Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

OSX 10.11 El Capitan does not only support ECDHE Ciphers

Daniel Nashed  1 October 2015 10:21:45

After updating to OSX 10.11 I did a quick test.
I wasn't sure whether Apple would only support ECDHE when implementing their new standard, ATS.

The first tests show that the current ciphers are there, but Apple even supports quite simple ciphers like RSA_WITH_RC4_128_SHA / MD5 as a fallback.

But you never know if this is going away in one of the next updates.

Here is a trace against a Domino 9.0.1 FP4 IF2 server.
You can see all supported common ciphers and I highlighted the most important parts of the handshake.

Happy updating!


-- Daniel


SSLProcessProtocolMessage> Record Content: Handshake (22)
SSLProcessHandshakeMessage Enter> Message: ClientHello (1) State: HandshakeServerIdle (3) Key Exchange: 0 Cipher: Unknown Cipher (0x0000)
SSLProcessHandshakeMessage client_hello> SGC FLAG: 0 CTX state = 3 SGCCount = 0
SSLProcessClientHello> clientVersion: 0303
SSLProcessClientHello> SSL/TLS protocol clientVersion 0x0303, serverVersion 0x0303
SSLProcessClientHello> 26 ciphers requested by client
SSLProcessClientHello> Client requested TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF)
SSLProcessClientHello> TLS_EMPTY_RENEGOTIATION_INFO_SCSV found
SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02C)
SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)
SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xC024)
SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xC023)
SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xC00A)
SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xC009)
SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xC008)
SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
SSLProcessClientHello> Best common cipherspec 0xC030 (so far)
SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)
SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)
SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013)
SSLProcessClientHello> Client requested ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012)
SSLProcessClientHello> Client requested RSA_WITH_AES_256_GCM_SHA384 (0x009D)
SSLProcessClientHello> Best common non-EC cipherspec 0x009D (so far)
SSLProcessClientHello> Client requested RSA_WITH_AES_128_GCM_SHA256 (0x009C)
SSLProcessClientHello> Client requested RSA_WITH_AES_256_CBC_SHA256 (0x003D)
SSLProcessClientHello> Client requested RSA_WITH_AES_128_CBC_SHA256 (0x003C)
SSLProcessClientHello> Client requested RSA_WITH_AES_256_CBC_SHA (0x0035)
SSLProcessClientHello> Client requested RSA_WITH_AES_128_CBC_SHA (0x002F)
SSLProcessClientHello> Client requested RSA_WITH_3DES_EDE_CBC_SHA (0x000A)
SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_RC4_128_SHA (0xC007)
SSLProcessClientHello> Client requested ECDHE_RSA_WITH_RC4_128_SHA (0xC011)
SSLProcessClientHello> Client requested RSA_WITH_RC4_128_SHA (0x0005)
SSLProcessClientHello> Client requested RSA_WITH_RC4_128_MD5 (0x0004)
SSLProcessClientHello> Extensions found in this message
SSLProcessClientHello> Received TLS Server Name Indication (SNI) extension
SSLProcessClientHello> SNI - client requested server name 'domino.nashcom.de'
SSLProcessClientHello> Received Elliptic Curves extension
SSLProcessClientHello> Client supports NamedCurve secp256r1 (23)
SSLProcessClientHello> Client supports NamedCurve secp384r1 (24)
SSLProcessClientHello> Client supports NamedCurve secp521r1 (25)
SSLProcessClientHello> Received EC Point Formats extension
SSLProcessClientHello> Client supports uncompressed (0) points
SSLProcessClientHello> Processing TLS signature algorithms extension
SSLProcessClientHello> Client supports hash mask 0x0034; server cert chain has mask 0x0014
SSLProcessClientHello> Extension type 0x3374, extension length 0x0000
SSLProcessClientHello> Extension type 0x0010, extension length 0x0030
SSLProcessClientHello> Processing TLS Status Request extension (OCSP)
SSLProcessClientHello> Extension type 0x0012, extension length 0x0000
SSLProcessClientHello> hash/alg in certchain  fSupHasAlg:0000
SSLProcessClientHello> We selected cipher ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
SSLProcessHandshakeMessage Exit> Message: ClientHello (1) State: HandshakeServerIdle (3) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
SSLAdvanceHandshake Enter> Processed: ClientHello (1) State: HandshakeServerIdle (3)
SSLAdvanceHandshake client_hello> SGC FLAG: 0   Count = 2
SSLAdvanceHandshake client_hello> Using resumed SSL/TLS Session
SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeServerHello
SSLEncodeServerHello> Sending empty renegotiation_info (0xff01) extension
SSLEncodeServerHello> Sending empty status_request (0x0005) extension
SSLEncodeServerHello> Sending supported point formats (0x000b) extension
SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeChangeCipherSpec
SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeFinishedMessage
SSLCalculateTLS12FinishedMessage Enter> senderID: server finished, PRF using SHA384
SSLAdvanceHandshake Exit> State HandshakeChangeCipherSpec (13)
SSL_Handshake> After handshake state = HandshakeChangeCipherSpec (13); Status = -5000
int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
SSLProcessProtocolMessage> Record Content: Change cipher spec (20)
SSL_Handshake> After handshake2 state HandshakeFinished (14)
int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
SSLProcessProtocolMessage> Record Content: Handshake (22)
SSLProcessHandshakeMessage Enter> Message: Finished (20) State: HandshakeFinished (14) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
SSLCalculateTLS12FinishedMessage Enter> senderID: client finished, PRF using SHA384
SSLProcessHandshakeMessage Exit> Message: Finished (20) State: HandshakeFinished (14) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
SSLAdvanceHandshake Enter> Processed: Finished (20) State: HandshakeFinished (14)
SSLAdvanceHandshake Exit> State HandshakeServerIdle (3)
SSL_Handshake> After handshake2 state HandshakeServerIdle (3)
SSL_Handshake> Using resumed SSL/TLS session
SSL_Handshake> Protocol Version TLS1.2 (0x303)
SSL_Handshake> Cipher = ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
SSL_Handshake> KeySize = 256 bits
SSL_Handshake> Original Elliptic Curve = NIST P-256 (23)
SSL_Handshake> Server RSA key size = 2048 bits
SSL_Handshake> SSLErr = 0
SSL_Handshake> TLS/SSL Handshake completed successfully
int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
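
An added example (not part of the original post and not Domino code): a small Python script that reads trace lines in the format shown above, lists the cipher suites the client offered, and flags those without forward secrecy or using RC4, 3DES or an MD5 MAC. The sample lines are a constructed subset of the trace, and the function names are assumptions of this example.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of lines in the format of the trace above.
SAMPLE_TRACE = """\
SSLProcessClientHello> Client requested TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF)
SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
SSLProcessClientHello> Best common cipherspec 0xC030 (so far)
SSLProcessClientHello> Client requested RSA_WITH_AES_256_GCM_SHA384 (0x009D)
SSLProcessClientHello> Client requested RSA_WITH_3DES_EDE_CBC_SHA (0x000A)
SSLProcessClientHello> Client requested ECDHE_RSA_WITH_RC4_128_SHA (0xC011)
SSLProcessClientHello> Client requested RSA_WITH_RC4_128_MD5 (0x0004)
SSLProcessClientHello> We selected cipher ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
"""

REQUESTED = re.compile(r"Client requested (\w+) \((0x[0-9A-Fa-f]{4})\)")
SELECTED = re.compile(r"We selected cipher (\w+) \((0x[0-9A-Fa-f]{4})\)")

def classify(name):
    """Return the weaknesses implied by a cipher suite name."""
    issues = []
    if not name.startswith(("ECDHE_", "DHE_")):
        issues.append("no forward secrecy")  # static RSA key exchange
    if "_RC4_" in name:
        issues.append("RC4")
    if "_3DES_" in name:
        issues.append("3DES")
    if name.endswith("_MD5"):
        issues.append("MD5 MAC")
    return issues

def audit_trace(text):
    """Return (offered suites -> issues, suite the server selected)."""
    offered, selected = OrderedDict(), None
    for line in text.splitlines():
        m = REQUESTED.search(line)
        # The SCSV entry is a signalling value, not a real cipher suite.
        if m and not m.group(1).endswith("_SCSV"):
            offered[m.group(1)] = classify(m.group(1))
        m = SELECTED.search(line)
        if m:
            selected = m.group(1)
    return offered, selected

if __name__ == "__main__":
    offered, selected = audit_trace(SAMPLE_TRACE)
    for suite, issues in offered.items():
        print(f"{suite:40} {', '.join(issues) or 'ok'}")
    print("selected:", selected, "->", classify(selected) or "ok")
```
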


