Giters

arlimus / sslshake

Ruby library for pure SSL/TLS handshake testing. No additional requirements.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

TLS 1.2 Client Hello CipherSuite Problem

supergicko opened this issue · comments

commented

hi @adamcaudill @arlimus

I used the newest sslshake library to test the new sni feature from @adamcaudill in #5. Works fine

However, another problem is raising up.

When having '5600' => 'TLS_FALLBACK_SCSV' in the Ciphers list, the handshake fails when having only ECDHE Ciphers on the Server Side (nginx config below)

So my question to you guys is:
do we really need the TLS_FALLBACK_SCSV CipherSuite for sslshake in the Client Hello? (thinking about why it exists i think it is not really needed in a library used for testing)

Situation:
TLS 1.2 ONLY activated
nginx config:

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_ecdh_curve secp384r1;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;