Reliability of the cipher suites checking

[kylak]

Hi.

There's another issue why I believe in general the result maybe not reliable: for some cipher suites you would need to provide TLS extensions or specific values in those extensions, otherwise the server won't possibly accept the ClientHello, see e.g. testssl/testssl.sh#1207 (comment)

source: testssl/testssl.sh#2526 (comment)

Did you know that ? Is it automatically managed by O-Saft when checking the full range of cipher suites ?

[EnDe]

Yes, we are aware about that.
This is a general issue with targets using TLS 1.3. We know about targets where our tool bails out with errors. So depends on what you exactly mean with "reliability":

• checking all ciphers (fuzzing), yes
• warning the user, if something fails: yes
• detecting all ciphers allways: depends
  Currently (2024) we have not seen many targets where the tool returns errors.

Before going into details, can you please explain what you want to achieve?
May be you consult the documentation first. If grep is not your favorite, you can query the docs in o-saft.tcl's Help window ;-)

[kylak]

I want to achieve two things :

1. To know the SSL/TLS protocol versions enabled on a server.
2. To know if there are any other cipher suites authorized by the server than some that I have given him.

Yes the doc seems to have a lot of infos, I'm going to check it out.