message Type / Handshake type
        C     0x00 / Length of data to follow in this record (3 Bytes!)
        n     Message len / Length rest

        ## Data
        n     SSL/TLS Version
        a[32] challenge
        C     session ID len
        n     cipher spec len
        a*    cipher spec
        C     compression method len (1)
        C*    compression method (0x00)
        n     length extensions
        a*    extensions data

        ## Extensions: SNI,

        # Hello Extensions format:
        n     extension type
        n     Length extension data
        a*    data

        # data for hello extension sni:
        n     len of list (bytes)
        C     Nametype (host_name: 0x00)
        n     len host name
        a*    hostname (IDN!)

        $clientHello_extensions = pack(
            "n n n C n a[$clientHello{'extension_sni_len'}]",
            $clientHello{'extension_type_server_name'},    # n
            $clientHello{'extension_len'},                 # n
            $clientHello{'extension_sni_list_len'},        # n
            $clientHello{'extension_sni_type'},            # C
            $clientHello{'extension_sni_len'},             # n
            $clientHello{'extension_sni_name'},            # a[$clientHello{'extension_sni_len'}]
        );

        # Hello message body; the result is wrapped into the record further below
        $clientHello_tmp = pack(
            "n a[32] C n a[$clientHello{'cipher_spec_len'}] C C[$clientHello{'compression_method_len'}] a[$clientHello{'extensions_total_len'}]",
            $clientHello{'version'},                   # n
            $clientHello{'challenge'},                 # a[32] = gmt + random [4] + [28] Bytes
            $clientHello{'session_id_len'},            # C
            $clientHello{'cipher_spec_len'},           # n
            $clientHello{'cipher_spec'},               # a[$clientHello{'cipher_spec_len'}]
            $clientHello{'compression_method_len'},    # C (0x01)
            $clientHello{'compression_method'},        # C[len] (0x00)
            $clientHello_extensions                    # optional
        );

    https://www-01.ibm.com/support/knowledgecenter/#!/SSB23S_1.1.0.10/com.ibm.ztpf-ztpfdf.doc_put.10/gtps5/s5rcd.html?cp=SSB23S_1.1.0.10%2F0-1-8-2-3

    possible handshake types:

        SSL3_MT_HELLO_REQUEST            0 (x'00')
        SSL3_MT_CLIENT_HELLO             1 (x'01')
        SSL3_MT_SERVER_HELLO             2 (x'02')
        SSL3_MT_CERTIFICATE             11 (x'0B')
        SSL3_MT_SERVER_KEY_EXCHANGE     12 (x'0C')
        SSL3_MT_CERTIFICATE_REQUEST     13 (x'0D')
        SSL3_MT_SERVER_DONE             14 (x'0E')
        SSL3_MT_CERTIFICATE_VERIFY      15 (x'0F')
        SSL3_MT_CLIENT_KEY_EXCHANGE     16 (x'10')
        SSL3_MT_FINISHED                20 (x'14')

        $clientHello{'msg_len'}    = length($clientHello_tmp);
        $clientHello{'record_len'} = $clientHello{'msg_len'} + 4;

        $clientHello = pack(
            "C n n C C n a*",
            $clientHello{'record_type'},       # C
            $clientHello{'record_version'},    # n
            $clientHello{'record_len'},        # n
            $clientHello{'msg_type'},          # C
            0x00,                              # C (0x00)
            $clientHello{'msg_len'},           # n
            $clientHello_tmp                   # a
        );

  Server-Hello
    The SSL Handshake Protocol defines the following errors:

    NO-CIPHER-ERROR
        This error is returned by the client to the server when it cannot
        find a cipher or key size that it supports that is also supported
        by the server. This error is not recoverable.

  send_record
    sends the record to the server

  add_to_record
    adds a template and some data to a record

  record_as_string
    returns the record as a string; checks for SSLv2 / SSLv3 / TLS

  clear_record
    clears the template etc

  challenge
    generate some random ...

  close_notify
    send a "close notify" alert

  ->hello
    Send client hello, receive and parse server hello....

  build_client_hello
    build client hello message

  ->build_extensions
    Builds the hello extensions

  receive_record
    receive and parse server record ...

  parse_handshake($data)
    Parse SSLv3+ Handshake

  sslv2_server_hello
    SERVER-HELLO (Phase 1; Sent in the clear)

        0 char MSG-SERVER-HELLO
        1 char SESSION-ID-HIT
        2 char CERTIFICATE-TYPE
        3 char SERVER-VERSION-MSB
        4 char SERVER-VERSION-LSB
        5 char CERTIFICATE-LENGTH-MSB
        6 char CERTIFICATE-LENGTH-LSB
        7 char CIPHER-SPECS-LENGTH-MSB
        8 char CIPHER-SPECS-LENGTH-LSB
        9 char CONNECTION-ID-LENGTH-MSB
        10 char CONNECTION-ID-LENGTH-LSB
        char CERTIFICATE-DATA[MSB<<8|LSB]
        char CIPHER-SPECS-DATA[MSB<<8|LSB]
        char CONNECTION-ID-DATA[MSB<<8|LSB]

  parse_alert
    parse alert message
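The SSLv3/TLS ClientHello layout and the SNI extension format from the notes above, worked through as an added example (not code from Net::SSL::Handshake): it builds the record with Perl's `n/a*` length-prefix templates instead of hand-computed length fields, then walks the same structure back to recover the SNI host name and rejects a truncated record. The function names, host name and cipher suite values are constructed for illustration, and the host name is assumed to be ASCII already (any IDN encoding happens before this step).

```perl
use strict;
use warnings;
# Build a ClientHello record. "n/a*" derives each length from the data it covers.
sub build_client_hello {
    my ($host, $version, @ciphers) = @_;
    my $list = pack("C n/a*", 0x00, $host);                  # host_name entry
    my $ext  = pack("n n/a*", 0x0000, pack("n/a*", $list));  # server_name extension
    my $body = pack("n a[32] C n/a* C C n/a*", $version,
        pack("N", time) . "\0" x 28, 0,         # placeholder challenge, empty session ID
        pack("n*", @ciphers), 1, 0x00, $ext);   # suites, null compression, extensions
    my $msg = pack("C C n/a*", 0x01, 0x00, $body);   # client hello, length as C + n
    return pack("C n n/a*", 22, $version, $msg);     # record type 22 = handshake
}

# Split off one length-prefixed field ($w = prefix width); die if it is cut short.
sub take {
    my ($w, $buf) = @_;
    die "truncated\n" if length($buf) < $w;
    my $len = unpack($w == 1 ? "C" : "n", $buf);
    die "truncated\n" if length($buf) < $w + $len;
    return (substr($buf, $w, $len), substr($buf, $w + $len));
}

# Return the SNI host name of a ClientHello record, or undef if absent or malformed.
sub sni_from_client_hello {
    my ($rec) = @_;
    return scalar eval {
        die "not a handshake record\n" unless length($rec) >= 3 && ord($rec) == 22;
        my ($msg) = take(2, substr($rec, 3));
        die "not a client hello\n" unless substr($msg, 0, 2) eq "\x01\x00";
        my ($body) = take(2, substr($msg, 2));
        die "short body\n" if length($body) < 34;
        my $p = substr($body, 34);                  # skip version and challenge
        (undef, $p) = take($_, $p) for 1, 2, 1;     # session ID, suites, compression
        my ($exts) = take(2, $p);
        while (length($exts) >= 2) {
            my $etype = unpack("n", $exts);
            (my $edata, $exts) = take(2, substr($exts, 2));
            next unless $etype == 0;                # 0 = server_name
            my ($list) = take(2, $edata);
            return +(take(2, substr($list, 1)))[0] if length($list) && ord($list) == 0;
        }
        return undef;
    };
}

# Constructed sample: host name and cipher suite values are illustrative.
my $hello = build_client_hello("www.example.org", 0x0303, 0x002f, 0x0035);
printf "%d bytes, SNI %s\n", length($hello), sni_from_client_hello($hello);
printf "truncated: %s\n", sni_from_client_hello(substr($hello, 0, -5)) // "rejected";
```

The parser checks every declared length against the bytes actually present, so a record cut off mid-field is rejected rather than yielding a partial host name.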