Post Reply 
Adapting proxo 4.5 to the latest OpenSSL DLLs
Nov. 15, 2014, 07:59 AM (This post was last modified: Nov. 15, 2014 08:02 AM by amy.)
Post: #23
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs
I've also been working on patching Proxomitron to work with latest OpenSSL and have success with 1.0.1j, accepts custom cipher configuration and SNI support. Smile!

Here is a brief list of modifications so far, I am still testing it out:
- OpenSSL_add_all_algorithms replaced with SSL_library_init
- Allow configuration of cipher list via SSL_CTX_set_cipher_list (disabled all insecure ciphers)
- SNI support!

https://www.ssllabs.com/ssltest/viewMyClient.html says
Code:
Protocols*
TLS 1.2    Yes
TLS 1.1    Yes*
TLS 1.0    Yes*
SSL 3    Yes*
SSL 2    No


Cipher Suites (in order of preference)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   Forward Secrecy     256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   Forward Secrecy     256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   Forward Secrecy     256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)   Forward Secrecy     256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy     256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy     256
TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA (0xc022)     256
TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA (0xc021)     256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0xa3)   Forward Secrecy*     256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   Forward Secrecy     256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   Forward Secrecy     256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x6a)   Forward Secrecy*     256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   Forward Secrecy     256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38)   Forward Secrecy*     256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   Forward Secrecy     256
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x87)   Forward Secrecy*     256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)     256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)     256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)     256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)     256
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   Forward Secrecy     112
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)   Forward Secrecy     112
TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA (0xc01c)     112
TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA (0xc01b)     112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   Forward Secrecy     112
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)   Forward Secrecy*     112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)     112
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy     128
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   Forward Secrecy     128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   Forward Secrecy     128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)   Forward Secrecy     128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy     128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy     128
TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA (0xc01f)     128
TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA (0xc01e)     128
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0xa2)   Forward Secrecy*     128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   Forward Secrecy     128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   Forward Secrecy     128
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x40)   Forward Secrecy*     128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   Forward Secrecy     128
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)   Forward Secrecy*     128
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a)   Forward Secrecy     128
TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x99)   Forward Secrecy*     128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   Forward Secrecy     128
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x44)   Forward Secrecy*     128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)     128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)     128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)     128
TLS_RSA_WITH_SEED_CBC_SHA (0x96)     128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)     128
TLS_RSA_WITH_IDEA_CBC_SHA (0x7)     128
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff)    -

(*) Cannot be used for Forward Secrecy because they require DSS keys, which are effectively limited to 1024 bits.  

Protocol Details
Server Name Indication (SNI) Yes
Secure Renegotiation Yes
TLS compression No
Session tickets Yes
OCSP stapling No
Signature algorithms SHA512/RSA, SHA512/DSA, SHA512/ECDSA, SHA384/RSA, SHA384/DSA, SHA384/ECDSA, SHA256/RSA, SHA256/DSA, SHA256/ECDSA, SHA224/RSA, SHA224/DSA, SHA224/ECDSA, SHA1/RSA, SHA1/DSA, SHA1/ECDSA, MD5/RSA  
Elliptic curves sect571r1, sect571k1, secp521r1, sect409k1, sect409r1, secp384r1, sect283k1, sect283r1, secp256k1, secp256r1, sect239k1, sect233k1, sect233r1, secp224k1, secp224r1, sect193r1, sect193r2, secp192k1, secp192r1, sect163k1, sect163r1, sect163r2, secp160k1, secp160r1, secp160r2  
Next Protocol Negotiation No
Application Layer Protocol Negotiation No
SSL 2 handshake compatibility No

Still todo improvements:
Disable SSLv3 (prevent POODLE attack)
SubjectAltName extension
Wildcard certificates checking

OCSP stapling (after all the above, this one will take quite a bit more code)
Add Thank You Quote this message in a reply
Post Reply 


Messages In This Thread
RE: Adapting proxo 4.5 to the latest OpenSSL DLLs - amy - Nov. 15, 2014 07:59 AM

Forum Jump: