Examples of the information collected from SSL handshakes
July 09, 2009
I've received an email or two asking me about the information I collected using mod_sslhaf, so I decided to make it available for everyone. Here it is:
The file contains a list of unique user agents seen on SSL Labs, each with information on the handshake they used and the protocols and cipher suites they offered to use. For example:
```text
Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 \
(KHTML, like Gecko) Version/3.1.1 Mobile/5H11 Safari/525.20
Handshake: h3
Protocol: 03.01
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_RC4_128_SHA (0x05)
TLS_RSA_WITH_RC4_128_MD5 (0x04)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x0a)
TLS_RSA_WITH_DES_CBC_SHA (0x09)
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x03)
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x08)
TLS_RSA_WITH_NULL_MD5 (0x01)
```
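To make the records usable for analysis, here is a small parser for the layout shown above. This is an added example, not part of the post and not code from mod_sslhaf: the record layout (User-Agent lines continued with a trailing backslash, then `Handshake:`, `Protocol:` and one `NAME (0xID)` suite per line, records separated by blank lines) is assumed from the sample, the meaning of the `h3` handshake code is not interpreted, and the `protocol_name` mapping of `03.01` to TLS 1.0 is the standard SSL/TLS version encoding rather than anything the post states. The sample input embedded below is the record quoted in the post.

```python
"""Parser for client records in the layout shown in the post (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Layout assumed from the post's sample; mod_sslhaf's actual file may differ in details.
SUITE_RE = re.compile(r"^(?P<name>[A-Z0-9_]+)\s+\((?P<id>0x[0-9a-fA-F]+)\)\s*$")

# Constructed sample input: the record quoted in the post.
SAMPLE_RECORD = """\
Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 \\
(KHTML, like Gecko) Version/3.1.1 Mobile/5H11 Safari/525.20
Handshake: h3
Protocol: 03.01
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_RC4_128_SHA (0x05)
TLS_RSA_WITH_RC4_128_MD5 (0x04)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x0a)
TLS_RSA_WITH_DES_CBC_SHA (0x09)
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x03)
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x08)
TLS_RSA_WITH_NULL_MD5 (0x01)
"""


@dataclass
class ClientRecord:
    user_agent: str
    handshake: str = ""        # handshake code as written in the record, e.g. "h3"
    protocol: str = ""         # version as written, e.g. "03.01"
    suites: List[Tuple[str, int]] = field(default_factory=list)  # (name, id) in offered order


def _join_continuations(lines):
    """Merge a line ending in a backslash with the line that follows it."""
    out, pending = [], None
    for line in lines:
        if pending is not None:
            line = pending + " " + line.strip()
            pending = None
        if line.rstrip().endswith("\\"):
            pending = line.rstrip()[:-1].rstrip()
            continue
        out.append(line)
    if pending is not None:
        out.append(pending)
    return out


def parse_record(text):
    """Parse one record: first line is the User-Agent, the rest are fields and suites."""
    lines = [l for l in _join_continuations(text.splitlines()) if l.strip()]
    if not lines:
        raise ValueError("empty record")
    rec = ClientRecord(user_agent=lines[0].strip())
    for line in lines[1:]:
        line = line.strip()
        if line.startswith("Handshake:"):
            rec.handshake = line.split(":", 1)[1].strip()
        elif line.startswith("Protocol:"):
            rec.protocol = line.split(":", 1)[1].strip()
        else:
            m = SUITE_RE.match(line)
            if not m:
                raise ValueError("unrecognised line: %r" % line)
            rec.suites.append((m.group("name"), int(m.group("id"), 16)))
    return rec


def parse_records(text):
    """Assumption: a file holds several records separated by blank lines."""
    chunks = re.split(r"\n\s*\n", text.strip())
    return [parse_record(c) for c in chunks if c.strip()]


def protocol_name(version):
    """Map the major.minor version string to the usual protocol name."""
    major, minor = (int(p) for p in version.split("."))
    names = {(2, 0): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
             (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
    return names.get((major, minor), "unknown (%d.%d)" % (major, minor))


# Suites that offer no or negligible confidentiality: export-grade, NULL and single DES.
WEAK_MARKERS = ("_EXPORT_", "_NULL_", "_DES_CBC_")


def weak_suites(rec):
    """Return the offered suites that a server should never select, in offered order."""
    return [(n, i) for n, i in rec.suites if any(mk in n for mk in WEAK_MARKERS)]


if __name__ == "__main__":
    r = parse_record(SAMPLE_RECORD)
    print(r.user_agent)
    print(r.handshake, protocol_name(r.protocol), len(r.suites), "suites offered")
    for name, sid in weak_suites(r):
        print("  weak: %s (0x%02x)" % (name, sid))
```

The parser keeps the suites in the order the client offered them, which is the part of the handshake that tells you most about a client's preferences; `weak_suites` flags what the client would accept if a misconfigured server chose it, which is the server-side risk this kind of survey data helps quantify.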
The information gives insight into how SSL is used in real life, but it's not reliable enough to support any conclusions about individual clients. There are several problems I need to solve:
- Parse User-Agent fields to group related clients.
- Record request IP addresses in order to be able to verify the search engine clients are who they say they are.
- Record request IP addresses to use them as a mechanism to determine forged User-Agent fields.
- Deploy mod_sslhaf to multiple high-traffic sensors, in order to further minimise the possibility of using forged User-Agent fields.
Update (10 July): Now with no unknown cipher suites in the output.