Many of the features and ciphersuites in Secure Sockets Layer (SSL) and Transport Layer Security (TLS) servers are not considered secure and safe to enable. To verify that they are not supported by a server, it is necessary to be able to advertise them in the first message send by the client in the TLS handshake – the Client Hello.
The cipherscan tool, does just that in order to discover the supported ciphersuites in a server. As a back-end it uses the openssl application. Unfortunately, as OpenSSL project is deprecating insecure old features it is also adding new features, causing no version of OpenSSL to be able to advertise and thus detect all the features of the protocol.
There are two possible solutions to this problem:
- create an openssl s_client compatible script that uses tlslite-ng internally
- extend the cscan.py to support detection of supported ciphers
The goal is to research possible upsides and downsides of either solution and then implement chosen solution so that scanning servers for TLS 1.3 and SSL 2 support is possible at the same time.