Last active
December 14, 2020 17:52
-
-
Save husobee/6e9f998653d66f7481da to your computer and use it in GitHub Desktop.
discovery of tls in go, and the handshake process
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "crypto/tls" | |
| "encoding/json" | |
| "fmt" | |
| "log" | |
| "net" | |
| "net/http" | |
| ) | |
| var tlsInfoChan = make(chan output) | |
| func connStateHook(c net.Conn, state http.ConnState) { | |
| if state == http.StateActive { | |
| if cc, ok := c.(*tls.Conn); ok { | |
| state := cc.ConnectionState() | |
| switch state.Version { | |
| case tls.VersionSSL30: | |
| log.Println("negotiated to Version: VersionSSL30") | |
| case tls.VersionTLS10: | |
| log.Println("negotiated to Version: VersionTLS10") | |
| case tls.VersionTLS11: | |
| log.Println("negotiated to Version: VersionTLS11") | |
| case tls.VersionTLS12: | |
| log.Println("negotiated to Version: VersionTLS12") | |
| default: | |
| log.Println("negotiated to Unknown TLS version") | |
| } | |
| } | |
| } | |
| } | |
| type output struct { | |
| SupportedSuites []string `json:"supported_suites"` | |
| SupportedCurves []string `json:"supported_curves"` | |
| SupportedPoints []string `json:"supported_points"` | |
| } | |
| func getCertificateHook(helloInfo *tls.ClientHelloInfo) (*tls.Certificate, error) { | |
| o := &output{} | |
| for _, suite := range helloInfo.CipherSuites { | |
| if v, exists := CipherSuiteMap[suite]; exists { | |
| o.SupportedSuites = append(o.SupportedSuites, v) | |
| } else { | |
| o.SupportedSuites = append(o.SupportedSuites, fmt.Sprintf("Unknown, 0x%x", suite)) | |
| } | |
| } | |
| for _, curve := range helloInfo.SupportedCurves { | |
| if v, exists := CurveMap[curve]; exists { | |
| o.SupportedCurves = append(o.SupportedCurves, v) | |
| } else { | |
| o.SupportedCurves = append(o.SupportedCurves, fmt.Sprintf("Unknown, 0x%x", curve)) | |
| } | |
| // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8 | |
| } | |
| for _, point := range helloInfo.SupportedPoints { | |
| // http://tools.ietf.org/html/rfc4492#section-5.1.2). | |
| o.SupportedPoints = append(o.SupportedPoints, fmt.Sprintf("0x%x", point)) | |
| } | |
| j, _ := json.Marshal(o) | |
| log.Println(string(j)) | |
| return nil, nil | |
| } | |
| var nilHandler http.HandlerFunc = func(w http.ResponseWriter, r *http.Request) { | |
| w.WriteHeader(204) | |
| } | |
| func main() { | |
| s := &http.Server{ | |
| Addr: ":1234", | |
| ConnState: connStateHook, | |
| Handler: nilHandler, | |
| TLSConfig: &tls.Config{ | |
| GetCertificate: getCertificateHook, | |
| }, | |
| } | |
| s.ListenAndServeTLS("cert.pem", "key.pem") | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import "crypto/tls" | |
| var ( | |
| CurveMap = map[tls.CurveID]string{ | |
| 0: "Unassigned", | |
| 1: "sect163k1Y", | |
| 2: "sect163r1Y", | |
| 3: "sect163r2Y", | |
| 4: "sect193r1Y", | |
| 5: "sect193r2Y", | |
| 6: "sect233k1Y", | |
| 7: "sect233r1Y", | |
| 8: "sect239k1Y", | |
| 9: "sect283k1Y", | |
| 10: "sect283r1Y", | |
| 11: "sect409k1Y", | |
| 12: "sect409r1Y", | |
| 13: "sect571k1Y", | |
| 14: "sect571r1Y", | |
| 15: "secp160k1Y", | |
| 16: "secp160r1Y", | |
| 17: "secp160r2Y", | |
| 18: "secp192k1Y", | |
| 19: "secp192r1Y", | |
| 20: "secp224k1Y", | |
| 21: "secp224r1Y", | |
| 22: "secp256k1Y", | |
| 23: "secp256r1Y", | |
| 24: "secp384r1Y", | |
| 25: "secp521r1Y", | |
| 26: "brainpoolP256r1Y", | |
| 27: "brainpoolP384r1Y", | |
| 28: "brainpoolP512r1Y", | |
| 257: "ffdhe3072Y", | |
| 258: "ffdhe4096Y", | |
| 259: "ffdhe6144Y", | |
| 260: "ffdhe8192Y", | |
| 65281: "arbitrary_explicit_prime_curvesY", | |
| 65282: "arbitrary_explicit_char2_curvesY", | |
| } | |
| // CipherSuiteMap - list of ciphersuites based on: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml | |
| // reserved/unknown items are excluded. | |
| CipherSuiteMap = map[uint16]string{ | |
| 0x0000: "TLS_NULL_WITH_NULL_NULLY", | |
| 0x0001: "TLS_RSA_WITH_NULL_MD5Y", | |
| 0x0002: "TLS_RSA_WITH_NULL_SHAY", | |
| 0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5N", | |
| 0x0004: "TLS_RSA_WITH_RC4_128_MD5N", | |
| 0x0005: "TLS_RSA_WITH_RC4_128_SHAN", | |
| 0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5Y", | |
| 0x0007: "TLS_RSA_WITH_IDEA_CBC_SHAY", | |
| 0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHAY", | |
| 0x0009: "TLS_RSA_WITH_DES_CBC_SHAY", | |
| 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHAY", | |
| 0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHAY", | |
| 0x000C: "TLS_DH_DSS_WITH_DES_CBC_SHAY", | |
| 0x000D: "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHAY", | |
| 0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHAY", | |
| 0x000F: "TLS_DH_RSA_WITH_DES_CBC_SHAY", | |
| 0x0010: "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHAY", | |
| 0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHAY", | |
| 0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHAY", | |
| 0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHAY", | |
| 0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHAY", | |
| 0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHAY", | |
| 0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHAY", | |
| 0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5N", | |
| 0x0018: "TLS_DH_anon_WITH_RC4_128_MD5N", | |
| 0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHAY", | |
| 0x001A: "TLS_DH_anon_WITH_DES_CBC_SHAY", | |
| 0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHAY", | |
| 0x001E: "TLS_KRB5_WITH_DES_CBC_SHAY", | |
| 0x001F: "TLS_KRB5_WITH_3DES_EDE_CBC_SHAY", | |
| 0x0020: "TLS_KRB5_WITH_RC4_128_SHAN", | |
| 0x0021: "TLS_KRB5_WITH_IDEA_CBC_SHAY", | |
| 0x0022: "TLS_KRB5_WITH_DES_CBC_MD5Y", | |
| 0x0023: "TLS_KRB5_WITH_3DES_EDE_CBC_MD5Y", | |
| 0x0024: "TLS_KRB5_WITH_RC4_128_MD5N", | |
| 0x0025: "TLS_KRB5_WITH_IDEA_CBC_MD5Y", | |
| 0x0026: "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHAY", | |
| 0x0027: "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHAY", | |
| 0x0028: "TLS_KRB5_EXPORT_WITH_RC4_40_SHAN", | |
| 0x0029: "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5Y", | |
| 0x002A: "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5Y", | |
| 0x002B: "TLS_KRB5_EXPORT_WITH_RC4_40_MD5N", | |
| 0x002C: "TLS_PSK_WITH_NULL_SHAY", | |
| 0x002D: "TLS_DHE_PSK_WITH_NULL_SHAY", | |
| 0x002E: "TLS_RSA_PSK_WITH_NULL_SHAY", | |
| 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHAY", | |
| 0x0030: "TLS_DH_DSS_WITH_AES_128_CBC_SHAY", | |
| 0x0031: "TLS_DH_RSA_WITH_AES_128_CBC_SHAY", | |
| 0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHAY", | |
| 0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHAY", | |
| 0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHAY", | |
| 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHAY", | |
| 0x0036: "TLS_DH_DSS_WITH_AES_256_CBC_SHAY", | |
| 0x0037: "TLS_DH_RSA_WITH_AES_256_CBC_SHAY", | |
| 0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHAY", | |
| 0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHAY", | |
| 0x003A: "TLS_DH_anon_WITH_AES_256_CBC_SHAY", | |
| 0x003B: "TLS_RSA_WITH_NULL_SHA256Y", | |
| 0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256Y", | |
| 0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256Y", | |
| 0x003E: "TLS_DH_DSS_WITH_AES_128_CBC_SHA256Y", | |
| 0x003F: "TLS_DH_RSA_WITH_AES_128_CBC_SHA256Y", | |
| 0x0040: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256Y", | |
| 0x0041: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHAY", | |
| 0x0042: "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHAY", | |
| 0x0043: "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHAY", | |
| 0x0044: "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHAY", | |
| 0x0045: "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHAY", | |
| 0x0046: "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHAY", | |
| 0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256Y", | |
| 0x0068: "TLS_DH_DSS_WITH_AES_256_CBC_SHA256Y", | |
| 0x0069: "TLS_DH_RSA_WITH_AES_256_CBC_SHA256Y", | |
| 0x006A: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256Y", | |
| 0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256Y", | |
| 0x006C: "TLS_DH_anon_WITH_AES_128_CBC_SHA256Y", | |
| 0x006D: "TLS_DH_anon_WITH_AES_256_CBC_SHA256Y", | |
| 0x0084: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHAY", | |
| 0x0085: "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHAY", | |
| 0x0086: "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHAY", | |
| 0x0087: "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHAY", | |
| 0x0088: "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHAY", | |
| 0x0089: "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHAY", | |
| 0x008A: "TLS_PSK_WITH_RC4_128_SHAN", | |
| 0x008B: "TLS_PSK_WITH_3DES_EDE_CBC_SHAY", | |
| 0x008C: "TLS_PSK_WITH_AES_128_CBC_SHAY", | |
| 0x008D: "TLS_PSK_WITH_AES_256_CBC_SHAY", | |
| 0x008E: "TLS_DHE_PSK_WITH_RC4_128_SHAN", | |
| 0x008F: "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHAY", | |
| 0x0090: "TLS_DHE_PSK_WITH_AES_128_CBC_SHAY", | |
| 0x0091: "TLS_DHE_PSK_WITH_AES_256_CBC_SHAY", | |
| 0x0092: "TLS_RSA_PSK_WITH_RC4_128_SHAN", | |
| 0x0093: "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHAY", | |
| 0x0094: "TLS_RSA_PSK_WITH_AES_128_CBC_SHAY", | |
| 0x0095: "TLS_RSA_PSK_WITH_AES_256_CBC_SHAY", | |
| 0x0096: "TLS_RSA_WITH_SEED_CBC_SHAY", | |
| 0x0097: "TLS_DH_DSS_WITH_SEED_CBC_SHAY", | |
| 0x0098: "TLS_DH_RSA_WITH_SEED_CBC_SHAY", | |
| 0x0099: "TLS_DHE_DSS_WITH_SEED_CBC_SHAY", | |
| 0x009A: "TLS_DHE_RSA_WITH_SEED_CBC_SHAY", | |
| 0x009B: "TLS_DH_anon_WITH_SEED_CBC_SHAY", | |
| 0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256Y", | |
| 0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384Y", | |
| 0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256Y", | |
| 0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384Y", | |
| 0x00A0: "TLS_DH_RSA_WITH_AES_128_GCM_SHA256Y", | |
| 0x00A1: "TLS_DH_RSA_WITH_AES_256_GCM_SHA384Y", | |
| 0x00A2: "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256Y", | |
| 0x00A3: "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384Y", | |
| 0x00A4: "TLS_DH_DSS_WITH_AES_128_GCM_SHA256Y", | |
| 0x00A5: "TLS_DH_DSS_WITH_AES_256_GCM_SHA384Y", | |
| 0x00A6: "TLS_DH_anon_WITH_AES_128_GCM_SHA256Y", | |
| 0x00A7: "TLS_DH_anon_WITH_AES_256_GCM_SHA384Y", | |
| 0x00A8: "TLS_PSK_WITH_AES_128_GCM_SHA256Y", | |
| 0x00A9: "TLS_PSK_WITH_AES_256_GCM_SHA384Y", | |
| 0x00AA: "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256Y", | |
| 0x00AB: "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384Y", | |
| 0x00AC: "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256Y", | |
| 0x00AD: "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384Y", | |
| 0x00AE: "TLS_PSK_WITH_AES_128_CBC_SHA256Y", | |
| 0x00AF: "TLS_PSK_WITH_AES_256_CBC_SHA384Y", | |
| 0x00B0: "TLS_PSK_WITH_NULL_SHA256Y", | |
| 0x00B1: "TLS_PSK_WITH_NULL_SHA384Y", | |
| 0x00B2: "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256Y", | |
| 0x00B3: "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384Y", | |
| 0x00B4: "TLS_DHE_PSK_WITH_NULL_SHA256Y", | |
| 0x00B5: "TLS_DHE_PSK_WITH_NULL_SHA384Y", | |
| 0x00B6: "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256Y", | |
| 0x00B7: "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384Y", | |
| 0x00B8: "TLS_RSA_PSK_WITH_NULL_SHA256Y", | |
| 0x00B9: "TLS_RSA_PSK_WITH_NULL_SHA384Y", | |
| 0x00BA: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256Y", | |
| 0x00BB: "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256Y", | |
| 0x00BC: "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256Y", | |
| 0x00BD: "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256Y", | |
| 0x00BE: "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256Y", | |
| 0x00BF: "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256Y", | |
| 0x00C0: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256Y", | |
| 0x00C1: "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256Y", | |
| 0x00C2: "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256Y", | |
| 0x00C3: "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256Y", | |
| 0x00C4: "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256Y", | |
| 0x00C5: "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256Y", | |
| 0x00ff: "TLS_EMPTY_RENEGOTIATION_INFO_SCSVY", | |
| 0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHAN", | |
| 0xC003: "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHAY", | |
| 0xC004: "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHAY", | |
| 0xC005: "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHAY", | |
| 0xC006: "TLS_ECDHE_ECDSA_WITH_NULL_SHAY", | |
| 0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHAN", | |
| 0xC008: "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHAY", | |
| 0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHAY", | |
| 0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHAY", | |
| 0xC00B: "TLS_ECDH_RSA_WITH_NULL_SHAY", | |
| 0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHAN", | |
| 0xC00D: "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHAY", | |
| 0xC00E: "TLS_ECDH_RSA_WITH_AES_128_CBC_SHAY", | |
| 0xC00F: "TLS_ECDH_RSA_WITH_AES_256_CBC_SHAY", | |
| 0xC010: "TLS_ECDHE_RSA_WITH_NULL_SHAY", | |
| 0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHAN", | |
| 0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHAY", | |
| 0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHAY", | |
| 0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHAY", | |
| 0xC015: "TLS_ECDH_anon_WITH_NULL_SHAY", | |
| 0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHAN", | |
| 0xC017: "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHAY", | |
| 0xC018: "TLS_ECDH_anon_WITH_AES_128_CBC_SHAY", | |
| 0xC019: "TLS_ECDH_anon_WITH_AES_256_CBC_SHAY", | |
| 0xC01A: "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHAY", | |
| 0xC01B: "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHAY", | |
| 0xC01C: "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHAY", | |
| 0xC01D: "TLS_SRP_SHA_WITH_AES_128_CBC_SHAY", | |
| 0xC01E: "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHAY", | |
| 0xC01F: "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHAY", | |
| 0xC020: "TLS_SRP_SHA_WITH_AES_256_CBC_SHAY", | |
| 0xC021: "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHAY", | |
| 0xC022: "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHAY", | |
| 0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256Y", | |
| 0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384Y", | |
| 0xC025: "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256Y", | |
| 0xC026: "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384Y", | |
| 0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256Y", | |
| 0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384Y", | |
| 0xC029: "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256Y", | |
| 0xC02A: "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384Y", | |
| 0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256Y", | |
| 0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384Y", | |
| 0xC02D: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256Y", | |
| 0xC02E: "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384Y", | |
| 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256Y", | |
| 0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384Y", | |
| 0xC031: "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256Y", | |
| 0xC032: "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384Y", | |
| 0xC033: "TLS_ECDHE_PSK_WITH_RC4_128_SHAN", | |
| 0xC034: "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHAY", | |
| 0xC035: "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHAY", | |
| 0xC036: "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHAY", | |
| 0xC037: "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256Y", | |
| 0xC038: "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384Y", | |
| 0xC039: "TLS_ECDHE_PSK_WITH_NULL_SHAY", | |
| 0xC03A: "TLS_ECDHE_PSK_WITH_NULL_SHA256Y", | |
| 0xC03B: "TLS_ECDHE_PSK_WITH_NULL_SHA384Y", | |
| 0xC03C: "TLS_RSA_WITH_ARIA_128_CBC_SHA256Y", | |
| 0xC03D: "TLS_RSA_WITH_ARIA_256_CBC_SHA384Y", | |
| 0xC03E: "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256Y", | |
| 0xC03F: "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384Y", | |
| 0xC040: "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256Y", | |
| 0xC041: "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384Y", | |
| 0xC042: "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256Y", | |
| 0xC043: "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384Y", | |
| 0xC044: "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256Y", | |
| 0xC045: "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384Y", | |
| 0xC046: "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256Y", | |
| 0xC047: "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384Y", | |
| 0xC048: "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256Y", | |
| 0xC049: "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384Y", | |
| 0xC04A: "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256Y", | |
| 0xC04B: "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384Y", | |
| 0xC04C: "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256Y", | |
| 0xC04D: "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384Y", | |
| 0xC04E: "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256Y", | |
| 0xC04F: "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384Y", | |
| 0xC050: "TLS_RSA_WITH_ARIA_128_GCM_SHA256Y", | |
| 0xC051: "TLS_RSA_WITH_ARIA_256_GCM_SHA384Y", | |
| 0xC052: "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256Y", | |
| 0xC053: "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384Y", | |
| 0xC054: "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256Y", | |
| 0xC055: "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384Y", | |
| 0xC056: "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256Y", | |
| 0xC057: "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384Y", | |
| 0xC058: "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256Y", | |
| 0xC059: "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384Y", | |
| 0xC05A: "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256Y", | |
| 0xC05B: "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384Y", | |
| 0xC05C: "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256Y", | |
| 0xC05D: "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384Y", | |
| 0xC05E: "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256Y", | |
| 0xC05F: "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384Y", | |
| 0xC060: "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256Y", | |
| 0xC061: "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384Y", | |
| 0xC062: "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256Y", | |
| 0xC063: "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384Y", | |
| 0xC064: "TLS_PSK_WITH_ARIA_128_CBC_SHA256Y", | |
| 0xC065: "TLS_PSK_WITH_ARIA_256_CBC_SHA384Y", | |
| 0xC066: "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256Y", | |
| 0xC067: "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384Y", | |
| 0xC068: "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256Y", | |
| 0xC069: "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384Y", | |
| 0xC06A: "TLS_PSK_WITH_ARIA_128_GCM_SHA256Y", | |
| 0xC06B: "TLS_PSK_WITH_ARIA_256_GCM_SHA384Y", | |
| 0xC06C: "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256Y", | |
| 0xC06D: "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384Y", | |
| 0xC06E: "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256Y", | |
| 0xC06F: "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384Y", | |
| 0xC070: "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256Y", | |
| 0xC071: "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384Y", | |
| 0xC072: "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256Y", | |
| 0xC073: "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384Y", | |
| 0xC074: "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256Y", | |
| 0xC075: "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384Y", | |
| 0xC076: "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256Y", | |
| 0xC077: "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384Y", | |
| 0xC078: "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256Y", | |
| 0xC079: "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384Y", | |
| 0xC07A: "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256Y", | |
| 0xC07B: "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384Y", | |
| 0xC07C: "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256Y", | |
| 0xC07D: "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384Y", | |
| 0xC07E: "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256Y", | |
| 0xC07F: "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384Y", | |
| 0xC080: "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256Y", | |
| 0xC081: "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384Y", | |
| 0xC082: "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256Y", | |
| 0xC083: "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384Y", | |
| 0xC084: "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256Y", | |
| 0xC085: "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384Y", | |
| 0xC086: "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256Y", | |
| 0xC087: "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384Y", | |
| 0xC088: "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256Y", | |
| 0xC089: "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384Y", | |
| 0xC08A: "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256Y", | |
| 0xC08B: "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384Y", | |
| 0xC08C: "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256Y", | |
| 0xC08D: "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384Y", | |
| 0xC08E: "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256Y", | |
| 0xC08F: "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384Y", | |
| 0xC090: "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256Y", | |
| 0xC091: "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384Y", | |
| 0xC092: "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256Y", | |
| 0xC093: "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384Y", | |
| 0xC094: "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256Y", | |
| 0xC095: "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384Y", | |
| 0xC096: "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256Y", | |
| 0xC097: "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384Y", | |
| 0xC098: "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256Y", | |
| 0xC099: "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384Y", | |
| 0xC09A: "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256Y", | |
| 0xC09B: "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384Y", | |
| 0xC09C: "TLS_RSA_WITH_AES_128_CCMY", | |
| 0xC09D: "TLS_RSA_WITH_AES_256_CCMY", | |
| 0xC09E: "TLS_DHE_RSA_WITH_AES_128_CCMY", | |
| 0xC09F: "TLS_DHE_RSA_WITH_AES_256_CCMY", | |
| 0xC0A0: "TLS_RSA_WITH_AES_128_CCM_8Y", | |
| 0xC0A1: "TLS_RSA_WITH_AES_256_CCM_8Y", | |
| 0xC0A2: "TLS_DHE_RSA_WITH_AES_128_CCM_8Y", | |
| 0xC0A3: "TLS_DHE_RSA_WITH_AES_256_CCM_8Y", | |
| 0xC0A4: "TLS_PSK_WITH_AES_128_CCMY", | |
| 0xC0A5: "TLS_PSK_WITH_AES_256_CCMY", | |
| 0xC0A6: "TLS_DHE_PSK_WITH_AES_128_CCMY", | |
| 0xC0A7: "TLS_DHE_PSK_WITH_AES_256_CCMY", | |
| 0xC0A8: "TLS_PSK_WITH_AES_128_CCM_8Y", | |
| 0xC0A9: "TLS_PSK_WITH_AES_256_CCM_8Y", | |
| 0xC0AA: "TLS_PSK_DHE_WITH_AES_128_CCM_8Y", | |
| 0xC0AB: "TLS_PSK_DHE_WITH_AES_256_CCM_8Y", | |
| 0xC0AC: "TLS_ECDHE_ECDSA_WITH_AES_128_CCMY", | |
| 0xC0AD: "TLS_ECDHE_ECDSA_WITH_AES_256_CCMY", | |
| 0xC0AE: "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8Y", | |
| 0xC0AF: "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8Y", | |
| } | |
| ) |
thank you very much~~~
Likewise, thanks this is great!
This is a good technique but it's not dealing with GREASE properly (https://tools.ietf.org/html/draft-davidben-tls-grease-01)
TLS-GREASE tweak I made (for others that want it):
common.go
// https://datatracker.ietf.org/doc/draft-ietf-tls-grease
GreaseList = map[uint16]bool{
0x0A0A: true,
0x1A1A: true,
0x2A2A: true,
0x3A3A: true,
0x4A4A: true,
0x5A5A: true,
0x6A6A: true,
0x7A7A: true,
0x8A8A: true,
0x9A9A: true,
0xAAAA: true,
0xBABA: true,
0xCACA: true,
0xDADA: true,
0xEAEA: true,
0xFAFA: true,
}
then just skip those out in client_tls_info.go
for _, suite := range helloInfo.CipherSuites {
if isGrease := GreaseList[suite]; isGrease {
continue
}
...
*see this gist for the epic debate of "which is faster lookup approach"
Could also add TLS1.3 suite/curve ordinals from RFC 8446 to round it out.
For the TLS1.3. additions
in the Suites
...
0x00ff: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
// TLS 1.3 https://tools.ietf.org/html/rfc8446#appendix-B.4
0x1301: "TLS_AES_128_GCM_SHA256",
0x1302: "TLS_AES_256_GCM_SHA384",
0x1303: "TLS_CHACHA20_POLY1305_SHA256",
0x1304: "TLS_AES_128_CCM_SHA256",
0x1305: "TLS_AES_128_CCM_8_SHA256",
0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
...
for the curves
28: "brainpoolP512r1",
// TLS1.3 https://tools.ietf.org/html/rfc8446#section-4.2.7
29: "x25519",
30: "x448",
256: "ffdhe2048",
257: "ffdhe3072",
also looks like that 256: "ffdhe2048" was missing in original but was actually valid in TLS1.2 I think?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is a good technique but it's not dealing with GREASE properly (https://tools.ietf.org/html/draft-davidben-tls-grease-01)