tls-table doesn't seem to be working #292

Open
gene1wood opened this issue May 16, 2023 · 5 comments
@gene1wood
Collaborator

This tool

https://github.com/april/tls-table/blob/master/tls-table.py

is used to produce the Cipher Suites mediawiki page but it doesn't seem to work. We should either get it working or remove reference to it if we won't use it going forward.

@janbrasna

janbrasna commented Dec 22, 2023


I've commented out the reference for now in #296 and made all the necessary updates manually.

In the future I'll look into what changes are needed to parse the new C header file definition formats in tls-table but my guess is the table here will need to be maintained manually anyways.

@gstrauss

gstrauss commented Nov 7, 2024

> This tool
>
> https://github.com/april/tls-table/blob/master/tls-table.py
>
> is used to produce the Cipher Suites mediawiki page but it doesn't seem to work. We should either get it working or remove reference to it if we won't use it going forward.

Would you please be more specific about what does not seem to work? Then, I can take a closer look, and possibly choose different data sources.


openssl ciphers -V -stdname can be used to obtain an easily parseable list of standard cipher names and their openssl names, and can be matched up to the IANA TLS Cipher Suites code points.

$ openssl ciphers -V -stdname
          0x13,0x02 - TLS_AES_256_GCM_SHA384                        - TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
          0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256                  - TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0x13,0x01 - TLS_AES_128_GCM_SHA256                        - TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
          0x13,0x04 - TLS_AES_128_CCM_SHA256                        - TLS_AES_128_CCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESCCM(128)            Mac=AEAD
          0xC0,0x2C - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384       - ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
          0xC0,0x30 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         - ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256)            Mac=AEAD
          0xCC,0xA9 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0xCC,0xA8 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   - ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2 Kx=ECDH     Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0xC0,0xAD - TLS_ECDHE_ECDSA_WITH_AES_256_CCM              - ECDHE-ECDSA-AES256-CCM         TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256)            Mac=AEAD
          0xC0,0x2B - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256       - ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128)            Mac=AEAD
          0xC0,0x2F - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         - ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(128)            Mac=AEAD
          0xC0,0xAC - TLS_ECDHE_ECDSA_WITH_AES_128_CCM              - ECDHE-ECDSA-AES128-CCM         TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128)            Mac=AEAD
          0xC0,0x23 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       - ECDHE-ECDSA-AES128-SHA256      TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)               Mac=SHA256
          0xC0,0x27 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         - ECDHE-RSA-AES128-SHA256        TLSv1.2 Kx=ECDH     Au=RSA   Enc=AES(128)               Mac=SHA256
...

gnutls-cli --list produces a list for GnuTLS, and can be matched up to the IANA TLS Cipher Suites code points

$ gnutls-cli --list
Cipher suites:
TLS_AES_128_GCM_SHA256                            	0x13, 0x01	TLS1.3
TLS_AES_256_GCM_SHA384                            	0x13, 0x02	TLS1.3
TLS_CHACHA20_POLY1305_SHA256                      	0x13, 0x03	TLS1.3
TLS_AES_128_CCM_SHA256                            	0x13, 0x04	TLS1.3
TLS_AES_128_CCM_8_SHA256                          	0x13, 0x05	TLS1.3
TLS_RSA_NULL_MD5                                  	0x00, 0x01	TLS1.0
TLS_RSA_NULL_SHA1                                 	0x00, 0x02	TLS1.0
TLS_RSA_NULL_SHA256                               	0x00, 0x3b	TLS1.2
...

https://pagure.io/mod_nss/blob/master/f/nss_engine_cipher.c contains a mapping from NSS cipher name to OpenSSL cipher name.
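
The matching described in the comment above, joining `openssl ciphers -V -stdname` and `gnutls-cli --list` output on the code point, could look like the following. This is an added example, not part of the thread or of tls-table; the function names and the trimmed sample strings are assumptions made for illustration.

```python
import re

# Constructed sample input: lines from the output quoted above, padding shortened.
OPENSSL_SAMPLE = """\
  0x13,0x02 - TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any  Au=any   Enc=AESGCM(256) Mac=AEAD
  0x13,0x01 - TLS_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any  Au=any   Enc=AESGCM(128) Mac=AEAD
  0xC0,0x2C - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
"""
GNUTLS_SAMPLE = """\
Cipher suites:
TLS_AES_128_GCM_SHA256     \t0x13, 0x01\tTLS1.3
TLS_AES_256_GCM_SHA384     \t0x13, 0x02\tTLS1.3
TLS_RSA_NULL_SHA256        \t0x00, 0x3b\tTLS1.2
"""

HEX = r"0x([0-9A-Fa-f]{2})"
OPENSSL_RE = re.compile(r"^\s*" + HEX + "," + HEX + r"\s+-\s+(\S+)\s+-\s+(\S+)\s+(\S+)")
GNUTLS_RE = re.compile(r"^(\S+)\s+" + HEX + r",\s*" + HEX + r"\s+(\S+)")

def parse_openssl(text):
    """Code point -> (standard name, OpenSSL name) from `openssl ciphers -V -stdname`."""
    found = {}
    for line in text.splitlines():
        m = OPENSSL_RE.match(line)
        if m:  # lines that are not cipher rows (e.g. "...") are skipped
            found[(int(m[1], 16), int(m[2], 16))] = (m[3], m[4])
    return found

def parse_gnutls(text):
    """Code point -> GnuTLS name from the cipher suite rows of `gnutls-cli --list`."""
    found = {}
    for line in text.splitlines():
        m = GNUTLS_RE.match(line)
        if m:  # headings and other lines carry no code point and are skipped
            found[(int(m[2], 16), int(m[3], 16))] = m[1]
    return found

def merge(openssl, gnutls):
    """Join both sources on the code point, ascending; a missing name stays None."""
    rows = []
    for cp in sorted(set(openssl) | set(gnutls)):
        std, ossl = openssl.get(cp, (None, None))
        rows.append({"hex": "0x%02X,0x%02X" % cp, "stdname": std,
                     "openssl": ossl, "gnutls": gnutls.get(cp)})
    return rows

def gaps(rows):
    """Code points where at least one source has no name, for manual review."""
    return [r["hex"] for r in rows if None in (r["stdname"], r["openssl"], r["gnutls"])]
```

Fed with live command output instead of the samples, the result covers only the ciphers the installed binaries list, so it varies with the library version and build.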

@gstrauss

gstrauss commented Nov 9, 2024

@janbrasna please test with april/tls-table#10 which integrates the other PRs and issues in April's repo.

If desirable to use different data sources as I proposed in comment above, then please file a separate issue request.

@janbrasna

> Would you please be more specific about what does not seem to work?

Mainly the --colorize option, that's used for updating the table. (Otherwise the output is not sorted, filtered out etc., it only contains all the codepoints in ascending hex order.)

Besides that some of the mapping seems weird (0x00, 0x0A missing its OpenSSL name; 0x00, 0x12 missing both IANA and OpenSSL, but they are listed in the sources used.)

(Testing the fork at 8259e7d…)

> possibly choose different data sources.

It's supposed to be run locally, so the reason to scrape the latest source is probably to avoid any version- or OS-specific data the binaries return, or filters used to rule out any ciphers not supported (by default or at all) anymore. I believe there's more codepoints in the definitions than effectively enabled at any level for the latest versions. (NB: you'd need to depend on openssl and gnutls packages just to run the cli commands, i.e. none of the systems I work on would have gnutls-cli available, and system default openssl is actually a LibreSSL version — so this would need to build recent versions just to list the ciphers.)
