Re: [TLS] TLS 1.2 test clients?

Simon Josefsson <simon@josefsson.org> Mon, 31 January 2011 19:18 UTC

Paul Hoffman <paul.hoffman@vpnc.org> writes:

> Greetings again. I would like to test how servers react to a TLS
> client that only does TLS 1.2. There are two browsers that can be put
> into this state (IE under Win 7, and Opera), but neither gives very
> good diagnostics when a failure occurs. Further, Wireshark doesn't
> give good dumps for TLS 1.2.
>
> Thus, if anyone here has a TLS 1.2 client that has reasonable
> debugging of the TLS handshake and can do trivial HTTP (just send a
> "GET /" and receive the response would be fine) after setting up a
> tunnel, I'd greatly appreciate it. Also, if anyone has a Wireshark
> plugin (?) that brings its TLS decoding up to 1.2, that would be great
> as well.

GnuTLS's gnutls-cli can act as a simple TLS 1.2 client; see the transcript
below.

/Simon

jas@latte:~$ gnutls-cli -p 443 www.mikestoolbox.net --priority NORMAL:-VERS-SSL3.0:-VERS-TLS1.1:-VERS-TLS1.0 
Resolving 'www.mikestoolbox.net'...
Connecting to '24.234.114.35:443'...
- Successfully sent 0 certificate(s) to server.
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1024 bits
- Server has requested a certificate.
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - subject `C=US,O=Mike's Toolbox,CN=www.mikestoolbox.net', issuer `C=US,O=Mike's Toolbox,CN=Mike's Toolbox Test CA', RSA key 1024 bits, signed using RSA-SHA256, activated `2010-03-05 21:19:00 UTC', expires `2011-03-05 21:19:00 UTC', SHA-1 fingerprint `d250a3f337064b63c8288c6a5bb540af3c44be97'
 - Certificate[1] info:
  - subject `C=US,O=Mike's Toolbox,CN=Mike's Toolbox Test CA', issuer `C=US,O=Mike's Toolbox,CN=Mike's Toolbox Test CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2010-03-05 21:18:59 UTC', expires `2012-03-05 21:18:59 UTC', SHA-1 fingerprint `0e4fa65463bb38397bc24cc3259a803554963c79'
- The hostname in the certificate matches 'www.mikestoolbox.net'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA256
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

GET / HTTP/1.0

HTTP/1.0 200 Ok
Date: Mon, 31 Jan 2011 19:19:23 GMT
Server: Mike's-Toolbox-Custom-Web-Server/3.7+3.2i
Content-Type: text/plain; charset=utf-8
Content-Length: 4458

******************************************************************
*** Mike's Toolbox Enhanced Multi-Threaded SSL/TLS Test Server ***
***                                                            ***
***               https://www.mikestoolbox.net/                ***
***               https://www.mikestoolbox.org/                ***
***                                                            ***
*** Mike's Toolbox contact info:                               ***
***                                                            ***
***             EMAIL:    mikestoolbox@pobox.com               ***
***             WEB:      http://mikestoolbox.com/             ***
***             TWITTER:  @mikestoolbox                        ***
***                                                            ***
*** Copyright (c) 2010 Michael D'Errico, All Rights Reserved   ***
******************************************************************

Connection from:        [80.216.4.108]
Current time:           Mon, 31 Jan 2011 19:19:20 GMT
TLS negotiation time:   0.57711601 seconds

Client Version:         TLS 1.2
Client Random:          4D470B37F2873BC83EF553A79937F35A8F9E9EFB63FAC0B60D0A383B9131D738
Client Random Time:     Mon, 31 Jan 2011 19:19:19 GMT
Client Session ID:      
Client Cipher Suites:   0067  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
                        0033  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
                        0045  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
                        006B  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
                        0039  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
                        0088  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
                        0016  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
                        0040  TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
                        0032  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
                        0044  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
                        006A  TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
                        0038  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
                        0087  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
                        0013  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
                        0066  TLS_DHE_DSS_WITH_RC4_128_SHA
                        0090  TLS_DHE_PSK_WITH_AES_128_CBC_SHA
                        0091  TLS_DHE_PSK_WITH_AES_256_CBC_SHA
                        008F  TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
                        008E  TLS_DHE_PSK_WITH_RC4_128_SHA
                        003C  TLS_RSA_WITH_AES_128_CBC_SHA256
                        002F  TLS_RSA_WITH_AES_128_CBC_SHA
                        0041  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
                        003D  TLS_RSA_WITH_AES_256_CBC_SHA256
                        0035  TLS_RSA_WITH_AES_256_CBC_SHA
                        0084  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
                        000A  TLS_RSA_WITH_3DES_EDE_CBC_SHA
                        0005  TLS_RSA_WITH_RC4_128_SHA
                        008C  TLS_PSK_WITH_AES_128_CBC_SHA
                        008D  TLS_PSK_WITH_AES_256_CBC_SHA
                        008B  TLS_PSK_WITH_3DES_EDE_CBC_SHA
                        008A  TLS_PSK_WITH_RC4_128_SHA
Client Compression:     0     NULL

Server Version:         TLS 1.2
Server Random:          4D470B37F8BCDF0D263BC2415288665A08E162FD0519E210C14DC2000925D03B
Server Random Time:     Mon, 31 Jan 2011 19:19:19 GMT
Server Session ID:      
Server Cipher Suite:    0067  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Server Compression:     0     NULL

Client Extensions
-----------------
Server Name Indication: www.mikestoolbox.net
Max Fragment Length:    16384 bytes
Truncated HMAC:         No
Signature Algorithms:   RSA/SHA-1, DSA/SHA-1, RSA/SHA-256, RSA/SHA-384,
                        RSA/SHA-512
Session Ticket:         Empty
Renegotiation Info:     Empty

Server Extensions
-----------------
Server Name Chosen:     www.mikestoolbox.net
Max Fragment Length:    16384 bytes
Truncated HMAC:         No
Session Ticket:         264 Bytes
Renegotiation Info:     Empty

Security Parameters
-------------------
Client Finished:        0A6A46A0084820AD52F0A3A1
Server Finished:        3C1812F90DCC36207D610831
Master Secret:          A09D0E9AAA1F752776E6DA6C578220671B87CB5A28773575\
                        7EF13C5C658878D35B74C2329D8CA583155FC906E6E0B458

Handshake Details
-----------------
Bytes Sent:             2615
Bytes Received:         325

- Peer has closed the GnuTLS connection
jas@latte:~$
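
Added example, not part of the original message and not GnuTLS code: a TLS 1.2-only client built with Python's ssl module that captures its own ClientHello in memory and decodes the fields the test server reports above (client version, offered cipher suites, extension types). The function names and the host name www.example.test are assumptions made for the illustration; no network connection is opened.

```python
import ssl
import struct

TLS12 = 0x0303  # wire value for TLS 1.2

def tls12_only_context():
    """Client context that offers TLS 1.2 and nothing else."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def capture_client_hello(ctx, server_name):
    """Start a handshake against memory buffers and return the first flight."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()

def parse_client_hello(data):
    """Decode the fields a test server would report for this ClientHello."""
    ctype, _rec_version, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if ctype != 22 or len(body) < rec_len or body[0] != 1:
        raise ValueError("not a complete ClientHello record")
    pos = 4                                   # skip handshake type + 24-bit length
    (version,) = struct.unpack_from("!H", body, pos)
    pos += 2 + 32                             # version, then 32-byte client random
    pos += 1 + body[pos]                      # session id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    suites = list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos))
    pos += cs_len
    pos += 1 + body[pos]                      # compression methods
    extensions = []
    if pos < len(body):
        (ext_total,) = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            extensions.append(ext_type)
            pos += 4 + ext_len
    return {"version": version, "cipher_suites": suites, "extensions": extensions}

if __name__ == "__main__":
    # www.example.test is a constructed name, used only for the SNI extension.
    hello = parse_client_hello(capture_client_hello(tls12_only_context(), "www.example.test"))
    print("Client Version: %04X" % hello["version"])
    print("Cipher suites: ", " ".join("%04X" % s for s in hello["cipher_suites"]))
    print("Extensions:    ", hello["extensions"])
```

The suite codes it prints can be read against the "Client Cipher Suites" table in the transcript; extension type 0 is Server Name Indication.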