Skip to content

Instantly share code, notes, and snippets.

@jordansissel

jordansissel/data.md

Last active August 29, 2015 14:09
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save jordansissel/8e4d6786638ead737cb5 to your computer and use it in GitHub Desktop.
Save jordansissel/8e4d6786638ead737cb5 to your computer and use it in GitHub Desktop.
Download ZIP
SSL/TLS. JRuby, BouncyCastle, OpenSSL, MRI. Fun.
Raw
data.md

Try openssl ciphers in ruby 2.1.4 on google.com

% openssl ciphers | tr : '\n'| rvm 2.1.4 do ruby -an -rsocket -ropenssl -e 'cipher = $_.chomp; begin; x = TCPSocket.new("google.com", 443); c = OpenSSL::SSL::SSLContext.new; c.ciphers = cipher; o = OpenSSL::SSL::SSLSocket.new(x, c); o.connect; o.close; puts "OK #{cipher}"; rescue => e; puts "FAIL #{cipher} - #{e}"; end' | sort
FAIL DES-CBC-MD5 - SSL_CTX_set_cipher_list: no cipher match
FAIL DES-CBC-SHA - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL DES-CBC3-MD5 - SSL_CTX_set_cipher_list: no cipher match
FAIL DHE-DSS-AES128-SHA - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL DHE-DSS-AES256-SHA - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL DHE-DSS-SEED-SHA - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL DHE-RSA-AES128-SHA - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL DHE-RSA-AES256-SHA - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL DHE-RSA-SEED-SHA - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL EDH-DSS-DES-CBC-SHA - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL EDH-DSS-DES-CBC3-SHA - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL EDH-RSA-DES-CBC-SHA - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL EDH-RSA-DES-CBC3-SHA - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL EXP-DES-CBC-SHA - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL EXP-EDH-DSS-DES-CBC-SHA - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL EXP-EDH-RSA-DES-CBC-SHA - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL EXP-RC2-CBC-MD5 - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL EXP-RC2-CBC-MD5 - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL EXP-RC4-MD5 - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL EXP-RC4-MD5 - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
FAIL RC2-CBC-MD5 - SSL_CTX_set_cipher_list: no cipher match
FAIL SEED-SHA - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
OK AES128-SHA
OK AES256-SHA
OK DES-CBC3-SHA
OK RC4-MD5
OK RC4-MD5
OK RC4-SHA

Try same against JRuby 1.7.16.1

% openssl ciphers | tr : '\n'| rvm 1.7.16.1 do ruby -an -rsocket -ropenssl -e 'cipher = $_.chomp; begin; x = TCPSocket.new("google.com", 443); c = OpenSSL::SSL::SSLContext.new; c.ciphers = cipher; o = OpenSSL::SSL::SSLSocket.new(x, c); o.connect; o.close; puts "OK #{cipher}"; rescue => e; puts "FAIL #{cipher} - #{e}"; end' | sort                               FAIL AES128-SHA - no cipher match
FAIL AES256-SHA - no cipher match
FAIL DES-CBC-MD5 - no cipher match
FAIL DES-CBC-SHA - no cipher match
FAIL DES-CBC3-MD5 - no cipher match
FAIL DES-CBC3-SHA - no cipher match
FAIL DHE-DSS-AES128-SHA - no cipher match
FAIL DHE-DSS-AES256-SHA - no cipher match
FAIL DHE-DSS-SEED-SHA - no cipher match
FAIL DHE-RSA-AES128-SHA - no cipher match
FAIL DHE-RSA-AES256-SHA - no cipher match
FAIL DHE-RSA-SEED-SHA - no cipher match
FAIL EDH-DSS-DES-CBC-SHA - no cipher match
FAIL EDH-DSS-DES-CBC3-SHA - no cipher match
FAIL EDH-RSA-DES-CBC-SHA - no cipher match
FAIL EDH-RSA-DES-CBC3-SHA - no cipher match
FAIL EXP-DES-CBC-SHA - no cipher match
FAIL EXP-EDH-DSS-DES-CBC-SHA - no cipher match
FAIL EXP-EDH-RSA-DES-CBC-SHA - no cipher match
FAIL EXP-RC2-CBC-MD5 - no cipher match
FAIL EXP-RC2-CBC-MD5 - no cipher match
FAIL EXP-RC4-MD5 - no cipher match
FAIL EXP-RC4-MD5 - no cipher match
FAIL RC2-CBC-MD5 - no cipher match
FAIL RC4-MD5 - no cipher match
FAIL RC4-MD5 - no cipher match
FAIL RC4-SHA - no cipher match
FAIL SEED-SHA - no cipher match

Try all JRuby/BouncyCastle ciphers

Something is wrong with JRuby's SSLContext#ciphers= as you can see, maybe? Asking for a list of default ciphers, then trying to specifically set one of them. All of them fail in #ciphers= with "no cipher match"

% rvm 1.7.16.1 do ruby -rsocket -ropenssl -e '_ = OpenSSL::SSL::SSLContext.new; _.ciphers = "ALL"; ciphers = _.ciphers.map(&:first); ciphers.each do |cipher| begin; x = TCPSocket.ne
w("google.com", 443); c = OpenSSL::SSL::SSLContext.new; c.ssl_version = :TLSv1; c.ciphers = cipher; o = OpenSSL::SSL::SSLSocket.new(x, c); o.connect; o.close; puts "OK #{cipher}"; r
escue => e; puts "FAIL #{cipher} - #{e}"; end; end' | sort
FAIL ADH-AES128-SHA - no cipher match
FAIL ADH-DES-CBC-SHA - no cipher match
FAIL ADH-DES-CBC3-SHA - no cipher match
FAIL ADH-RC4-MD5 - no cipher match
FAIL AES128-SHA - no cipher match
FAIL DES-CBC-SHA - no cipher match
FAIL DES-CBC3-SHA - no cipher match
FAIL DHE-DSS-AES128-SHA - no cipher match
FAIL DHE-RSA-AES128-SHA - no cipher match
FAIL EDH-DSS-DES-CBC3-SHA - no cipher match
FAIL EDH-RSA-DES-CBC-SHA - no cipher match
FAIL EDH-RSA-DES-CBC3-SHA - no cipher match
FAIL EXP-ADH-DES-CBC-SHA - no cipher match
FAIL EXP-ADH-RC4-MD5 - no cipher match
FAIL EXP-DES-CBC-SHA - no cipher match
FAIL EXP-EDH-DSS-DES-CBC-SHA - no cipher match
FAIL EXP-EDH-RSA-DES-CBC-SHA - no cipher match
FAIL EXP-RC4-MD5 - no cipher match
FAIL RC4-MD5 - no cipher match
FAIL RC4-SHA - no cipher match

JRuby: Try all OpenSSL ciphers?

Of 140 ciphers, only 2 succeed for setting in ssl context? I'm confused.

[17] pry(main)> OpenSSL::Cipher.ciphers.count
=> 140
[18] pry(main)> OpenSSL::Cipher.ciphers.each { |cipher| begin; OpenSSL::SSL::SSLContext.new.ciphers = cipher ; puts "OK #{cipher}"; rescue => e; end }; nil
OK DES
OK RC4

Everything else fails.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment