Updated SSL analyzer and Bro script with lots of new ciphers.

Seth Hall 2010-10-26 16:41:15 -04:00
parent 5bf18fdb7f
commit 06ca14ea45
4 changed files with 1316 additions and 498 deletions

File diff suppressed because it is too large Load diff


@ -85,29 +85,28 @@ const myWeakCiphers: set[count] = {
SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
SSLv20_CK_DES_64_CBC_WITH_MD5,
SSLv3x_NULL_WITH_NULL_NULL,
SSLv3x_RSA_WITH_NULL_MD5,
SSLv3x_RSA_WITH_NULL_SHA,
SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5,
SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSLv3x_RSA_WITH_DES_CBC_SHA,
TLS_NULL_WITH_NULL_NULL,
TLS_RSA_WITH_NULL_MD5,
TLS_RSA_WITH_NULL_SHA,
TLS_RSA_EXPORT_WITH_RC4_40_MD5,
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
TLS_RSA_WITH_DES_CBC_SHA,
SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
SSLv3x_DH_DSS_WITH_DES_CBC_SHA,
SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSLv3x_DH_RSA_WITH_DES_CBC_SHA,
SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
SSLv3x_DHE_DSS_WITH_DES_CBC_SHA,
SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSLv3x_DHE_RSA_WITH_DES_CBC_SHA,
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
TLS_DH_DSS_WITH_DES_CBC_SHA,
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
TLS_DH_RSA_WITH_DES_CBC_SHA,
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
TLS_DHE_DSS_WITH_DES_CBC_SHA,
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
TLS_DHE_RSA_WITH_DES_CBC_SHA,
SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5,
SSLv3x_DH_anon_WITH_RC4_128_MD5,
SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
SSLv3x_DH_anon_WITH_DES_CBC_SHA,
SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA,
SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA
TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
TLS_DH_ANON_WITH_RC4_128_MD5,
TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
TLS_DH_ANON_WITH_DES_CBC_SHA,
TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
};
const x509_ignore_errors: set[int] = {
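Review bot: The rewritten `myWeakCiphers` list has no counterpart for the removed `SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA`, and the visible part of the list picks up none of the NULL, anonymous or export suites this commit introduces, so connections negotiating them would presumably go unflagged by whatever consumes this set. The C++ enum in the same commit adds, for example, `TLS_RSA_WITH_NULL_SHA256`, `TLS_ECDH_ANON_WITH_NULL_SHA`, `TLS_DH_ANON_WITH_SEED_CBC_SHA` and `TLS_RSA_EXPORT1024_WITH_RC4_56_MD5`; if the suppressed constants file defines script-level names for these, they belong here next to the existing NULL/EXPORT/DH_ANON entries. The set's opening lines are outside the hunk, so entries above `SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5` could not be checked.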


@ -389,16 +389,16 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
96,
160
},
{ SSL_FORTEZZA_KEA_WITH_RC4_128_SHA,
SSL_CIPHER_TYPE_STREAM,
SSL_FLAG_SSLv30,
SSL_CIPHER_RC4,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_FORTEZZA_KEA,
0,
128,
160
},
//{ SSL_FORTEZZA_KEA_WITH_RC4_128_SHA,
// SSL_CIPHER_TYPE_STREAM,
// SSL_FLAG_SSLv30,
// SSL_CIPHER_RC4,
// SSL_MAC_SHA,
// SSL_KEY_EXCHANGE_FORTEZZA_KEA,
// 0,
// 128,
// 160
//},
// --- special SSLv3 FIPS ciphers
{ SSL_RSA_FIPS_WITH_DES_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
@ -591,7 +591,439 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
0,
256,
160
}
},
{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_RSA,
0,
128,
160
},
{ TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_DSS,
0,
128,
160
},
{ TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_RSA,
0,
128,
160
},
{ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DHE_DSS,
0,
128,
160
},
{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DHE_RSA,
0,
128,
160
},
{ TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_ANON,
0,
128,
160
},
{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_RSA,
0,
256,
160
},
{ TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_DSS,
0,
256,
160
},
{ TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_RSA,
0,
256,
160
},
{ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DHE_DSS,
0,
256,
160
},
{ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DHE_RSA,
0,
256,
160
},
{ TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_CAMELLIA,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_ANON,
0,
256,
160
},
{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_3DES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_ECDSA,
0,
168,
160
},
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_ECDSA,
0,
128,
160
},
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_ECDSA,
0,
256,
160
},
{ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_NULL,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_ECDSA,
0,
0,
160
},
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_RC4,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_ECDSA,
0,
128,
160
},
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_3DES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_RSA,
0,
168,
160
},
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_RSA,
0,
128,
160
},
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_RSA,
0,
256,
160
},
{ TLS_ECDHE_RSA_WITH_NULL_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_NULL,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_RSA,
0,
0,
160
},
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_RC4,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDHE_RSA,
0,
128,
160
},
{ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_3DES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_ECDSA,
0,
168,
160
},
{ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_ECDSA,
0,
128,
160
},
{ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_ECDSA,
0,
256,
160
},
{ TLS_ECDH_ECDSA_WITH_NULL_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_NULL,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_ECDSA,
0,
0,
160
},
{ TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_RC4,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_ECDSA,
0,
128,
160
},
{ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_3DES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_RSA,
0,
168,
160
},
{ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_RSA,
0,
128,
160
},
{ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_RSA,
0,
256,
160
},
{ TLS_ECDH_RSA_WITH_NULL_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_NULL,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_RSA,
0,
0,
160
},
{ TLS_ECDH_RSA_WITH_RC4_128_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_RC4,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_RSA,
0,
128,
160
},
{ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_3DES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_ANON,
0,
168,
160
},
{ TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_ANON,
0,
128,
160
},
{ TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_AES,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_ANON,
0,
256,
160
},
{ TLS_ECDH_anon_WITH_NULL_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_NULL,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_ANON,
0,
0,
160
},
{ TLS_ECDH_anon_WITH_RC4_128_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_RC4,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_ECDH_ANON,
0,
128,
160
},
{ TLS_RSA_WITH_SEED_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_SEED,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_RSA,
0,
128,
160
},
{ TLS_DH_DSS_WITH_SEED_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_SEED,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_DSS,
0,
128,
160
},
{ TLS_DH_RSA_WITH_SEED_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_SEED,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_RSA,
0,
128,
160
},
{ TLS_DHE_DSS_WITH_SEED_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_SEED,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DHE_DSS,
0,
128,
160
},
{ TLS_DHE_RSA_WITH_SEED_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_SEED,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DHE_RSA,
0,
128,
160
},
{ TLS_DH_anon_WITH_SEED_CBC_SHA,
SSL_CIPHER_TYPE_BLOCK,
SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
SSL_CIPHER_SEED,
SSL_MAC_SHA,
SSL_KEY_EXCHANGE_DH_ANON,
0,
128,
160
},
};
const uint SSL_CipherSpecs_Count =
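Review bot: The added anonymous-suite entries are spelled with a lowercase `anon` (`TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA`, `TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA`, the five `TLS_ECDH_anon_WITH_*` entries and `TLS_DH_anon_WITH_SEED_CBC_SHA`), while the enum added to the header in this commit declares `TLS_DH_ANON_WITH_*` and `TLS_ECDH_ANON_WITH_*`. Unless the lowercase names are declared somewhere not shown, these initialisers will not compile and should read e.g. `{ TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA,`. Separately, every new RC4 entry (for example `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`) is tagged `SSL_CIPHER_TYPE_BLOCK`, whereas the FORTEZZA RC4 entry in the earlier hunk uses `SSL_CIPHER_TYPE_STREAM`; RC4 is a stream cipher, so these should carry `SSL_CIPHER_TYPE_STREAM,`, and the new NULL entries should follow whatever type the table's existing NULL suites use. The `SSL_CipherSpecs[]` initialiser starts outside the lines shown.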


@ -12,14 +12,14 @@
*/
enum SSLv2_CipherSpec {
// --- standard SSLv2 ciphers
SSL_CK_RC4_128_WITH_MD5 = 0x010080,
SSL_CK_RC4_128_EXPORT40_WITH_MD5 = 0x020080,
SSL_CK_RC2_128_CBC_WITH_MD5 = 0x030080,
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x040080,
SSL_CK_IDEA_128_CBC_WITH_MD5 = 0x050080,
SSL_CK_DES_64_CBC_WITH_MD5 = 0x060040,
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x0700C0,
SSL_CK_RC4_64_WITH_MD5 = 0x080080
SSL_CK_RC4_128_WITH_MD5 = 0x010080,
SSL_CK_RC4_128_EXPORT40_WITH_MD5 = 0x020080,
SSL_CK_RC2_128_CBC_WITH_MD5 = 0x030080,
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x040080,
SSL_CK_IDEA_128_CBC_WITH_MD5 = 0x050080,
SSL_CK_DES_64_CBC_WITH_MD5 = 0x060040,
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x0700C0,
SSL_CK_RC4_64_WITH_MD5 = 0x080080
};
@ -28,60 +28,236 @@ enum SSLv2_CipherSpec {
*/
enum SSL3_1_CipherSpec {
// --- standard SSLv3x ciphers
TLS_NULL_WITH_NULL_NULL = 0x0000,
TLS_RSA_WITH_NULL_MD5 = 0x0001,
TLS_RSA_WITH_NULL_SHA = 0x0002,
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
TLS_RSA_WITH_RC4_128_SHA = 0x0005,
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006,
TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007,
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008,
TLS_RSA_WITH_DES_CBC_SHA = 0x0009,
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A,
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B,
TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C,
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D,
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E,
TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F,
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010,
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011,
TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013,
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014,
TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015,
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016,
TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017,
TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018,
TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019,
TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A,
TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B,
TLS_NULL_WITH_NULL_NULL = 0x0000,
TLS_RSA_WITH_NULL_MD5 = 0x0001,
TLS_RSA_WITH_NULL_SHA = 0x0002,
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
TLS_RSA_WITH_RC4_128_SHA = 0x0005,
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006,
TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007,
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008,
TLS_RSA_WITH_DES_CBC_SHA = 0x0009,
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A,
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B,
TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C,
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D,
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E,
TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F,
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010,
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011,
TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013,
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014,
TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015,
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016,
TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017,
TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018,
TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019,
TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A,
TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B,
// --- special SSLv3 ciphers
SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C,
SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D,
SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = 0x001E,
// --- special SSLv3 FIPS ciphers
SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE,
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0XFEFF,
// --- new 56 bit export ciphers
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062,
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064,
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063,
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065,
TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066,
SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C,
SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D,
//SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = 0x001E,
// -- RFC 2712 (ciphers not fully described in SSLCiphers.cc)
TLS_KRB5_WITH_DES_CBC_SHA = 0x001E,
TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F,
TLS_KRB5_WITH_RC4_128_SHA = 0x0020,
TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021,
TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022,
TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023,
TLS_KRB5_WITH_RC4_128_MD5 = 0x0024,
TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026,
TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027,
TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029,
TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A,
TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B,
// --- new AES ciphers
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F,
TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030,
TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033,
TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034,
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035,
TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036,
TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039,
TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F,
TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030,
TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033,
TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034,
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035,
TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036,
TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039,
TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A,
TLS_RSA_WITH_NULL_SHA256 = 0x003B,
TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C,
TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D,
TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E,
TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040,
// -- RFC 4132
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041,
TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042,
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043,
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044,
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045,
TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046,
// -- Non-RFC. Widely deployed implementation (ciphers not fully described in SSLCiphers.cc)
TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060,
TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061,
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062,
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063,
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064,
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065,
TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066,
// -- RFC 5246 (ciphers not fully described in SSLCiphers.cc)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067,
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068,
TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B,
TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C,
TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D,
// -- RFC 5932
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084,
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085,
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086,
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088,
TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089,
// -- RFC 4279 (ciphers not fully described in SSLCiphers.cc)
TLS_PSK_WITH_RC4_128_SHA = 0x008A,
TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B,
TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C,
TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D,
TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E,
TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F,
TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090,
TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091,
TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092,
TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093,
TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094,
TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095,
// -- RFC 4162
TLS_RSA_WITH_SEED_CBC_SHA = 0x0096,
TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097,
TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098,
TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099,
TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A,
TLS_DH_ANON_WITH_SEED_CBC_SHA = 0x009B,
// -- RFC 5288 (ciphers not fully described in SSLCiphers.cc)
TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C,
TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F,
TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0,
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3,
TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4,
TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5,
TLS_DH_ANON_WITH_AES_128_GCM_SHA256 = 0x00A6,
TLS_DH_ANON_WITH_AES_256_GCM_SHA384 = 0x00A7,
// -- RFC 5487 (ciphers not fully described in SSLCiphers.cc)
TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8,
TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9,
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA,
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB,
TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC,
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD,
TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE,
TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF,
TLS_PSK_WITH_NULL_SHA256 = 0x00B0,
TLS_PSK_WITH_NULL_SHA384 = 0x00B1,
TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2,
TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3,
TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4,
TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5,
TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6,
TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7,
TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8,
TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9,
// -- RFC 5932 (ciphers not fully described in SSLCiphers.cc)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA,
TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB,
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC,
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD,
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE,
TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF,
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0,
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1,
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2,
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4,
TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5,
// -- RFC 4492
TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005,
TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A,
TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B,
TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F,
TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010,
TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014,
TLS_ECDH_ANON_WITH_NULL_SHA = 0xC015,
TLS_ECDH_ANON_WITH_RC4_128_SHA = 0xC016,
TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA = 0xC017,
TLS_ECDH_ANON_WITH_AES_128_CBC_SHA = 0xC018,
TLS_ECDH_ANON_WITH_AES_256_CBC_SHA = 0xC019,
// -- RFC 5054 (ciphers not fully described in SSLCiphers.cc)
TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A,
TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B,
TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C,
TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D,
TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E,
TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F,
TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020,
TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021,
TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022,
// -- RFC 5289 (ciphers not fully described in SSLCiphers.cc)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032,
// -- RFC 5489 (ciphers not fully described in SSLCiphers.cc)
TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033,
TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034,
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035,
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036,
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037,
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038,
TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039,
TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A,
TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B,
// --- special SSLv3 FIPS ciphers
SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE,
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF,
SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1,
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFe0,
};
enum SSL_CipherType {
@ -99,7 +275,9 @@ enum SSL_BulkCipherAlgorithm {
SSL_CIPHER_DES40,
SSL_CIPHER_FORTEZZA,
SSL_CIPHER_IDEA,
SSL_CIPHER_AES
SSL_CIPHER_AES,
SSL_CIPHER_CAMELLIA,
SSL_CIPHER_SEED,
};
enum SSL_MACAlgorithm {
@ -126,7 +304,13 @@ enum SSL_KeyExchangeAlgorithm {
SSL_KEY_EXCHANGE_FORTEZZA_KEA,
// --- new 56 bit export ciphers
SSL_KEY_EXCHANGE_RSA_EXPORT1024,
SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024
SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024,
// -- Elliptic Curve key change algorithms (rfc4492)
SSL_KEY_EXCHANGE_ECDH_ECDSA,
SSL_KEY_EXCHANGE_ECDHE_ECDSA,
SSL_KEY_EXCHANGE_ECDH_RSA,
SSL_KEY_EXCHANGE_ECDHE_RSA,
SSL_KEY_EXCHANGE_ECDH_ANON,
};
#if 0
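Review bot: The value `0x001E` changes meaning in `SSL3_1_CipherSpec` without a comment saying so: `SSL_FORTEZZA_KEA_WITH_RC4_128_SHA` is commented out and `TLS_KRB5_WITH_DES_CBC_SHA = 0x001E` takes its place, so a session negotiating that code point would presumably now be reported as the Kerberos suite. A one-line comment above the commented-out enumerator would record the trade-off, e.g. `// 0x001E is reused by TLS_KRB5_WITH_DES_CBC_SHA (RFC 2712); the FORTEZZA RC4 suite can no longer be told apart by value`. In the last hunk, the comment `// -- Elliptic Curve key change algorithms (rfc4492)` should read `key exchange`.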