pass-through ciphers from client to server
parent
c14fbc7794
commit
0047ac4cdc
|
@ -6,11 +6,201 @@ from construct import ConstructError
|
|||
|
||||
from netlib.tcp import NetLibError, NetLibInvalidCertificateError
|
||||
from netlib.http.http1 import HTTP1Protocol
|
||||
from ..contrib.tls._constructs import ClientHello
|
||||
from ..contrib.tls._constructs import ClientHello, CipherSuites
|
||||
from ..exceptions import ProtocolException
|
||||
from .base import Layer
|
||||
|
||||
|
||||
# taken from https://testssl.sh/openssl-rfc.mappping.html
|
||||
CIPHER_ID_NAME_MAP = {
|
||||
0x00: 'NULL-MD5',
|
||||
0x01: 'NULL-MD5',
|
||||
0x02: 'NULL-SHA',
|
||||
0x03: 'EXP-RC4-MD5',
|
||||
0x04: 'RC4-MD5',
|
||||
0x05: 'RC4-SHA',
|
||||
0x06: 'EXP-RC2-CBC-MD5',
|
||||
0x07: 'IDEA-CBC-SHA',
|
||||
0x08: 'EXP-DES-CBC-SHA',
|
||||
0x09: 'DES-CBC-SHA',
|
||||
0x0a: 'DES-CBC3-SHA',
|
||||
0x0b: 'EXP-DH-DSS-DES-CBC-SHA',
|
||||
0x0c: 'DH-DSS-DES-CBC-SHA',
|
||||
0x0d: 'DH-DSS-DES-CBC3-SHA',
|
||||
0x0e: 'EXP-DH-RSA-DES-CBC-SHA',
|
||||
0x0f: 'DH-RSA-DES-CBC-SHA',
|
||||
0x10: 'DH-RSA-DES-CBC3-SHA',
|
||||
0x11: 'EXP-EDH-DSS-DES-CBC-SHA',
|
||||
0x12: 'EDH-DSS-DES-CBC-SHA',
|
||||
0x13: 'EDH-DSS-DES-CBC3-SHA',
|
||||
0x14: 'EXP-EDH-RSA-DES-CBC-SHA',
|
||||
0x15: 'EDH-RSA-DES-CBC-SHA',
|
||||
0x16: 'EDH-RSA-DES-CBC3-SHA',
|
||||
0x17: 'EXP-ADH-RC4-MD5',
|
||||
0x18: 'ADH-RC4-MD5',
|
||||
0x19: 'EXP-ADH-DES-CBC-SHA',
|
||||
0x1a: 'ADH-DES-CBC-SHA',
|
||||
0x1b: 'ADH-DES-CBC3-SHA',
|
||||
# 0x1c: ,
|
||||
# 0x1d: ,
|
||||
0x1e: 'KRB5-DES-CBC-SHA',
|
||||
0x1f: 'KRB5-DES-CBC3-SHA',
|
||||
0x20: 'KRB5-RC4-SHA',
|
||||
0x21: 'KRB5-IDEA-CBC-SHA',
|
||||
0x22: 'KRB5-DES-CBC-MD5',
|
||||
0x23: 'KRB5-DES-CBC3-MD5',
|
||||
0x24: 'KRB5-RC4-MD5',
|
||||
0x25: 'KRB5-IDEA-CBC-MD5',
|
||||
0x26: 'EXP-KRB5-DES-CBC-SHA',
|
||||
0x27: 'EXP-KRB5-RC2-CBC-SHA',
|
||||
0x28: 'EXP-KRB5-RC4-SHA',
|
||||
0x29: 'EXP-KRB5-DES-CBC-MD5',
|
||||
0x2a: 'EXP-KRB5-RC2-CBC-MD5',
|
||||
0x2b: 'EXP-KRB5-RC4-MD5',
|
||||
0x2f: 'AES128-SHA',
|
||||
0x30: 'DH-DSS-AES128-SHA',
|
||||
0x31: 'DH-RSA-AES128-SHA',
|
||||
0x32: 'DHE-DSS-AES128-SHA',
|
||||
0x33: 'DHE-RSA-AES128-SHA',
|
||||
0x34: 'ADH-AES128-SHA',
|
||||
0x35: 'AES256-SHA',
|
||||
0x36: 'DH-DSS-AES256-SHA',
|
||||
0x37: 'DH-RSA-AES256-SHA',
|
||||
0x38: 'DHE-DSS-AES256-SHA',
|
||||
0x39: 'DHE-RSA-AES256-SHA',
|
||||
0x3a: 'ADH-AES256-SHA',
|
||||
0x3b: 'NULL-SHA256',
|
||||
0x3c: 'AES128-SHA256',
|
||||
0x3d: 'AES256-SHA256',
|
||||
0x3e: 'DH-DSS-AES128-SHA256',
|
||||
0x3f: 'DH-RSA-AES128-SHA256',
|
||||
0x40: 'DHE-DSS-AES128-SHA256',
|
||||
0x41: 'CAMELLIA128-SHA',
|
||||
0x42: 'DH-DSS-CAMELLIA128-SHA',
|
||||
0x43: 'DH-RSA-CAMELLIA128-SHA',
|
||||
0x44: 'DHE-DSS-CAMELLIA128-SHA',
|
||||
0x45: 'DHE-RSA-CAMELLIA128-SHA',
|
||||
0x46: 'ADH-CAMELLIA128-SHA',
|
||||
0x62: 'EXP1024-DES-CBC-SHA',
|
||||
0x63: 'EXP1024-DHE-DSS-DES-CBC-SHA',
|
||||
0x64: 'EXP1024-RC4-SHA',
|
||||
0x65: 'EXP1024-DHE-DSS-RC4-SHA',
|
||||
0x66: 'DHE-DSS-RC4-SHA',
|
||||
0x67: 'DHE-RSA-AES128-SHA256',
|
||||
0x68: 'DH-DSS-AES256-SHA256',
|
||||
0x69: 'DH-RSA-AES256-SHA256',
|
||||
0x6a: 'DHE-DSS-AES256-SHA256',
|
||||
0x6b: 'DHE-RSA-AES256-SHA256',
|
||||
0x6c: 'ADH-AES128-SHA256',
|
||||
0x6d: 'ADH-AES256-SHA256',
|
||||
0x80: 'GOST94-GOST89-GOST89',
|
||||
0x81: 'GOST2001-GOST89-GOST89',
|
||||
0x82: 'GOST94-NULL-GOST94',
|
||||
0x83: 'GOST2001-GOST89-GOST89',
|
||||
0x84: 'CAMELLIA256-SHA',
|
||||
0x85: 'DH-DSS-CAMELLIA256-SHA',
|
||||
0x86: 'DH-RSA-CAMELLIA256-SHA',
|
||||
0x87: 'DHE-DSS-CAMELLIA256-SHA',
|
||||
0x88: 'DHE-RSA-CAMELLIA256-SHA',
|
||||
0x89: 'ADH-CAMELLIA256-SHA',
|
||||
0x8a: 'PSK-RC4-SHA',
|
||||
0x8b: 'PSK-3DES-EDE-CBC-SHA',
|
||||
0x8c: 'PSK-AES128-CBC-SHA',
|
||||
0x8d: 'PSK-AES256-CBC-SHA',
|
||||
# 0x8e: ,
|
||||
# 0x8f: ,
|
||||
# 0x90: ,
|
||||
# 0x91: ,
|
||||
# 0x92: ,
|
||||
# 0x93: ,
|
||||
# 0x94: ,
|
||||
# 0x95: ,
|
||||
0x96: 'SEED-SHA',
|
||||
0x97: 'DH-DSS-SEED-SHA',
|
||||
0x98: 'DH-RSA-SEED-SHA',
|
||||
0x99: 'DHE-DSS-SEED-SHA',
|
||||
0x9a: 'DHE-RSA-SEED-SHA',
|
||||
0x9b: 'ADH-SEED-SHA',
|
||||
0x9c: 'AES128-GCM-SHA256',
|
||||
0x9d: 'AES256-GCM-SHA384',
|
||||
0x9e: 'DHE-RSA-AES128-GCM-SHA256',
|
||||
0x9f: 'DHE-RSA-AES256-GCM-SHA384',
|
||||
0xa0: 'DH-RSA-AES128-GCM-SHA256',
|
||||
0xa1: 'DH-RSA-AES256-GCM-SHA384',
|
||||
0xa2: 'DHE-DSS-AES128-GCM-SHA256',
|
||||
0xa3: 'DHE-DSS-AES256-GCM-SHA384',
|
||||
0xa4: 'DH-DSS-AES128-GCM-SHA256',
|
||||
0xa5: 'DH-DSS-AES256-GCM-SHA384',
|
||||
0xa6: 'ADH-AES128-GCM-SHA256',
|
||||
0xa7: 'ADH-AES256-GCM-SHA384',
|
||||
0x5600: 'TLS_FALLBACK_SCSV',
|
||||
0xc001: 'ECDH-ECDSA-NULL-SHA',
|
||||
0xc002: 'ECDH-ECDSA-RC4-SHA',
|
||||
0xc003: 'ECDH-ECDSA-DES-CBC3-SHA',
|
||||
0xc004: 'ECDH-ECDSA-AES128-SHA',
|
||||
0xc005: 'ECDH-ECDSA-AES256-SHA',
|
||||
0xc006: 'ECDHE-ECDSA-NULL-SHA',
|
||||
0xc007: 'ECDHE-ECDSA-RC4-SHA',
|
||||
0xc008: 'ECDHE-ECDSA-DES-CBC3-SHA',
|
||||
0xc009: 'ECDHE-ECDSA-AES128-SHA',
|
||||
0xc00a: 'ECDHE-ECDSA-AES256-SHA',
|
||||
0xc00b: 'ECDH-RSA-NULL-SHA',
|
||||
0xc00c: 'ECDH-RSA-RC4-SHA',
|
||||
0xc00d: 'ECDH-RSA-DES-CBC3-SHA',
|
||||
0xc00e: 'ECDH-RSA-AES128-SHA',
|
||||
0xc00f: 'ECDH-RSA-AES256-SHA',
|
||||
0xc010: 'ECDHE-RSA-NULL-SHA',
|
||||
0xc011: 'ECDHE-RSA-RC4-SHA',
|
||||
0xc012: 'ECDHE-RSA-DES-CBC3-SHA',
|
||||
0xc013: 'ECDHE-RSA-AES128-SHA',
|
||||
0xc014: 'ECDHE-RSA-AES256-SHA',
|
||||
0xc015: 'AECDH-NULL-SHA',
|
||||
0xc016: 'AECDH-RC4-SHA',
|
||||
0xc017: 'AECDH-DES-CBC3-SHA',
|
||||
0xc018: 'AECDH-AES128-SHA',
|
||||
0xc019: 'AECDH-AES256-SHA',
|
||||
0xc01a: 'SRP-3DES-EDE-CBC-SHA',
|
||||
0xc01b: 'SRP-RSA-3DES-EDE-CBC-SHA',
|
||||
0xc01c: 'SRP-DSS-3DES-EDE-CBC-SHA',
|
||||
0xc01d: 'SRP-AES-128-CBC-SHA',
|
||||
0xc01e: 'SRP-RSA-AES-128-CBC-SHA',
|
||||
0xc01f: 'SRP-DSS-AES-128-CBC-SHA',
|
||||
0xc020: 'SRP-AES-256-CBC-SHA',
|
||||
0xc021: 'SRP-RSA-AES-256-CBC-SHA',
|
||||
0xc022: 'SRP-DSS-AES-256-CBC-SHA',
|
||||
0xc023: 'ECDHE-ECDSA-AES128-SHA256',
|
||||
0xc024: 'ECDHE-ECDSA-AES256-SHA384',
|
||||
0xc025: 'ECDH-ECDSA-AES128-SHA256',
|
||||
0xc026: 'ECDH-ECDSA-AES256-SHA384',
|
||||
0xc027: 'ECDHE-RSA-AES128-SHA256',
|
||||
0xc028: 'ECDHE-RSA-AES256-SHA384',
|
||||
0xc029: 'ECDH-RSA-AES128-SHA256',
|
||||
0xc02a: 'ECDH-RSA-AES256-SHA384',
|
||||
0xc02b: 'ECDHE-ECDSA-AES128-GCM-SHA256',
|
||||
0xc02c: 'ECDHE-ECDSA-AES256-GCM-SHA384',
|
||||
0xc02d: 'ECDH-ECDSA-AES128-GCM-SHA256',
|
||||
0xc02e: 'ECDH-ECDSA-AES256-GCM-SHA384',
|
||||
0xc02f: 'ECDHE-RSA-AES128-GCM-SHA256',
|
||||
0xc030: 'ECDHE-RSA-AES256-GCM-SHA384',
|
||||
0xc031: 'ECDH-RSA-AES128-GCM-SHA256',
|
||||
0xc032: 'ECDH-RSA-AES256-GCM-SHA384',
|
||||
0xcc13: 'ECDHE-RSA-CHACHA20-POLY1305',
|
||||
0xcc14: 'ECDHE-ECDSA-CHACHA20-POLY1305',
|
||||
0xcc15: 'DHE-RSA-CHACHA20-POLY1305',
|
||||
0xff00: 'GOST-MD5',
|
||||
0xff01: 'GOST-GOST94',
|
||||
0xff02: 'GOST-GOST89MAC',
|
||||
0xff03: 'GOST-GOST89STREAM',
|
||||
0x010080: 'RC4-MD5',
|
||||
0x020080: 'EXP-RC4-MD5',
|
||||
0x030080: 'RC2-CBC-MD5',
|
||||
0x040080: 'EXP-RC2-CBC-MD5',
|
||||
0x050080: 'IDEA-CBC-MD5',
|
||||
0x060040: 'DES-CBC-MD5',
|
||||
0x0700c0: 'DES-CBC3-MD5',
|
||||
0x080080: 'RC4-64-MD5',
|
||||
}
|
||||
|
||||
def is_tls_record_magic(d):
|
||||
"""
|
||||
Returns:
|
||||
|
@ -127,6 +317,8 @@ class TlsLayer(Layer):
|
|||
self.log("Raw Client Hello:\r\n:%s" % raw_client_hello.encode("hex"), "debug")
|
||||
return
|
||||
|
||||
self.client_ciphers = client_hello.cipher_suites.cipher_suites
|
||||
|
||||
for extension in client_hello.extensions:
|
||||
if extension.type == 0x00:
|
||||
if len(extension.server_names) != 1 or extension.server_names[0].type != 0:
|
||||
|
@ -234,6 +426,14 @@ class TlsLayer(Layer):
|
|||
else:
|
||||
alpn = None
|
||||
|
||||
ciphers_server = self.config.ciphers_server
|
||||
if not ciphers_server:
|
||||
ciphers_server = []
|
||||
for id in self.client_ciphers:
|
||||
if id in CIPHER_ID_NAME_MAP.keys():
|
||||
ciphers_server.append(CIPHER_ID_NAME_MAP[id])
|
||||
ciphers_server = ':'.join(ciphers_server)
|
||||
|
||||
self.server_conn.establish_ssl(
|
||||
self.config.clientcerts,
|
||||
self.sni_for_server_connection,
|
||||
|
@ -242,7 +442,7 @@ class TlsLayer(Layer):
|
|||
verify_options=self.config.openssl_verification_mode_server,
|
||||
ca_path=self.config.openssl_trusted_cadir_server,
|
||||
ca_pemfile=self.config.openssl_trusted_ca_server,
|
||||
cipher_list=self.config.ciphers_server,
|
||||
cipher_list=ciphers_server,
|
||||
alpn_protos=alpn,
|
||||
)
|
||||
tls_cert_err = self.server_conn.ssl_verification_error
|
||||
|
|
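Review bot: In the `@ -234,6 +426,14` hunk, when `config.ciphers_server` is unset the upstream cipher string is built entirely from the client's ClientHello. A client that offers `NULL-*`, `EXP-*` or anonymous `ADH-*`/`AECDH-*` suites (all present in `CIPHER_ID_NAME_MAP`) therefore decides whether the proxy offers unencrypted, export-grade or unauthenticated suites to the server. The mirrored list should be capped with OpenSSL exclusions such as `!aNULL:!eNULL:!EXPORT`, and the join should be skipped when no client id maps to a name, because `':'.join([])` hands an empty string to `establish_ssl`, whose handling of it is not visible here. `self.client_ciphers` is assigned only after the ClientHello parses (the `@ -127,6 +317,8` hunk), so the early `return` above that assignment may leave it unset unless it is initialised elsewhere; a default in `__init__` would cover that. The enclosing method starts and ends outside the hunk.

```python
ciphers_server = self.config.ciphers_server
if not ciphers_server:
    # Mirror the client's offer, but never let the client widen the upstream
    # policy to unauthenticated, unencrypted or export-grade suites.
    mirrored = [
        CIPHER_ID_NAME_MAP[cipher_id]
        for cipher_id in self.client_ciphers
        if cipher_id in CIPHER_ID_NAME_MAP
    ]
    if mirrored:
        ciphers_server = ':'.join(mirrored + ['!aNULL', '!eNULL', '!EXPORT'])
    # else: nothing recognisable was offered; leave ciphers_server unset
# ... unchanged: self.server_conn.establish_ssl(...) call ...
```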