PerlMonks  

Is it possible to check the client's SSL/TLS version?

by khandielas (Sexton)
on Jul 16, 2015 at 19:45 UTC (id://1135074)

khandielas has asked for the wisdom of the Perl Monks concerning the following question:

Hi, Monks. I wonder, from the server side, is it possible to check and document the various clients' SSL/TLS versions?

My environment: Debian, Apache 2.2.22 and Perl 5.14. The clients can use browsers and various programming languages to access my server. Thank you very much.


Replies are listed 'Best First'.
Re: Is it possible to check the client's SSL/TLS version?
by hippo (Bishop) on Jul 16, 2015 at 21:20 UTC

      This will give you the major protocol version that is being used, but, so far as I know, you can’t get more detailed than that, e.g. what exact version (as in, build-number) of the stack the client-side is using.

      Possibly-useful links:

      • Test for SSL version (What version is your Apache server running)
      • mod_ssl documentation (specifically, the SSLCipherSuite directive, which specifies what ciphers are acceptable; also SSLHonorCipherOrder and SSLProtocol)

      Pragmatically, it might be better to cause Apache to refuse to honor any insecure protocol that you do not wish to use, than to check the version that made it through the negotiation process within your application. Just don’t allow not-secure-enough negotiations to succeed.

        What Rhandom pointed out is why we need to collect the information. Many thanks to hippo and sundialsrv4 for pointing out the documents, but I still don't quite understand this.

        Correct me if my question is silly. The protocol version (SSL/TLS version) I want to collect is the one from the clients, not from my Apache server. Is the variable $ENV{SSL_PROTOCOL} my server's SSL version or the client's SSL version? My understanding is that the variable SSL_PROTOCOL is my Apache server's configuration variable, not from the client.

        Apache relies on OpenSSL to do the security handshakes, so does Apache not care about the client's version of SSL/TLS, and could it not log it?

Re: Is it possible to check the client's SSL/TLS version?
by Rhandom (Curate) on Jul 17, 2015 at 01:23 UTC
    This is becoming a major issue as any site supporting IE7 and older will begin to fail PCI within the year. So this is an important thing to be able to check.

    One way that it could be done is to use multiple IPs or Virtual Hosts, each with SSL enabled, but with each one supporting only one SSL or TLS version. Then use JavaScript on a single page to get an image or script from each of the configured servers. Coalesce the results in JavaScript and report back. The largest cost is the multiple IPs and/or domain names and a bit of time to set up your Apache configs. (You may be able to do this with a Perl daemon, but I'm not aware of many of them that support separate SSL Virtual Host setups.)

    my @a=qw(random brilliant braindead); print $a[rand(@a)];

      This is becoming a major issue as any site supporting IE7 and older will begin to fail...

      You make it sound like this is a bad thing.

Re: Is it possible to check the client's SSL/TLS version?
by Anonymous Monk on Jul 16, 2015 at 21:10 UTC
    sure why not
Re: Is it possible to check the client's SSL/TLS version?
by noxxi (Pilgrim) on Jul 18, 2015 at 09:32 UTC

    From within a script/application started by the web server, all you can see is the protocol version and cipher both sides agreed to. To get anything more, i.e. the protocol version offered by the client, the ciphers offered etc., you need to have control over the TLS stack of the server, which you don't have from inside the script/application.

    And even if you are inside the TLS stack, you don't get the kind of version of the TLS stack the client uses. There is nothing similar to an HTTP User-Agent header in TLS, and all you could do is to try to fingerprint the client based on the TLS extensions used, the ciphers offered, the handshake version etc. and infer from this which TLS stack and version this might be.

    But, if you want to know how clients will behave if you make changes to the server (like hardening ciphers and protocol version), the exact TLS implementation is not of much use. What you need are the capabilities of the client, which depend not only on the implementation but also on the configuration. I would instead recommend the following to find out if you will have problems with hardening:

    • Have bad ciphers like RC4 at the very end and make the server enforce its own cipher preference. Then check SSL_CIPHER to see if a bad cipher was used. Since the server will choose the best cipher the client supports (based on the server's preference), you will find out this way if you have a client supporting only bad ciphers.
    • Check SSL_PROTOCOL to see if client and server agreed to a protocol version you will no longer support (like SSL 3.0 and maybe TLS 1.0). The server will pick the best version the client supports, so if your server is capable of TLS 1.2 this will be TLS 1.2 with all modern browsers.
    • Check SSL_TLS_SNI to see if the client supports the SNI extension. If not (like with IE 8 on XP), you must keep the SSL server on a dedicated IP address.
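A worked version of the three checks above, and of the earlier point that a script only ever sees the negotiated protocol through its environment: this is an added example, not code posted in the thread. It assumes mod_ssl's standard CGI variables (SSL_PROTOCOL, SSL_CIPHER, SSL_TLS_SNI), which Apache exports to scripts only when the vhost has SSLOptions +StdEnvVars; the retire lists are a constructed policy, and the sample sessions are constructed, not real captures.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed policy for this example: protocol versions and cipher name
# fragments we intend to retire. Adjust to your own hardening plan.
my %retired_protocol   = map { $_ => 1 } qw(SSLv2 SSLv3 TLSv1);
my @retired_cipher_res = (qr/RC4/, qr/\bDES\b/, qr/NULL/, qr/EXP/, qr/\bMD5\b/);

# Classify one session from mod_ssl's CGI variables. Takes a hashref so it
# works with a constructed hash as well as with the real %ENV.
sub classify_tls_env {
    my ($env) = @_;
    my $proto  = $env->{SSL_PROTOCOL} // 'unknown';
    my $cipher = $env->{SSL_CIPHER}   // 'unknown';
    my $sni    = $env->{SSL_TLS_SNI};
    my $has_sni = defined $sni && length $sni;
    my @flags;
    push @flags, 'RETIRED_PROTOCOL' if $retired_protocol{$proto};
    push @flags, 'RETIRED_CIPHER'   if grep { $cipher =~ $_ } @retired_cipher_res;
    push @flags, 'NO_SNI'           unless $has_sni;
    return { protocol => $proto, cipher => $cipher,
             sni => $has_sni ? $sni : '-', flags => \@flags };
}

# One log line per request, suitable for an append-only log file.
sub tls_log_line {
    my ($env) = @_;
    my $r = classify_tls_env($env);
    return sprintf "client=%s proto=%s cipher=%s sni=%s flags=%s",
        $env->{REMOTE_ADDR} // '-', $r->{protocol}, $r->{cipher}, $r->{sni},
        @{ $r->{flags} } ? join(',', @{ $r->{flags} }) : 'ok';
}

# Constructed sample sessions (not real captures): a current browser, and an
# SNI-less legacy client of the kind the thread mentions.
my @samples = (
    { REMOTE_ADDR => '192.0.2.10', SSL_PROTOCOL => 'TLSv1.2',
      SSL_CIPHER  => 'ECDHE-RSA-AES128-GCM-SHA256', SSL_TLS_SNI => 'www.example.com' },
    { REMOTE_ADDR => '192.0.2.11', SSL_PROTOCOL => 'TLSv1', SSL_CIPHER => 'RC4-SHA' },
);
print tls_log_line($_), "\n" for @samples;

# When run as a CGI under Apache, classify the real request too; STDERR ends
# up in Apache's error log, or append the line to a log file of your own.
print STDERR tls_log_line(\%ENV), "\n" if $ENV{GATEWAY_INTERFACE};
```

Because the server picks the best protocol and cipher the client offers (with SSLHonorCipherOrder on), a RETIRED_* flag means that client cannot do better, which is exactly the population you need to count before hardening.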
