Is there a reasonable method of building SSL cipher usage statistics based on captured packets?
Let's say my web server supports a set of ciphers and I would like to find out how many clients negotiate each cipher suite.
tls, web-server
Best Answer
Yes. If you've got captured packets, simply extract the negotiated cipher from the Server Hello handshake packet:
The packet itself can be easily identified, and the selected cipher is in a set location within it, easy enough to parse. So capture the first few packets of all your SSL connections, extract the cipher chosen, and you've got what you're looking for.
The idea was interesting enough that I decided to try it. With a little hacking and slashing I was able to adapt a Python script to do it:
With that info, you can correlate the cipher suite IDs against the TLS Cipher Suite Registry from IANA:
Here's the code. It's a real strip-down of TLS Client Hello Tools so if you want to play with it, consider going back to there for a less drastic version (and bear in mind the original focuses on the Client Hello whereas we care about the Server Hello).
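A minimal version of that extraction, written here as an added example (it is not the script the answer refers to, nor the TLS Client Hello Tools code): it walks the ServerHello fields in order, pulls out the two-byte cipher suite ID, and tallies it against a hand-typed subset of the IANA registry. The sample records are constructed, and the registry table is deliberately tiny; unknown IDs are reported by hex value.

```python
import struct
from collections import Counter

# Small hand-typed subset of the IANA TLS Cipher Suite Registry (lookup for the example).
IANA_CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}

HANDSHAKE = 0x16       # TLS record content type
SERVER_HELLO = 0x02    # handshake message type

def server_hello_cipher(record: bytes):
    """Negotiated cipher suite ID from a TLS record holding a ServerHello, else None."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    # ServerHello: version(2) random(32) session_id_len(1) session_id(n) cipher_suite(2)
    if len(hs) < 35:
        return None
    sid_len = hs[34]
    off = 35 + sid_len
    if len(hs) < off + 2:
        return None          # truncated capture: do not guess
    return struct.unpack("!H", hs[off:off + 2])[0]

def build_server_hello(cipher_id: int, session_id: bytes = b"") -> bytes:
    """Constructed sample ServerHello record (TLS 1.2 wire format) for testing."""
    hs = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    hs += struct.pack("!H", cipher_id) + b"\x00"   # compression method: null
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(body)) + body

def cipher_stats(records):
    """Tally negotiated suites across captured records, keyed by IANA name."""
    counts = Counter()
    for rec in records:
        cid = server_hello_cipher(rec)
        if cid is not None:
            counts[IANA_CIPHER_SUITES.get(cid, f"UNKNOWN_0x{cid:04X}")] += 1
    return counts
```

Feed `cipher_stats` the first handshake record of each server-to-client stream and it returns the per-suite counts; the same field layout holds for a TLS 1.3 ServerHello, which is still sent in the clear.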