
I am trying to get the list of cipher suites offered by my clients when visiting my PHP web page.

I tried checking $_SERVER['SSL_CLIENT_CERT'] or $_SERVER['SSL_CLIENT_CERT_CHAIN_0'], but I am getting the following error:

Warning: Undefined array key "SSL_CLIENT_CERT" ..

My web server is Apache (XAMPP). It seems that the superglobal variable $_SERVER is not populated with this information. Any idea how I can get it?

Note: $_SERVER['HTTPS'] is 'on'

MKSOI
  • Do you mean [openssl_get_cipher_methods()](https://www.php.net/manual/en/function.openssl-get-cipher-methods.php)? – KIKO Software Jan 20 '23 at 11:58
  • This will show all methods, not just the ones offered by my client – MKSOI Jan 20 '23 at 12:01
  • No, it will not show all methods, it will show only those methods available to PHP on your client. – KIKO Software Jan 20 '23 at 12:02
  • I get it now, you want to know which methods are supported by the browser of your visitors. – KIKO Software Jan 20 '23 at 12:59
  • Yes, exactly. As you know, naming the client as A and the server as B, during the SSL handshake, A offers a list of its supported cipher suites (name it LSCS), then B picks from the list according to its own preferences. I need to know this LSCS. – MKSOI Jan 20 '23 at 13:13

1 Answer

1

To obtain a list of available cipher methods for your server, use the function openssl_get_cipher_methods(). This, however, will not provide you with a list of the cipher suites supported by the client during a specific connection.

To determine the cipher used by the client, inspect the SSL/TLS handshake. Connect to a web server using the command openssl s_client -connect hostname:port to view the details of the handshake, including the negotiated cipher suite, or use mod_ssl or another Apache module to log the SSL/TLS information in the logs, which will include the negotiated cipher.

$_SERVER is a superglobal variable and it is populated based on the configuration of the web server.

warfish
  • Thanks warfish. I have no clue how to do so. If a client is visiting my PHP web page, how can I get the list of cipher suites initially offered by the client? – MKSOI Jan 20 '23 at 13:16
  • It seems that the PHP code in the page is executed after the connection is established. It is OK for me to have the connection established before I check the client-offered cipher suites. Nevertheless, I cannot check after the connection is established, nor do I know how to intercept the SSL handshake procedure to log it. – MKSOI Jan 20 '23 at 13:18
  • @MKSOI Use the Apache mod_ssl module with the "SSLInsecureRenegotiation" and "SSLLogLevel" directives enabled in your Apache config file. To enable logs of the SSL handshake, set "SSLLogLevel" to "info" or "debug". The "SSLInsecureRenegotiation" setting should be disabled. You can also dig in to get the client certificate from the SSL_CLIENT_CERT header, and you can try playing with the PHP function openssl_x509_parse() after all. – warfish Jan 21 '23 at 02:01
  • Thank you for your reply, but I think I need more help. I need to do that programmatically, using PHP for instance. I have no deep background in administering Apache; however, I assume that enabling these options is doable from the config file. But I need to do that programmatically. For instance, the web page that the client has visited should echo the SSL cipher suite options that he/she offered during the handshake. – MKSOI Jan 21 '23 at 12:36
  • @MKSOI Well, the best way is web server logs; PHP code is executed after the SSL/TLS handshake. One method is to use the function openssl_get_client_ciphers(), which returns the list of ciphers that the client supports; but this method requires the client certificate and is not the same. Maybe also try to use a lib such as SSLyze in Python; it analyzes a server's SSL/TLS configuration by connecting to it and performing various checks. PHP can be used to call this library and obtain the result. Good luck bro :) – warfish Jan 21 '23 at 17:23
  • Then I need to read more about it. Thanks @warfish – MKSOI Jan 23 '23 at 14:18
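
The list the question calls LSCS is carried in the TLS ClientHello, the first handshake message the client sends. The following is an added example, not code from any of the posts above: it parses a ClientHello record and returns the offered cipher suite code points. It assumes the raw bytes were obtained outside PHP (for example from a packet capture); the function names, the short name table and the sample record are constructed for illustration.

```python
import struct

# Short name table for readability (constructed subset); others print as hex.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

def is_grease(code):
    # RFC 8701 placeholder values (0x0A0A, 0x1A1A, ... 0xFAFA) are not real suites.
    return (code & 0x0F0F) == 0x0A0A and (code >> 8) == (code & 0xFF)

def offered_cipher_suites(record):
    """Return the cipher suite code points, in client order, from one TLS record."""
    try:
        ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
        if ctype != 0x16:
            raise ValueError("not a TLS handshake record")
        body = record[5:5 + rec_len]
        if body[0] != 0x01:
            raise ValueError("handshake message is not a ClientHello")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            raise ValueError("ClientHello is truncated or split across records")
        pos = 2 + 32                      # skip client_version and random
        pos += 1 + hello[pos]             # skip session_id (1-byte length prefix)
        (cs_len,) = struct.unpack_from("!H", hello, pos)
        pos += 2
        if cs_len % 2 or pos + cs_len > len(hello):
            raise ValueError("bad cipher_suites length")
        return [c for (c,) in struct.iter_unpack("!H", hello[pos:pos + cs_len])]
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc

def describe(record):
    """Names (or hex) of the offered suites, with GREASE placeholders dropped."""
    return [SUITE_NAMES.get(c, f"0x{c:04X}")
            for c in offered_cipher_suites(record) if not is_grease(c)]

def build_sample_client_hello(suites):
    # Constructed test input: minimal ClientHello with no session id or extensions.
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00" + b"\x00\x00")   # null compression, empty extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(describe(build_sample_client_hello([0x0A0A, 0x1301, 0xC02F, 0x1234])))
```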