-
Notifications
You must be signed in to change notification settings - Fork 310
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature/portable suites #302
Conversation
Merge master into fork
Merge back into master
Sync master
CI is busted but seems that's being worked on. @zakird you may want to take a look at this PR- now that the change in zcrypto has been merged, this is really a very minor change but it can have a really nice benefit at scale |
@mzpqnxow Thanks for your work on this topic. FYI I tried to include this PR into my fork, but I got the following error when I tried to build my fork. I get the same error when I try to build the feature/portable-suites branch of your fork. It's probably due to a mistake on my part, but I thought I'd mention it:
|
Interesting.. I don't know too much about the go build system, it's possible it has a zcrypto master locally that's not up to date. If that's the case, using If that doesn't help, the following should work- this just clones the zcrypto master and then points your local fork at it. The
Hope that's helpful. I did confirm that the zcrypto master branch does have the PR merged- https://github.com/zmap/zcrypto/blob/master/tls/cipher_suites.go#L1122 So it must be using an older branch/tag. One other thing you can do is take a look at the EDIT, @engn33r I forgot to tag you, not sure if you would see this otherwise. Also I mixed up what you were trying to do so I updated my comment... |
@mzpqnxow the issue was on my end, and right where you suggested it would be. I too observed a noticeable improvement in HTTPS responses after using the portable cipher suite. No issues with this PR! The issue I had was that the dependencies in the
A couple unrelated additional comments that may also (or may not) help with increasing successful handshakes:
|
What does the log say for the causes? Handshake errors, TCP failures, ...? |
I'll bump |
Done in 4e04784 |
To wrap up the last item here, the issue I experienced with inconsistent results was due to my DNS config, not that of any ZGrab2 code. A tip for any future readers encountering DNS resolution issues is to try using different DNS providers (Google, Quad9, etc.). Cloudflare was quicker to throttle my DNS requests than others and my results are much better after switching to 8.8.8.8. I also switched to dnsmasq, which appears to work better than what I had before, but I expect that I'm only scratching the surface of DNS improvements here. |
This makes use of the PortableCiphers that was just merged into zcrypto
The original issue for this on the zgrab2 side is #285
Usage is
zgrab2 http --cipher-suite portable ...
I tested it against a large swath of HTTPS services and got a 1.5% increase in successful handshakes. I didn't see any evidence of problems