Ciphersuite Priority And Handshake

Question

I ran a program called cipherscan, against 2 servers that communicate with each other via TLS.

Cipherscan prints details about each server's TLS capabilities. Given the data, I'm wondering how to determine which suite is agreed upon by these 2 servers, can I assume it's whatever is the highest priority that both support?

What has to match exactly?

I put an asterisk where I thought the servers in question might settle, but wondered if this is accurate, might they select a different listed cipher suite?

In the asterisk case, the cipher, protocol version, and key exchange (pfs) were the same. I'm not sure what has to match and what is OK to differ.

Thanks, SM

Target: myXMPP:5223

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
2     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
* 4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,1024bits         None
5     DHE-RSA-AES256-SHA256        TLSv1.2                DH,1024bits         None
6     DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
7     AES256-GCM-SHA384            TLSv1.2                None                None
8     AES256-SHA256                TLSv1.2                None                None
9     AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
10    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
11    ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
12    ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
13    DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits         None
14    DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits         None
15    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
16    AES128-GCM-SHA256            TLSv1.2                None                None
17    AES128-SHA256                TLSv1.2                None                None
18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
19    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1
20    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
21    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None

 Target: myLDAP:636

 prio  ciphersuite                  protocols              pubkey_size  signature_algoritm       trusted  ticket_hint  ocsp_staple  npn   pfs                 curves                curves_ordering
* 1     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                2048         sha256WithRSAEncryption  True     None         False        None  DH,1024bits         None
 2     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                2048         sha256WithRSAEncryption  True     None         False        None  DH,1024bits         None
 3     DHE-RSA-AES256-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     None         False        None  DH,1024bits         None
 4     DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     None         False        None  DH,1024bits         None
 5     DHE-RSA-AES128-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     None         False        None  DH,1024bits         None
 6     DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     None         False        None  DH,1024bits         None
 7     EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     None         False        None  DH,1024bits         None
 8     AES256-GCM-SHA384            TLSv1.2                2048         sha256WithRSAEncryption  True     None         False        None  None                None
 9     AES128-GCM-SHA256            TLSv1.2                2048         sha256WithRSAEncryption  True     None         False        None  None                None
 10    AES256-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     None         False        None  None                None
 11    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     None         False        None  None                None
 12    AES128-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     None         False        None  None                None
 13    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     None         False        None  None                None
 14    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     None         False        None  None                None
 15    ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  True     None         False        None  ECDH,P-384,384bits  prime256v1,secp384r1  client
 16    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  True     None         False        None  ECDH,P-384,384bits  prime256v1,secp384r1  client
 17    ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  True     None         False        None  ECDH,P-384,384bits  prime256v1,secp384r1  client
 18    ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     None         False        None  ECDH,P-384,384bits  prime256v1,secp384r1  client
 19    ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  True     None         False        None  ECDH,P-384,384bits  prime256v1,secp384r1  client
 20    ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     None         False        None  ECDH,P-384,384bits  prime256v1,secp384r1  client
 21    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     None         False        None  ECDH,P-384,384bits  prime256v1,secp384r1  client

Steffen Ullrich · Answer 1 · 2017-08-08T04:48:06.200

Given the data, I'm wondering how to determine which suite is agreed upon by these 2 servers ..

"server" has different meanings, like:

a specific application like a web server
a system where such applications are running on
the role in communication, i.e. in case of TLS the client role is initiating the TLS connection and the server role is accepting the connection

Your scan only shows what the ciphers a specific TLS server role (i.e. web server, mail server...) supports, i.e. provides information about a specific part of an specific application. Any other server application on the system can use different ciphers and cipher order. Even a single application might have different server roles with different ciphers (like one web server listening on multiple ports with different configuration). Also, the ciphers shown for a specific TLS server role does not mean that the same application uses the same ciphers and order in a TLS client role or even that some other application at the same system will use the same cipher set and order.

Thus, the information you have can not be used to deduce which cipher will be used for communication between these servers. It can at most be used to find out which ciphers will not be used.

Thanks for those details Steffen. In this case the servers are XMPP client and LDAP server. How might I determine which cipher suite these will use? — Special Monkey, Aug 08 '17 at 14:57
@SpecialMonkey: you might make a traffic capture of the TLS handshake. There you will see which ciphers and which cipher order the XMPP client offers. From this you could determine how this specific client might behave against different server configurations. For this specific server configuration you can of course just look further in the handshake to see which cipher was chosen. — Steffen Ullrich, Aug 08 '17 at 16:39

Ciphersuite Priority And Handshake

1 Answers1