Skip to content

Instantly share code, notes, and snippets.

@husobee
Last active December 14, 2020 17:52
Show Gist options
  • Save husobee/6e9f998653d66f7481da to your computer and use it in GitHub Desktop.
Save husobee/6e9f998653d66f7481da to your computer and use it in GitHub Desktop.
discovery of tls in go, and the handshake process
package main
import (
"crypto/tls"
"encoding/json"
"fmt"
"log"
"net"
"net/http"
)
var tlsInfoChan = make(chan output)
func connStateHook(c net.Conn, state http.ConnState) {
if state == http.StateActive {
if cc, ok := c.(*tls.Conn); ok {
state := cc.ConnectionState()
switch state.Version {
case tls.VersionSSL30:
log.Println("negotiated to Version: VersionSSL30")
case tls.VersionTLS10:
log.Println("negotiated to Version: VersionTLS10")
case tls.VersionTLS11:
log.Println("negotiated to Version: VersionTLS11")
case tls.VersionTLS12:
log.Println("negotiated to Version: VersionTLS12")
default:
log.Println("negotiated to Unknown TLS version")
}
}
}
}
type output struct {
SupportedSuites []string `json:"supported_suites"`
SupportedCurves []string `json:"supported_curves"`
SupportedPoints []string `json:"supported_points"`
}
func getCertificateHook(helloInfo *tls.ClientHelloInfo) (*tls.Certificate, error) {
o := &output{}
for _, suite := range helloInfo.CipherSuites {
if v, exists := CipherSuiteMap[suite]; exists {
o.SupportedSuites = append(o.SupportedSuites, v)
} else {
o.SupportedSuites = append(o.SupportedSuites, fmt.Sprintf("Unknown, 0x%x", suite))
}
}
for _, curve := range helloInfo.SupportedCurves {
if v, exists := CurveMap[curve]; exists {
o.SupportedCurves = append(o.SupportedCurves, v)
} else {
o.SupportedCurves = append(o.SupportedCurves, fmt.Sprintf("Unknown, 0x%x", curve))
}
// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8
}
for _, point := range helloInfo.SupportedPoints {
// http://tools.ietf.org/html/rfc4492#section-5.1.2).
o.SupportedPoints = append(o.SupportedPoints, fmt.Sprintf("0x%x", point))
}
j, _ := json.Marshal(o)
log.Println(string(j))
return nil, nil
}
var nilHandler http.HandlerFunc = func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(204)
}
func main() {
s := &http.Server{
Addr: ":1234",
ConnState: connStateHook,
Handler: nilHandler,
TLSConfig: &tls.Config{
GetCertificate: getCertificateHook,
},
}
s.ListenAndServeTLS("cert.pem", "key.pem")
}
package main
import "crypto/tls"
var (
CurveMap = map[tls.CurveID]string{
0: "Unassigned",
1: "sect163k1Y",
2: "sect163r1Y",
3: "sect163r2Y",
4: "sect193r1Y",
5: "sect193r2Y",
6: "sect233k1Y",
7: "sect233r1Y",
8: "sect239k1Y",
9: "sect283k1Y",
10: "sect283r1Y",
11: "sect409k1Y",
12: "sect409r1Y",
13: "sect571k1Y",
14: "sect571r1Y",
15: "secp160k1Y",
16: "secp160r1Y",
17: "secp160r2Y",
18: "secp192k1Y",
19: "secp192r1Y",
20: "secp224k1Y",
21: "secp224r1Y",
22: "secp256k1Y",
23: "secp256r1Y",
24: "secp384r1Y",
25: "secp521r1Y",
26: "brainpoolP256r1Y",
27: "brainpoolP384r1Y",
28: "brainpoolP512r1Y",
257: "ffdhe3072Y",
258: "ffdhe4096Y",
259: "ffdhe6144Y",
260: "ffdhe8192Y",
65281: "arbitrary_explicit_prime_curvesY",
65282: "arbitrary_explicit_char2_curvesY",
}
// CipherSuiteMap - list of ciphersuites based on: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
// reserved/unknown items are excluded.
CipherSuiteMap = map[uint16]string{
0x0000: "TLS_NULL_WITH_NULL_NULLY",
0x0001: "TLS_RSA_WITH_NULL_MD5Y",
0x0002: "TLS_RSA_WITH_NULL_SHAY",
0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5N",
0x0004: "TLS_RSA_WITH_RC4_128_MD5N",
0x0005: "TLS_RSA_WITH_RC4_128_SHAN",
0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5Y",
0x0007: "TLS_RSA_WITH_IDEA_CBC_SHAY",
0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHAY",
0x0009: "TLS_RSA_WITH_DES_CBC_SHAY",
0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHAY",
0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHAY",
0x000C: "TLS_DH_DSS_WITH_DES_CBC_SHAY",
0x000D: "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHAY",
0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHAY",
0x000F: "TLS_DH_RSA_WITH_DES_CBC_SHAY",
0x0010: "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHAY",
0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHAY",
0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHAY",
0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHAY",
0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHAY",
0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHAY",
0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHAY",
0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5N",
0x0018: "TLS_DH_anon_WITH_RC4_128_MD5N",
0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHAY",
0x001A: "TLS_DH_anon_WITH_DES_CBC_SHAY",
0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHAY",
0x001E: "TLS_KRB5_WITH_DES_CBC_SHAY",
0x001F: "TLS_KRB5_WITH_3DES_EDE_CBC_SHAY",
0x0020: "TLS_KRB5_WITH_RC4_128_SHAN",
0x0021: "TLS_KRB5_WITH_IDEA_CBC_SHAY",
0x0022: "TLS_KRB5_WITH_DES_CBC_MD5Y",
0x0023: "TLS_KRB5_WITH_3DES_EDE_CBC_MD5Y",
0x0024: "TLS_KRB5_WITH_RC4_128_MD5N",
0x0025: "TLS_KRB5_WITH_IDEA_CBC_MD5Y",
0x0026: "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHAY",
0x0027: "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHAY",
0x0028: "TLS_KRB5_EXPORT_WITH_RC4_40_SHAN",
0x0029: "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5Y",
0x002A: "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5Y",
0x002B: "TLS_KRB5_EXPORT_WITH_RC4_40_MD5N",
0x002C: "TLS_PSK_WITH_NULL_SHAY",
0x002D: "TLS_DHE_PSK_WITH_NULL_SHAY",
0x002E: "TLS_RSA_PSK_WITH_NULL_SHAY",
0x002F: "TLS_RSA_WITH_AES_128_CBC_SHAY",
0x0030: "TLS_DH_DSS_WITH_AES_128_CBC_SHAY",
0x0031: "TLS_DH_RSA_WITH_AES_128_CBC_SHAY",
0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHAY",
0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHAY",
0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHAY",
0x0035: "TLS_RSA_WITH_AES_256_CBC_SHAY",
0x0036: "TLS_DH_DSS_WITH_AES_256_CBC_SHAY",
0x0037: "TLS_DH_RSA_WITH_AES_256_CBC_SHAY",
0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHAY",
0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHAY",
0x003A: "TLS_DH_anon_WITH_AES_256_CBC_SHAY",
0x003B: "TLS_RSA_WITH_NULL_SHA256Y",
0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256Y",
0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256Y",
0x003E: "TLS_DH_DSS_WITH_AES_128_CBC_SHA256Y",
0x003F: "TLS_DH_RSA_WITH_AES_128_CBC_SHA256Y",
0x0040: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256Y",
0x0041: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHAY",
0x0042: "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHAY",
0x0043: "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHAY",
0x0044: "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHAY",
0x0045: "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHAY",
0x0046: "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHAY",
0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256Y",
0x0068: "TLS_DH_DSS_WITH_AES_256_CBC_SHA256Y",
0x0069: "TLS_DH_RSA_WITH_AES_256_CBC_SHA256Y",
0x006A: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256Y",
0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256Y",
0x006C: "TLS_DH_anon_WITH_AES_128_CBC_SHA256Y",
0x006D: "TLS_DH_anon_WITH_AES_256_CBC_SHA256Y",
0x0084: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHAY",
0x0085: "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHAY",
0x0086: "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHAY",
0x0087: "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHAY",
0x0088: "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHAY",
0x0089: "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHAY",
0x008A: "TLS_PSK_WITH_RC4_128_SHAN",
0x008B: "TLS_PSK_WITH_3DES_EDE_CBC_SHAY",
0x008C: "TLS_PSK_WITH_AES_128_CBC_SHAY",
0x008D: "TLS_PSK_WITH_AES_256_CBC_SHAY",
0x008E: "TLS_DHE_PSK_WITH_RC4_128_SHAN",
0x008F: "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHAY",
0x0090: "TLS_DHE_PSK_WITH_AES_128_CBC_SHAY",
0x0091: "TLS_DHE_PSK_WITH_AES_256_CBC_SHAY",
0x0092: "TLS_RSA_PSK_WITH_RC4_128_SHAN",
0x0093: "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHAY",
0x0094: "TLS_RSA_PSK_WITH_AES_128_CBC_SHAY",
0x0095: "TLS_RSA_PSK_WITH_AES_256_CBC_SHAY",
0x0096: "TLS_RSA_WITH_SEED_CBC_SHAY",
0x0097: "TLS_DH_DSS_WITH_SEED_CBC_SHAY",
0x0098: "TLS_DH_RSA_WITH_SEED_CBC_SHAY",
0x0099: "TLS_DHE_DSS_WITH_SEED_CBC_SHAY",
0x009A: "TLS_DHE_RSA_WITH_SEED_CBC_SHAY",
0x009B: "TLS_DH_anon_WITH_SEED_CBC_SHAY",
0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256Y",
0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384Y",
0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256Y",
0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384Y",
0x00A0: "TLS_DH_RSA_WITH_AES_128_GCM_SHA256Y",
0x00A1: "TLS_DH_RSA_WITH_AES_256_GCM_SHA384Y",
0x00A2: "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256Y",
0x00A3: "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384Y",
0x00A4: "TLS_DH_DSS_WITH_AES_128_GCM_SHA256Y",
0x00A5: "TLS_DH_DSS_WITH_AES_256_GCM_SHA384Y",
0x00A6: "TLS_DH_anon_WITH_AES_128_GCM_SHA256Y",
0x00A7: "TLS_DH_anon_WITH_AES_256_GCM_SHA384Y",
0x00A8: "TLS_PSK_WITH_AES_128_GCM_SHA256Y",
0x00A9: "TLS_PSK_WITH_AES_256_GCM_SHA384Y",
0x00AA: "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256Y",
0x00AB: "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384Y",
0x00AC: "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256Y",
0x00AD: "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384Y",
0x00AE: "TLS_PSK_WITH_AES_128_CBC_SHA256Y",
0x00AF: "TLS_PSK_WITH_AES_256_CBC_SHA384Y",
0x00B0: "TLS_PSK_WITH_NULL_SHA256Y",
0x00B1: "TLS_PSK_WITH_NULL_SHA384Y",
0x00B2: "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256Y",
0x00B3: "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384Y",
0x00B4: "TLS_DHE_PSK_WITH_NULL_SHA256Y",
0x00B5: "TLS_DHE_PSK_WITH_NULL_SHA384Y",
0x00B6: "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256Y",
0x00B7: "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384Y",
0x00B8: "TLS_RSA_PSK_WITH_NULL_SHA256Y",
0x00B9: "TLS_RSA_PSK_WITH_NULL_SHA384Y",
0x00BA: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256Y",
0x00BB: "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256Y",
0x00BC: "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256Y",
0x00BD: "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256Y",
0x00BE: "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256Y",
0x00BF: "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256Y",
0x00C0: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256Y",
0x00C1: "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256Y",
0x00C2: "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256Y",
0x00C3: "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256Y",
0x00C4: "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256Y",
0x00C5: "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256Y",
0x00ff: "TLS_EMPTY_RENEGOTIATION_INFO_SCSVY",
0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHAN",
0xC003: "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHAY",
0xC004: "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHAY",
0xC005: "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHAY",
0xC006: "TLS_ECDHE_ECDSA_WITH_NULL_SHAY",
0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHAN",
0xC008: "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHAY",
0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHAY",
0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHAY",
0xC00B: "TLS_ECDH_RSA_WITH_NULL_SHAY",
0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHAN",
0xC00D: "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHAY",
0xC00E: "TLS_ECDH_RSA_WITH_AES_128_CBC_SHAY",
0xC00F: "TLS_ECDH_RSA_WITH_AES_256_CBC_SHAY",
0xC010: "TLS_ECDHE_RSA_WITH_NULL_SHAY",
0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHAN",
0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHAY",
0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHAY",
0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHAY",
0xC015: "TLS_ECDH_anon_WITH_NULL_SHAY",
0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHAN",
0xC017: "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHAY",
0xC018: "TLS_ECDH_anon_WITH_AES_128_CBC_SHAY",
0xC019: "TLS_ECDH_anon_WITH_AES_256_CBC_SHAY",
0xC01A: "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHAY",
0xC01B: "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHAY",
0xC01C: "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHAY",
0xC01D: "TLS_SRP_SHA_WITH_AES_128_CBC_SHAY",
0xC01E: "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHAY",
0xC01F: "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHAY",
0xC020: "TLS_SRP_SHA_WITH_AES_256_CBC_SHAY",
0xC021: "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHAY",
0xC022: "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHAY",
0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256Y",
0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384Y",
0xC025: "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256Y",
0xC026: "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384Y",
0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256Y",
0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384Y",
0xC029: "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256Y",
0xC02A: "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384Y",
0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256Y",
0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384Y",
0xC02D: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256Y",
0xC02E: "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384Y",
0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256Y",
0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384Y",
0xC031: "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256Y",
0xC032: "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384Y",
0xC033: "TLS_ECDHE_PSK_WITH_RC4_128_SHAN",
0xC034: "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHAY",
0xC035: "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHAY",
0xC036: "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHAY",
0xC037: "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256Y",
0xC038: "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384Y",
0xC039: "TLS_ECDHE_PSK_WITH_NULL_SHAY",
0xC03A: "TLS_ECDHE_PSK_WITH_NULL_SHA256Y",
0xC03B: "TLS_ECDHE_PSK_WITH_NULL_SHA384Y",
0xC03C: "TLS_RSA_WITH_ARIA_128_CBC_SHA256Y",
0xC03D: "TLS_RSA_WITH_ARIA_256_CBC_SHA384Y",
0xC03E: "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256Y",
0xC03F: "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384Y",
0xC040: "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256Y",
0xC041: "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384Y",
0xC042: "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256Y",
0xC043: "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384Y",
0xC044: "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256Y",
0xC045: "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384Y",
0xC046: "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256Y",
0xC047: "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384Y",
0xC048: "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256Y",
0xC049: "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384Y",
0xC04A: "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256Y",
0xC04B: "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384Y",
0xC04C: "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256Y",
0xC04D: "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384Y",
0xC04E: "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256Y",
0xC04F: "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384Y",
0xC050: "TLS_RSA_WITH_ARIA_128_GCM_SHA256Y",
0xC051: "TLS_RSA_WITH_ARIA_256_GCM_SHA384Y",
0xC052: "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256Y",
0xC053: "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384Y",
0xC054: "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256Y",
0xC055: "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384Y",
0xC056: "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256Y",
0xC057: "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384Y",
0xC058: "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256Y",
0xC059: "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384Y",
0xC05A: "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256Y",
0xC05B: "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384Y",
0xC05C: "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256Y",
0xC05D: "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384Y",
0xC05E: "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256Y",
0xC05F: "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384Y",
0xC060: "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256Y",
0xC061: "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384Y",
0xC062: "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256Y",
0xC063: "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384Y",
0xC064: "TLS_PSK_WITH_ARIA_128_CBC_SHA256Y",
0xC065: "TLS_PSK_WITH_ARIA_256_CBC_SHA384Y",
0xC066: "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256Y",
0xC067: "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384Y",
0xC068: "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256Y",
0xC069: "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384Y",
0xC06A: "TLS_PSK_WITH_ARIA_128_GCM_SHA256Y",
0xC06B: "TLS_PSK_WITH_ARIA_256_GCM_SHA384Y",
0xC06C: "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256Y",
0xC06D: "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384Y",
0xC06E: "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256Y",
0xC06F: "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384Y",
0xC070: "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256Y",
0xC071: "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384Y",
0xC072: "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256Y",
0xC073: "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384Y",
0xC074: "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256Y",
0xC075: "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384Y",
0xC076: "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256Y",
0xC077: "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384Y",
0xC078: "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256Y",
0xC079: "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384Y",
0xC07A: "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256Y",
0xC07B: "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384Y",
0xC07C: "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256Y",
0xC07D: "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384Y",
0xC07E: "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256Y",
0xC07F: "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384Y",
0xC080: "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256Y",
0xC081: "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384Y",
0xC082: "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256Y",
0xC083: "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384Y",
0xC084: "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256Y",
0xC085: "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384Y",
0xC086: "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256Y",
0xC087: "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384Y",
0xC088: "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256Y",
0xC089: "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384Y",
0xC08A: "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256Y",
0xC08B: "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384Y",
0xC08C: "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256Y",
0xC08D: "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384Y",
0xC08E: "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256Y",
0xC08F: "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384Y",
0xC090: "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256Y",
0xC091: "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384Y",
0xC092: "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256Y",
0xC093: "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384Y",
0xC094: "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256Y",
0xC095: "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384Y",
0xC096: "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256Y",
0xC097: "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384Y",
0xC098: "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256Y",
0xC099: "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384Y",
0xC09A: "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256Y",
0xC09B: "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384Y",
0xC09C: "TLS_RSA_WITH_AES_128_CCMY",
0xC09D: "TLS_RSA_WITH_AES_256_CCMY",
0xC09E: "TLS_DHE_RSA_WITH_AES_128_CCMY",
0xC09F: "TLS_DHE_RSA_WITH_AES_256_CCMY",
0xC0A0: "TLS_RSA_WITH_AES_128_CCM_8Y",
0xC0A1: "TLS_RSA_WITH_AES_256_CCM_8Y",
0xC0A2: "TLS_DHE_RSA_WITH_AES_128_CCM_8Y",
0xC0A3: "TLS_DHE_RSA_WITH_AES_256_CCM_8Y",
0xC0A4: "TLS_PSK_WITH_AES_128_CCMY",
0xC0A5: "TLS_PSK_WITH_AES_256_CCMY",
0xC0A6: "TLS_DHE_PSK_WITH_AES_128_CCMY",
0xC0A7: "TLS_DHE_PSK_WITH_AES_256_CCMY",
0xC0A8: "TLS_PSK_WITH_AES_128_CCM_8Y",
0xC0A9: "TLS_PSK_WITH_AES_256_CCM_8Y",
0xC0AA: "TLS_PSK_DHE_WITH_AES_128_CCM_8Y",
0xC0AB: "TLS_PSK_DHE_WITH_AES_256_CCM_8Y",
0xC0AC: "TLS_ECDHE_ECDSA_WITH_AES_128_CCMY",
0xC0AD: "TLS_ECDHE_ECDSA_WITH_AES_256_CCMY",
0xC0AE: "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8Y",
0xC0AF: "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8Y",
}
)
@Valve
Copy link

Valve commented Aug 20, 2019

This is a good technique but it's not dealing with GREASE properly (https://tools.ietf.org/html/draft-davidben-tls-grease-01)

@modasi
Copy link

modasi commented Sep 12, 2019

thank you very much~~~

@joekir
Copy link

joekir commented Jan 4, 2020

Likewise, thanks this is great!

This is a good technique but it's not dealing with GREASE properly (https://tools.ietf.org/html/draft-davidben-tls-grease-01)

TLS-GREASE tweak I made (for others that want it):

common.go

        // https://datatracker.ietf.org/doc/draft-ietf-tls-grease
	GreaseList = map[uint16]bool{
		0x0A0A: true,
		0x1A1A: true,
		0x2A2A: true,
		0x3A3A: true,
		0x4A4A: true,
		0x5A5A: true,
		0x6A6A: true,
		0x7A7A: true,
		0x8A8A: true,
		0x9A9A: true,
		0xAAAA: true,
		0xBABA: true,
		0xCACA: true,
		0xDADA: true,
		0xEAEA: true,
		0xFAFA: true,
	}

then just skip those out in client_tls_info.go

for _, suite := range helloInfo.CipherSuites {
		if isGrease := GreaseList[suite]; isGrease {
			continue
		}
...

*see this gist for the epic debate of "which is faster lookup approach"

Could also add TLS1.3 suite/curve ordinals from RFC 8446 to round it out.

@joekir
Copy link

joekir commented Jan 4, 2020

For the TLS1.3. additions

in the Suites

...
0x00ff: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",

// TLS 1.3 https://tools.ietf.org/html/rfc8446#appendix-B.4
0x1301: "TLS_AES_128_GCM_SHA256",
0x1302: "TLS_AES_256_GCM_SHA384",
0x1303: "TLS_CHACHA20_POLY1305_SHA256",
0x1304: "TLS_AES_128_CCM_SHA256",
0x1305: "TLS_AES_128_CCM_8_SHA256",

0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
...

for the curves

28: "brainpoolP512r1",

// TLS1.3 https://tools.ietf.org/html/rfc8446#section-4.2.7
29: "x25519",
30: "x448",

256:   "ffdhe2048",
257:   "ffdhe3072",

also looks like that 256: "ffdhe2048" was missing in original but was actually valid in TLS1.2 I think?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment