Tracking SSL/TLS cipher usage

I recently needed to restrict the list of ciphers that my LDAP server allowed. However, I wanted to make sure that my LDAP clients (many not under my control) would still be able to negotiate a cipher after I made the change. I was able to capture SSL/TLS cipher usage and parse the log into a report.

First, capture the SSL/TLS handshakes from the server using tshark (wireshark):

tshark -l -f ‘tcp port 389’ -2R ‘ssl.handshake.type==2 or ssl.handshake.type==1’ -T fields -e ssl.handshake.type -e ssl.record.version -e ssl.handshake.version -e ssl.handshake.ciphersuite -e ssl.handshake.cipherspec -e ip.src -e ip.dst > ldap-cipher-track1.log

I ran this a second time for port 636 into a separate file so that I could identify which clients were using LDAP vs LDAPS.

Log entries look like:

1 0x0301 0x0301 0xc009,0xc013,0x002f,0xc004,0xc00e,0x0033,0x0032,0xc008,0xc012,0x000a,0xc003,0xc00d,0x0016,0x0013,0xc007,0xc011,0x0005,0xc002,0xc00c,0x0004,0x00ff 128.193.4.147 128.193.4.137
2,11,12,14 0x0301 0x0301 0xc011 128.193.4.137 128.193.4.147

Lines that begin with “1” are the Client Hello. Lines that begin with “2” are the Server Hello. The Client Hello includes the list of ciphers that the client supports. The Server Hello tells the client which cipher the server selected. Note: We don’t need the server’s private key because we are not decrypting anything.

After we have the log file, we parse it with Perl to report the following:

1. Client ciphers offered – a summarized list of all the ciphers offered
2. Ciphers selected – a summarized list of the ciphers actually selected
3. Clients using weak ciphers – a list of clients by IP with the weak ciphers they used and a list of strong ciphers they support
4. Clients that don’t support any of our enabled ciphers – any clients that won’t support our desired list of enabled ciphers

Example output:

Client ciphers offered:
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLS_RSA_WITH_RC4_128_SHA (0x0005)

TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
Ciphers selected:
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Clients using weak ciphers:

10.193.14.179:
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Strong Ciphers Offered: 0x000a 0x0013 0x0016 0x002f 0x0032 0x0033 0x00ff 0xc003 0xc004 0xc008 0xc009 0xc00d 0xc00e 0xc012 0xc013

Clients that don’t support any of our enabled ciphers:

The Perl scripts and a required CSV file are available at:
http://people.oregonstate.edu/~morgan/ciphers/

Print Friendly, PDF & Email

Leave a Reply