Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#870 closed enhancement (fixed)

Add variable containing list of client-supported cipher suites

Reported by: Andrew Sun
Owned by:
Priority: minor
Milestone:
Component: nginx-module
Version: 1.9.x
Keywords: ssl
Cc:
uname -a: Linux [redacted Docker container ID] 4.2.5-1-ARCH #1 SMP PREEMPT Tue Oct 27 08:13:28 CET 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.9.9
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04)
built with OpenSSL 1.0.2e 3 Dec 2015
TLS SNI support enabled
configure arguments: --add-module=../ngx_pagespeed-release-1.10.33.1-beta --add-module=../ngx_cache_purge-2.3 --add-module=../headers-more-nginx-module-0.28 --add-module=../nginx-module-vts --add-module=../replace-filter-nginx-module-0.01rc5 --with-pcre-jit --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-ipv6 --with-http_stub_status_module --with-http_gzip_static_module --with-http_v2_module --with-openssl=../openssl-1.0.2e --with-cc-opt='-O3 -march=native' --with-ld-opt='-Wl,-rpath,/usr/local/lib -lrt'

Description

When a browser makes a TLS connection, the ClientHello contains the list of cipher suites the browser supports.

I would like to access this list of cipher suites from a variable, similar to the existing ssl_cipher variable, but containing the entire list of ciphers.

Change History (5)

comment:1 by Maxim Dounin, 4 years ago

Status: new → accepted

comment:2 by Neil Craig, 4 years ago

I'd like to add a +1 to this :-)

comment:3 by Maxim Dounin <mdounin@…>, 3 years ago

In 6816:ea93c7d8752a/nginx:

SSL: $ssl_ciphers (ticket #870).

The variable contains the list of ciphers as supported by the client.
Known ciphers are listed by their names, unknown ones are shown
in hex, e.g., "AES128-SHA:AES256-SHA:0x00ff".

The variable is fully supported only when using OpenSSL 1.0.2 and above.
With older versions there is an attempt to provide some information
using SSL_get_shared_ciphers(). It only lists known ciphers though.
Moreover, OpenSSL uses session data for SSL_get_shared_ciphers(),
and it doesn't store the relevant data when serializing a session. As
a result, $ssl_ciphers is only available for new sessions (and not
available for reused ones) when using OpenSSL older than 1.0.2.
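The ClientHello list the ticket description refers to, and the name-or-hex rendering the commit message specifies, as an added Python example that is not nginx's own code: a constructed TLS 1.2 ClientHello record is parsed for its cipher_suites field and rendered the way $ssl_ciphers does. The OpenSSL name table is a small subset built for this example (nginx relies on OpenSSL's full table), and the set of legacy suites flagged by legacy_offered() is an assumption chosen for illustration.

```python
import struct

# Subset of OpenSSL cipher names keyed by two-byte TLS cipher suite id.
# Constructed for this example; nginx uses OpenSSL's own name lookup.
OPENSSL_NAMES = {
    0x0004: "RC4-MD5",
    0x0005: "RC4-SHA",
    0x000A: "DES-CBC3-SHA",
    0x002F: "AES128-SHA",
    0x0035: "AES256-SHA",
    0x009C: "AES128-GCM-SHA256",
    0x009D: "AES256-GCM-SHA384",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}

# Assumed set of legacy suites worth flagging when a client still offers them.
LEGACY_SUITES = {0x0004, 0x0005, 0x000A}


def build_client_hello(suites):
    """Construct a minimal TLS 1.2 ClientHello record offering the given suite ids."""
    body = b"\x03\x03"                                  # client_version: TLS 1.2
    body += b"\x11" * 32                                # random (constant, test only)
    body += b"\x00"                                     # session_id length 0
    body += struct.pack("!H", 2 * len(suites))          # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # compression_methods: null
    body += b"\x00\x00"                                 # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_suites(record):
    """Return the cipher suite ids offered in a TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                        # skip version and random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                                # skip session_id
    if pos + 2 > len(body):
        raise ValueError("missing cipher_suites length")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(pos, pos + cs_len, 2)]


def format_ciphers(suites):
    """Render as $ssl_ciphers does: known suites by name, unknown ones as hex."""
    return ":".join(OPENSSL_NAMES.get(s, f"0x{s:04x}") for s in suites)


def legacy_offered(suites):
    """Names of legacy suites the client offered, for review of logged values."""
    return [OPENSSL_NAMES[s] for s in suites if s in LEGACY_SUITES]


if __name__ == "__main__":
    # Constructed client offering two AES suites plus the renegotiation SCSV
    # (0x00ff), which OpenSSL has no cipher name for and so renders in hex.
    record = build_client_hello([0x002F, 0x0035, 0x00FF])
    offered = parse_client_hello_suites(record)
    print(format_ciphers(offered))
    print(legacy_offered(offered))
```

In a deployment the same string is what nginx exposes; adding $ssl_ciphers to a log_format is enough to review, after the fact, which clients still offer legacy suites before tightening ssl_ciphers on the server side.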

comment:4 by Maxim Dounin, 3 years ago

Resolution: fixed
Status: accepted → closed

comment:5 by Andrey Zelenkov <zelenkov@…>, 3 years ago

In 1093:2b0ef67ab032/nginx-tests:

Tests: added test for $ssl_ciphers variable (ticket #870).
