How to send invalid ciphers from client to server?

Question

In the client hello, I want the client to send a set of invalid cipher suites. On wireshark, this is the kind of output I'm looking for.

enter image description here

To do this, I think I have to edit the cipher list that is sent from the client to the server. I know that the cipher list is set for the SSL_CTX object in line 1768 of ssl/ssl_lib.c under the SSL_CTX_new() method, i.e the line below:

ssl_create_cipher_list(ret->method,
         &ret->cipher_list,&ret->cipher_list_by_id,
         meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST);

How do I proceed? I assume I have to modify some code in the ssl_create_cipher_list method, which is defined on line 1353 in ssl/ssl_ciph.h, but I'm not able to figure this out.

Any help appreciated!

This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. — jww, Mar 02 '15 at 11:59
@jww, it is a programming question. I've edited the question above. — Randomly Named User, Mar 04 '15 at 10:07
Wait, are you asking how to jigger your SSL library to purposely misbehave? Or are you asking how to specify cipher suites that your client doesn't support? — jschultz410, Mar 05 '15 at 05:30
The cipher suite you highlighted, 0x5600 is not a cipher suite but a "Signaling Cipher Suite Value" that is similar to the one above it in the list, 0x00ff. More info: https://www.ietf.org/archive/id/draft-bmoeller-tls-downgrade-scsv-02.txt — juhraffe, Mar 23 '17 at 17:46

score 1 · Answer 1 · answered Mar 05 '15 at 01:56

1

I should think that instead of bothering with the ssl_create_cipher_list, you would instead override the negotiation phase (where ciphers are sent) and send any invalid ciphers which you want. In other words, anything not on this list.

answered Mar 05 '15 at 01:56

Sean Baker

664
5
11

Thanks, and yeah, I tried to override the validity check of the ciphers on the client side. However, there were too many dependencies and code flow got really confusing. I was looking for the easiest way to do it. – Randomly Named User Mar 05 '15 at 05:00

score 0 · Answer 2 · edited Oct 07 '21 at 13:28

A conforming TLS client can only send the cipher suites that the client supports. It cannot send cipher suites that it does not support. From TLS 1.2, RFC 5246:

7.4.1.2. Client Hello

...

The cipher suite list, passed from the client to the server in the ClientHello message, contains the combinations of cryptographic algorithms supported by the client in order of the client's preference (favorite choice first) ...

cipher_suites

This is a list of the cryptographic options supported by the client, with the client's first preference first. If the session_id field is not empty (implying a session resumption request), this vector MUST include at least the cipher_suite from that session. Values are defined in Appendix A.5.

So, your client will need to specify the cipher suites that it supports. You can either explicitly choose the ones you think are valid for your purposes, or you can rely on your library's definitions. For example, with OpenSSL you can do something like:

SSL_CTX_set_cipher_list(ssl_ctx, "-ALL:HIGH");

juhraffe · Answer 3 · 2015-03-05T19:11:22.523

If you just need to do this as kind of a one-off test you could write a simple TCP-layer proxy that would accept connections from the client, do a RegEx replacement of the (known in advance) client cipher suite list with the desired unsupported list, and forward this to the desired server. Pick your favorite language to implement the proxy. I'm not sure if this is easier than modifying your code, but it's somewhat cleaner if this serves your purpose.

If you actually want the client to establish a TLS session, this won't work, since this is essentially a MITM attack. This is just a way to send the unsupported ciphers to the server and see how the server reacts.

How to send invalid ciphers from client to server?

3 Answers3