{"id":18465587,"url":"https://github.com/snobu/tls-negotiations","last_synced_at":"2025-04-15T21:23:22.696Z","repository":{"id":77178672,"uuid":"119807692","full_name":"snobu/tls-negotiations","owner":"snobu","description":"TLS - The Long Story","archived":false,"fork":false,"pushed_at":"2018-05-14T21:21:38.000Z","size":578,"stargazers_count":4,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-29T01:24:12.867Z","etag":null,"topics":["net-framework","schannel","ssl","tls"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/snobu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-02-01T08:41:11.000Z","updated_at":"2024-05-07T05:00:01.000Z","dependencies_parsed_at":null,"dependency_job_id":"d9e0e8ce-d2ef-476b-bdfc-b7a94e0de881","html_url":"https://github.com/snobu/tls-negotiations","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snobu%2Ftls-negotiations","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snobu%2Ftls-negotiations/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snobu%2Ftls-negotiations/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snobu%2Ftls-negotiations/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/snobu","download_url":"https://codeload.github.com/snobu/tls-negotiations/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249155118,"owners_count":21221542,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["net-framework","schannel","ssl","tls"],"created_at":"2024-11-06T09:13:37.636Z","updated_at":"2025-04-15T21:23:22.687Z","avatar_url":"https://github.com/snobu.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"The Visual Studio solution starts these 3 projects on F5 Debug:\n\n![Screenshot](screenshot.png)\n\n# Top tips\n\n### TLS System Default Versions in Windows\nFrom https://support.microsoft.com/en-us/help/3154520/support-for-tls-system-default-versions-included-in-the--net-framework:\n![System Default TLS versions](sys-default-tls-ver.png)\n\n### What's new in .NET Framework 4.7 (CTRL+F for TLS)\nhttps://docs.microsoft.com/en-us/dotnet/framework/whats-new/#v47\n\n### Registry Keys affecting SSL/TLS in SCHANNEL\nhttps://blogs.technet.microsoft.com/cmpfekevin/2016/09/18/schannel-ssl-and-tls-registry-keys-reporting/\n\n```\nHKLM SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 2.0\\Client\nHKLM SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 2.0\\Server\nHKLM SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 3.0\\Client\nHKLM SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 3.0\\Server\nHKLM SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\Client\nHKLM SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\Server\nHKLM SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Client\nHKLM SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Server\nHKLM SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Client\nHKLM SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Server\n```\n\n### Control SCHANNEL ciphers\nhttps://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc\n\n### Test clients against bad SSL configs\nhttps://badssl.com\n\n### How's my SSL?\n  * https://www.howsmyssl.com/\n  * JSON response: https://www.howsmyssl.com/a/check\n\n### Qualys SSL Labs (Ivan Ristic)\n  * https://www.ssllabs.com/ssltest/\n  * API Documentation: https://github.com/ssllabs/ssllabs-scan/blob/stable/ssllabs-api-docs.md\n\n### SSL Labs one-version-only listeners (Thank you, Ivan!)\n  * **SSL 3.0**-only listener at https://ssllabs.com:10300/\n  * **TLS 1.0**-only listener at https://ssllabs.com:10301/\n  * **TLS 1.1**-only listener at https://ssllabs.com:10302/\n  * **TLS 1.2**-only listener at https://ssllabs.com:10303/\n\n### Listen for specific protocol version locally\n\nNOTE: Works fine in WSL.\n\n```bash\n# Generate self-signed certificate\n$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes\n\n# Spin up a simple web server on port 4433 that talks one protocol version only\n$ openssl s_server -key key.pem -cert cert.pem -accept 4433 -www -tls1\n\n # -ssl3         - just use SSLv3\n # -tls1_2       - just use TLSv1.2\n # -tls1_1       - just use TLSv1.1\n # -tls1         - just use TLSv1\n```\n\n### Handshake specific protocol version with remote host\n\nNOTE: Works fine in WSL.\n\n```\n# openssl s_client -h\n\n # -ssl3         - just use SSLv3\n # -tls1_2       - just use TLSv1.2\n # -tls1_1       - just use TLSv1.1\n # -tls1         - just use TLSv1\n\n$ openssl s_client -host pages.github.io -port 443 -servername pages.github.io -tls1_2\n\nCONNECTED(00000003)\n---\nCertificate chain\n 0 s:/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=www.github.com\n   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA\n 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA\n   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA\n---\nServer certificate\n-----BEGIN CERTIFICATE-----\nMIIHqDCCBpCgAwIBAgIQCDqEWS938ueVG/iHzt7JZjANBgkqhkiG9w0BAQsFADBw\n...\n3svH64hwWd1i3BZ2LTBq46MvQKU2D8wFdtXgbgRAPWohX79Oo6hs0Jghub0=\n-----END CERTIFICATE-----\nsubject=/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=www.github.com\nissuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA\n---\n...\n---\nSSL handshake has read 3846 bytes and written 455 bytes\n---\nNew, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256\nServer public key is 2048 bit\nSecure Renegotiation IS supported\nCompression: NONE\nExpansion: NONE\nNo ALPN negotiated\nSSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n    ...\n    Start Time: 1517480966\n    Timeout   : 7200 (sec)\n    Verify return code: 0 (ok)\n---\n```\n\n### Enumerate remote ciphers with `nmap`\n\nNOTE: Doesn't work in WSL. Use real Linux or nmap for Windows.\n\n```bash\n$ sudo apt install nmap -y\n\n$ nmap -sV --script ssl-enum-ciphers -p 443 pages.github.io\n\nNmap scan report for pages.github.io (151.101.37.147)\n\nPORT    STATE SERVICE        VERSION\n443/tcp open  ssl/http-proxy Varnish\n|_http-server-header: GitHub.com\n| ssl-enum-ciphers:\n|   TLSv1.2:\n|     ciphers:\n|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A\n|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A\n|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A\n|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A\n|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A\n|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A\n|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A\n|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A\n|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A\n|     compressors:\n|       NULL\n|     cipher preference: server\n|_  least strength: A\n```\n\n### Traffic Analysis of an SSL/TLS Session\nhttp://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session\n\n```\n  03 00          SSL version (SSL 3.0)\n  03 01          SSL version (TLS 1.0)\n  03 02          SSL version (TLS 1.1)\n  03 03          SSL version (TLS 1.2)\n  03 03          SSL version (TLS 1.3), negotiates version 1.3 through protocol extension\n\n---\n\nServerHello message\n\n0000   16 03 01 00 35 02 00 00 31 03 01 54 9a ab 72 85  ....5...1..T..r.\n0010   91 a4 a7 a9 27 fe 3d e4 da f6 38 a5 aa 6e 5a 2f  ....'.=...8..nZ/\n0020   31 90 5b 41 b0 5d de d8 9d ae f6 00 00 35 00 00  1.[A.].......5..\n0030   09 ff 01 00 01 00 00 23 00 00                    .......#..\n\n       16             Handshake protocol type\n       03 01          SSL version (TLS 1.0)\n       35             Record length (53 bytes)\n\n       02             ServerHello message type\n       00 00 31       Message length (49 bytes)\n       03 01          SSL version (TLS 1.0)\n       54 9a ab 72    First 4 bytes of random (Unix time)\n       85 .. f6       Last 28 bytes of the random number\n       00             Session Id length\n       00 35          Selected Cipher Suite (RSA with AES-256-CBC SHA)\n       00             Selected compression method (null)\n       00 09          Extensions length\n       ff 01 00 01 00 Extension (Renegotiation Info)\n       00 23 00 00    Extension (SessionTicket TLS)\n```\n\n### Windows PowerShell (5.1): Invoke-WebRequest and Invoke-RestMethod\n\n```powershell\nPS\u003e [Net.ServicePointManager]::SecurityProtocol\nSsl3, Tls\n```\n![SSL3](https://user-images.githubusercontent.com/6472374/40024097-d96369ce-57d5-11e8-8714-f18d05475c6c.png)\n![what year is it?](https://user-images.githubusercontent.com/6472374/40023946-614059a2-57d5-11e8-8ff9-9bce64a0c5f2.gif)\n\n```powershell\nPS\u003e Invoke-WebRequest -UseBasicParsing -Method Head https://microsoft.github.io | fl Status*\nInvoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.\n\nPS\u003e [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls `\n                                                  -bor [Net.SecurityProtocolType]::Tls11 `\n                                                  -bor [Net.SecurityProtocolType]::Tls12\nPS\u003e [Net.ServicePointManager]::SecurityProtocol\nTls, Tls11, Tls12\n\nPS\u003e Invoke-WebRequest -UseBasicParsing -Method Head https://microsoft.github.io | fl Status*\n\nStatusCode        : 200\nStatusDescription : OK\n```\n\nPowerShell Core (6.0+) has a `-SslProtocol` parameter, but shouldn't really matter since it will attempt TLS 1.2 anyway:\n```powershell\nPS C:\\Program Files\\PowerShell\\6-preview\u003e Invoke-WebRequest https://microsoft.github.io -SslProtocol Tls12 |\n    ft Status*\n\nStatusCode StatusDescription\n---------- -----------------\n       200 OK\n\n\nPS C:\\Program Files\\PowerShell\\6-preview\u003e Invoke-WebRequest https://microsoft.github.io | ft Status*\n\nStatusCode StatusDescription\n---------- -----------------\n       200 OK\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnobu%2Ftls-negotiations","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsnobu%2Ftls-negotiations","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnobu%2Ftls-negotiations/lists"}