Introducing project:

The  SSL Labs Project (http://www.ssllabs.com) has been created by Ivan Ristic, creator of mod_security (http://www.modsecurity.org) (Open Source Web Application Firewall), who became deeply interested in the technology when he wrote a chapter about SSL in the book Apache Security ( http://www.apachesecurity.net/ ), in 2004 .

Currently, his idea for this new project is to do research and projects that may help in better understanding the SSL technology and its daily utilization by professionals, especially nowadays, with intense use of web applications and need of using SSL/TLS. Future work and goals:

1. Deploy mod_sslhaf in a high-profile SSL web site to gather raw data.
2. Use the raw data to construct a database of SSL client capabilities.
3. Extend mod_sslhaf to determine client make in real-time.
4. Write a paper documenting the entire experience.

Using mod_hafssl for client-side fingerprint:

The modhafssl is an apache module that has, as objective, the removal of ciphers supported by the client/server negotiation. The idea, behind this concept, is to better understand functioning of requisitions, as well as to measure better utilizations (high cpu consumption, performance) and top-level higher security degrees (ciphers with security problems)

We have been using the mod_hafssl in our lab and, in parallel, have as well followed-up some comments about difficulty in interpreting the logs, since project logs in a not too much human-readable mode (there are approximately 271 codes for different ciphers) and then we created a simple parser to convert log.

Examples of sslhaf’s standard log output:

“h3,03.01,88,87,39,38,84,35,45,44,66,33,32,41,04,05,2f,16,13,feff,0a” “Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US) AppleWebKit/531.0 (KHTML, like Gecko) Chrome/3.0.187.0 Safari/531.0”

“h3,03.01,c00a,c014,88,87,39,38,c00f,c005,84,35,c007,c009,c011,c013,45,44,33,32,c00c,c00e,c002,c004,
41,04,05,2f,c008,c012,16,13,c00d,c003,feff,0a” “Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11) Gecko/2009060309 Ubuntu/9.04 (jaunty) Firefox/3.0.11”

“h2,03.01,39,38,35,16,13,0a,0700c0,33,32,2f,030080,05,04,010080,15,12,09,060040,14,11,08,06,040080,
03,020080” “Links (2.2; Linux 2.6.28-11-generic x86_64; 80×24)”

N-Stalker mod_ssl haf log parser

The simple parser created by the N-Stalker Team replaces cipher codes by their names, thus making easier understanding of generated logs.

N-Stalker Research Team (http://www.nstalker.com)
mod_sslhaf cipher converter
Usage: ./sslhaf-log.pl /path/log/sslhaf.log

“SSLv3+,TLS v1.0,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
66,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA” “Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US) AppleWebKit/531.0 (KHTML, like Gecko) Chrome/3.0.187.0 Safari/531.0”

“SSLv3+,TLS v1.0,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA” “Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11) Gecko/2009060309 Ubuntu/9.04 (jaunty) Firefox/3.0.11”

“SSLv2,TLS v1.0,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_CK_RC2_128_CBC_WITH_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,
SSL_CK_RC4_128_WITH_MD5,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_CK_DES_64_CBC_WITH_MD5,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_CK_RC4_128_EXPORT40_WITH_MD5” “Links (2.2; Linux 2.6.28-11-generic x86_64; 80×24)”

Basically, log is divided into: 2 first fields that are, sequentially, the used protocol, until reaching the degree it can support. The rest are the chippers supported by the client in question, and, finally, the User-Agent.

The sslabs project, as well as the mod_sslhaf are still in their initial phase. Ivan Ristic has written some posts and analysis about them and it is recommendable to follow-up project, bearing in mind the greater understanding and benefits they may bring to web administrators’ daily routines as well as to developers.

In what refers to the parser itself, we are performing the last adjustments and shall publish details about it, possibly along with the project.

Sites:

http://www.ssllabs.com
http://blog.ivanristic.com
https://www.ssllabs.com/projects/client-fingerprinting/index.html

N-Stalker Research Team