Home > Uncategorized > Determine what version of #TLS your code is using.

Determine what version of #TLS your code is using.

 

1_ibqd7KX_cmoaUmlidifNbA

If your code connects to a HTTPS web service, it’s possible that you are still not being fully secure. The thing is – HTTPS comes in a few different “Flavours”, or specifically TLS versions.

If you connect to a HTTPS service, but use an old TLS version, then you’re not being as secure as you could be.

However, if the HTTPS endpoint doesn’t complain about your TLS version, it’s often pretty hard to see exactly what TLS version you are using, and the last thing you want is to break open WireShark and try and pick apart the packets to see.

That’s where this handy API from Jeff Hodges comes in, at https://www.howsmyssl.com/a/check

If you make a call from C#, you may see a result like this

{
“given_cipher_suites”: [
“TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA”,
“TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA”,
“TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA”,
“TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA”,
“TLS_RSA_WITH_AES_256_CBC_SHA”,
“TLS_RSA_WITH_AES_128_CBC_SHA”,
“TLS_RSA_WITH_3DES_EDE_CBC_SHA”,
“TLS_RSA_WITH_RC4_128_SHA”,
“TLS_RSA_WITH_RC4_128_MD5”
],
“ephemeral_keys_supported”: true,
“session_ticket_supported”: true,
“tls_compression_supported”: false,
“unknown_cipher_suite_supported”: false,
“beast_vuln”: false,
“able_to_detect_n_minus_one_splitting”: true,
“insecure_cipher_suites”: {
“TLS_RSA_WITH_3DES_EDE_CBC_SHA”: [
“uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order”
],
“TLS_RSA_WITH_RC4_128_MD5”: [
“uses RC4 which has insecure biases in its output”
],
“TLS_RSA_WITH_RC4_128_SHA”: [
“uses RC4 which has insecure biases in its output”
]
},
“tls_version”: “TLS 1.0”,
“rating”: “Bad”
}

You can see, I get a “Bad” rating here, because I’m using TLS 1.0, and some obsolete cyphers.

I put in the following line to use TLS 1.2:

ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

And received;

{
“given_cipher_suites”: [
“TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384”,
“TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256”,
“TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384”,
“TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256”,
“TLS_DHE_RSA_WITH_AES_256_GCM_SHA384”,
“TLS_DHE_RSA_WITH_AES_128_GCM_SHA256”,
“TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384”,
“TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256”,
“TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384”,
“TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256”,
“TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA”,
“TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA”,
“TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA”,
“TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA”,
“TLS_RSA_WITH_AES_256_GCM_SHA384”,
“TLS_RSA_WITH_AES_128_GCM_SHA256”,
“TLS_RSA_WITH_AES_256_CBC_SHA256”,
“TLS_RSA_WITH_AES_128_CBC_SHA256”,
“TLS_RSA_WITH_AES_256_CBC_SHA”,
“TLS_RSA_WITH_AES_128_CBC_SHA”,
“TLS_RSA_WITH_3DES_EDE_CBC_SHA”,
“TLS_RSA_WITH_RC4_128_SHA”,
“TLS_RSA_WITH_RC4_128_MD5”
],
“ephemeral_keys_supported”: true,
“session_ticket_supported”: true,
“tls_compression_supported”: false,
“unknown_cipher_suite_supported”: false,
“beast_vuln”: false,
“able_to_detect_n_minus_one_splitting”: false,
“insecure_cipher_suites”: {
“TLS_RSA_WITH_3DES_EDE_CBC_SHA”: [
“uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order”
],
“TLS_RSA_WITH_RC4_128_MD5”: [
“uses RC4 which has insecure biases in its output”
],
“TLS_RSA_WITH_RC4_128_SHA”: [
“uses RC4 which has insecure biases in its output”
]
},
“tls_version”: “TLS 1.2”,
“rating”: “Bad”
}

Still using some old Cyphers, but at least using TLS 1.2 now.

If you see the same API when called from Chome, you see:

 
“given_cipher_suites”: 
“TLS_GREASE_IS_THE_WORD_AA”,
“TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256”,
“TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256”,
“TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384”,
“TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384”,
“TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256”,
“TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256”,
“TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA”,
“TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA”,
“TLS_RSA_WITH_AES_128_GCM_SHA256”,
“TLS_RSA_WITH_AES_256_GCM_SHA384”,
“TLS_RSA_WITH_AES_128_CBC_SHA”,
“TLS_RSA_WITH_AES_256_CBC_SHA”,
“TLS_RSA_WITH_3DES_EDE_CBC_SHA”
],
“ephemeral_keys_supported”:true,
“session_ticket_supported”:true,
“tls_compression_supported”:false,
“unknown_cipher_suite_supported”:false,
“beast_vuln”:false,
“able_to_detect_n_minus_one_splitting”:false,
“insecure_cipher_suites”: 

},
“tls_version”:“TLS 1.2”,
“rating”:“Probably Okay”
}

Interestingly, you can also use this to see issues with Search Engine Spider bots, – look at the report from Yandex (Russian Search Engine)

Given Cipher Suites

The cipher suites your client said it supports, in the order it sent them, are:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_DH_DSS_WITH_AES_256_GCM_SHA384
  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
  • TLS_DH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DH_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DH_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DH_RSA_WITH_AES_256_CBC_SHA
  • TLS_DH_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_DH_DSS_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  • TLS_DH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DH_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DH_RSA_WITH_AES_128_CBC_SHA
  • TLS_DH_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_SEED_CBC_SHA
  • TLS_DHE_DSS_WITH_SEED_CBC_SHA
  • TLS_DH_RSA_WITH_SEED_CBC_SHA
  • TLS_DH_DSS_WITH_SEED_CBC_SHA
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_SEED_CBC_SHA
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  • TLS_RSA_WITH_IDEA_CBC_SHA
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDH_RSA_WITH_RC4_128_SHA
  • TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Advertisements
Categories: Uncategorized
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: