Comparing SSL/TLS ciphersuites for PHP 5.5, cURL and Mozilla
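<?php
/**
 * Compare the SSL/TLS cipher suite lists used by PHP 5.5, cURL and Mozilla.
 *
 * Each OpenSSL cipher string is expanded with `openssl ciphers -v`, the expanded
 * lists are written to ./default-ciphers.txt, ./curl-ciphers.txt and
 * ./mozilla-ciphers.txt, and the set differences are echoed and written to
 * ./results.txt. The cipher strings are hardcoded and date to 01 February 2014.
 *
 * The differences are restrictions, e.g. "Mozilla from DEFAULT" lists the suites
 * that OpenSSL's DEFAULT offers and Mozilla's string does not. Because a set
 * difference is one-directional, a fourth section also shows what cURL excludes
 * but Mozilla still allows; without it the RC4 suites kept by Mozilla's 2014
 * list (and banned by cURL's `!RC4`) would never appear in the output.
 *
 * Reading the output: the "SSLv3" column printed by `openssl ciphers -v` is the
 * protocol version in which the suite was first defined, not the only version
 * it negotiates under — these suites are also offered in TLS 1.0-1.2.
 *
 * Results depend on the OpenSSL build behind the `openssl` binary on PATH, and
 * on the PHP version: PHP 5.5 passes OpenSSL's DEFAULT string unchanged, while
 * later PHP releases ship their own default cipher list. The sample output in
 * the trailing comment was produced in 2014 and will differ on current builds,
 * where RC4, 3DES and SSLv3 are disabled or removed.
 */
$default_ciphers = "DEFAULT"; // PHP 5.5 uses OpenSSL's DEFAULT cipher string
$curl_ciphers = "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"; // cURL adopted Jan. 2014
$mozilla_ciphers = implode(':', array( // https://wiki.mozilla.org/Security/Server_Side_TLS (Jan. 2014 revision)
    'ECDHE-RSA-AES128-GCM-SHA256',
    'ECDHE-ECDSA-AES128-GCM-SHA256',
    'ECDHE-RSA-AES256-GCM-SHA384',
    'ECDHE-ECDSA-AES256-GCM-SHA384',
    'DHE-RSA-AES128-GCM-SHA256',
    'DHE-DSS-AES128-GCM-SHA256',
    'kEDH+AESGCM',
    'ECDHE-RSA-AES128-SHA256',
    'ECDHE-ECDSA-AES128-SHA256',
    'ECDHE-RSA-AES128-SHA',
    'ECDHE-ECDSA-AES128-SHA',
    'ECDHE-RSA-AES256-SHA384',
    'ECDHE-ECDSA-AES256-SHA384',
    'ECDHE-RSA-AES256-SHA',
    'ECDHE-ECDSA-AES256-SHA',
    'DHE-RSA-AES128-SHA256',
    'DHE-RSA-AES128-SHA',
    'DHE-DSS-AES128-SHA256',
    'DHE-RSA-AES256-SHA256',
    'DHE-DSS-AES256-SHA',
    'DHE-RSA-AES256-SHA',
    'AES128-GCM-SHA256',
    'AES256-GCM-SHA384',
    'ECDHE-RSA-RC4-SHA', // RC4 fallback kept by the 2014 list; prohibited for TLS by RFC 7465 (2015)
    'ECDHE-ECDSA-RC4-SHA',
    'AES128',
    'AES256',
    'RC4-SHA',
    'HIGH',
    '!aNULL',
    '!eNULL',
    '!EXPORT',
    '!DES',
    '!3DES',
    '!MD5',
    '!PSK'
));

/**
 * Pad whitespace-separated columns to a common width, as `column -t` did.
 *
 * Done in PHP so the openssl exit status is not masked by a pipeline (the
 * status of `a | b` is that of `b`) and so `column` is not a dependency.
 *
 * @param string[] $lines raw output lines; blank lines are dropped
 * @return string[] the same lines with two-space-separated, padded columns
 */
function align_columns(array $lines)
{
    $rows = array();
    $widths = array();
    foreach ($lines as $line) {
        if (trim($line) === '') {
            continue;
        }
        $cells = preg_split('/\s+/', trim($line));
        foreach ($cells as $i => $cell) {
            $widths[$i] = max(isset($widths[$i]) ? $widths[$i] : 0, strlen($cell));
        }
        $rows[] = $cells;
    }
    $aligned = array();
    foreach ($rows as $cells) {
        $padded = array();
        foreach ($cells as $i => $cell) {
            $padded[] = str_pad($cell, $widths[$i]);
        }
        $aligned[] = rtrim(implode('  ', $padded));
    }
    return $aligned;
}

/**
 * Expand an OpenSSL cipher string with `openssl ciphers -v`.
 *
 * The string is passed through escapeshellarg() — the inputs here are
 * hardcoded, so this is defensive rather than fixing a live injection — and
 * the exit status is checked. An unparseable cipher string makes openssl
 * print an error and exit non-zero; the original `| column -t` pipeline
 * discarded that status, so a typo silently produced an empty list and
 * every "difference" became meaningless. Terminates the script on failure.
 *
 * @param string $cipher_string OpenSSL cipher list, e.g. "DEFAULT"
 * @return string[] one aligned, verbose description line per cipher suite
 */
function expand_ciphers($cipher_string)
{
    $output = array();
    $status = 1;
    exec('openssl ciphers -v ' . escapeshellarg($cipher_string) . ' 2>&1', $output, $status);
    if ($status !== 0) {
        fwrite(STDERR, "openssl ciphers failed for '$cipher_string' (exit $status):\n"
            . implode("\n", $output) . "\n");
        exit(1);
    }
    return align_columns($output);
}

/**
 * Return the cipher suite name (first column) of a verbose openssl line.
 *
 * @param string $line one line of `openssl ciphers -v` output
 * @return string
 */
function suite_name($line)
{
    $columns = preg_split('/\s+/', trim($line));
    return $columns[0];
}

/**
 * Lines of $superset whose cipher suite does not occur in $subset.
 *
 * Keying on the suite name rather than the whole line keeps the comparison
 * independent of column padding, which can differ between two lists when
 * their widest entries differ — a plain array_diff() on padded lines would
 * then report suites that are in fact present in both.
 *
 * @param string[] $superset aligned lines of the larger list
 * @param string[] $subset   aligned lines of the more restrictive list
 * @return string[] lines from $superset, in their original order
 */
function ciphers_removed(array $superset, array $subset)
{
    $kept = array();
    foreach ($subset as $line) {
        $kept[suite_name($line)] = true;
    }
    $removed = array();
    foreach ($superset as $line) {
        if (!isset($kept[suite_name($line)])) {
            $removed[] = $line;
        }
    }
    return $removed;
}

$default = expand_ciphers($default_ciphers);
$curl = expand_ciphers($curl_ciphers);
$mozilla = expand_ciphers($mozilla_ciphers);
file_put_contents('./default-ciphers.txt', implode("\n", $default));
file_put_contents('./curl-ciphers.txt', implode("\n", $curl));
file_put_contents('./mozilla-ciphers.txt', implode("\n", $mozilla));

$result = 'Difference of cURL from default:' . "\n\n";
$result .= implode("\n", ciphers_removed($default, $curl)) . "\n\n";
$result .= 'Difference of Mozilla from default:' . "\n\n";
$result .= implode("\n", ciphers_removed($default, $mozilla)) . "\n\n";
$result .= 'Difference of Mozilla from cURL:' . "\n\n";
$result .= implode("\n", ciphers_removed($curl, $mozilla)) . "\n\n";
// Reverse direction: suites Mozilla's string still allows but cURL's excludes
// (in 2014 this is the RC4 set), otherwise invisible in the three diffs above.
$result .= 'Difference of cURL from Mozilla (allowed by Mozilla, excluded by cURL):' . "\n\n";
$result .= implode("\n", ciphers_removed($mozilla, $curl)) . "\n\n";
echo $result;
file_put_contents("./results.txt", $result);

/**
 * PHP: PHP 5.5.8-3+sury.org~saucy+2 (cli) (built: Jan 29 2014 13:27:56)
 *
 * Sample results (2014; the fourth section added above is not included):
Difference of cURL from default:
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
ECDH-RSA-RC4-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128) Mac=SHA1
ECDH-ECDSA-RC4-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Difference of Mozilla from default:
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=3DES(168) Mac=SHA1
SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
ECDH-RSA-RC4-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128) Mac=SHA1
ECDH-ECDSA-RC4-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Difference of Mozilla from cURL:
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=3DES(168) Mac=SHA1
SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
 * Conclusion: by count Mozilla's list is more restrictive and removes an additional
 * 15 ciphers over cURL (3DES, SEED, PSK and SRP suites). The comparison is not a
 * strict ordering though: the first section shows cURL removing ECDHE-RSA-RC4-SHA,
 * ECDHE-ECDSA-RC4-SHA and RC4-SHA from DEFAULT, and the second shows Mozilla
 * keeping them, so Mozilla's 2014 list still permits RC4 (since prohibited for
 * TLS by RFC 7465). If you examine the result files, Mozilla also has ciphers
 * ordered to favour Perfect Forward Secrecy and favours AES 128 over AES 256: see
 * https://briansmith.org/browser-ciphersuites-01.html.
 */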