1994-12-20 - SSL server experiment

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: f0cd7ffe757e054ef0fa9022ded41a69448dcc81d7b86f69e7fb140d365789b0
Message ID: <199412200623.WAA11611@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1994-12-20 06:25:03 UTC
Raw Date: Mon, 19 Dec 94 22:25:03 PST

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Mon, 19 Dec 94 22:25:03 PST
To: cypherpunks@toad.com
Subject: SSL server experiment
Message-ID: <199412200623.WAA11611@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


Here is a perl script which connects to a netscape-style "https" server.
The results of running it with "https.pl home1.mcom.com 443" is:

Attempting connection to 198.93.93.10
Connected
Sent message, length 40
Received length = 502
Message type = 4
Session ID Hit flag = 0
Certificate type = 1
Server version = 2
Certificate length = 472
Cipher specs length = 3
Conn ID length = 16
Supported ciphers:
        RC4_EXPORT40, 128 bits

This way you can see which of the 5 cipher options (RC4 or RC2 in full
and export versions, plus IDEA) are supported by any given server.  You
always use port 443 and just specify the machine name.  I was a
little surprised that Netscape's own server is only running the 40 bit
version.  I hope the export restrictions will not prevent the use of
full strength ciphers.

Here is the script, which I call https.pl:

#!/usr/local/bin/perl
# Perl script to test connection to http ssl port
# Usage: https machine port

# Standard internet stuff
$AF_INET = 2;
$SOCK_STREAM = 1;
($name, $aliases, $proto) = getprotobyname('tcp');
$sockaddr = 'S n a4 x8';

# Parse
if (@ARGV == 2) {
    ($them, $port) = @ARGV;
} else {
    die "Usage: $0 machine port\n";
}

select (S); $| = 1; select (STDOUT);
socket (S, $AF_INET, $SOCK_STREAM, $proto) || die "socket: $!";

($name, $aliases, $type, $len, $thataddr) = gethostbyname($them);
$that = pack ($sockaddr, $AF_INET, $port, $thataddr);
@thataddr = unpack('C4', $thataddr);
$thataddr = join('.', @thataddr);
print "Attempting connection to $thataddr\n";
die $! unless connect (S, $that);
print "Connected\n";

$cli_hello = 1;
$vers = 2;

$msg = pack ("C n4", $cli_hello, $vers, 5*3, 0, 16);
$challenge = pack ("d2", rand, rand);	#16 bytes
$cspecs = pack ("Cn"x5, 1, 128, 2, 128, 3, 128, 4, 128, 5, 128);
$len = 1+8+5*3+0+16 + 32768;

$h = pack("n", $len);
$totmsg = pack("a2 a9 a15 a16", $h, $msg, $cspecs, $challenge);
print S $totmsg;
print "Sent message, length ", $len-32768, "\n";

# Now for the interesting part

read (S, $phd, 2);
($slen) = unpack ("n", $phd);

print "Received length = ", $slen-32768, "\n";

read (S, $pm1, 11);
($smsg, $ssess, $scert, $sver, $sclen, $scspeclen, $scidlen) =
	unpack ("C3 n4", $pm1);

print "Message type = $smsg\n";
print "Session ID Hit flag = $ssess\n";
print "Certificate type = $scert\n";
print "Server version = $sver\n";
print "Certificate length = $sclen\n";
print "Cipher specs length = $scspeclen\n";
print "Conn ID length = $scidlen\n";

if ($sclen) {
	read (S, $scert, $sclen);
}

read (S, $pspecs, $scspeclen);

$nscspecs = $scspeclen / 3;
@scspecs = unpack ("Cn" x $nscspecs, $pspecs);

@ciphernames = ( "(undefined)", "RC4", "RC4_EXPORT40", "RC2",
		"RC2_EXPORT40", "IDEA" );

print "Supported ciphers:\n";
for ($i=0; $i<$nscspecs; ++$i) {
	printf ("\t%s, %d bits\n", @ciphernames[@scspecs[2*$i]],
			@scspecs[2*$i+1]);
}

read (S, $scid, $scidlen);

close S;

exit 0;





Thread