Allow selection of TLS ciphers and options (+ show debugging info in console)

[shamasis]

Currently, Postman App does not show helpful debugging information regarding SSL /TLS protocol configuration / state during request and response. As such, it is difficult to distinguish between Postman issues vs handshake issues. Additionally, the TLS configurations and ciphers are not tweakable and as such, results in some specific requests to fail or negotiate an unexpected TLS version.

1. Add additional configurations in protocolProfileBehaviour to control TLS
2. Show TLS debug information in console (or somewhere else.)

[sam-github]

the TLS configurations and ciphers are not tweakable

ciphers are configurable by CLI or programmatically:

• https://nodejs.org/api/cli.html#cli_tls_cipher_list_list
• ciphers option of https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options

What specific configurability are you looking for?

Show TLS debug information in console

Is nodejs/node@5b55c60 what you are looking for? If so, I'll try to get something like it into node. Not sure if direct printf is OK, or whether a programmatic API that just callbacks the SSL_trace output to JS, and lets the user do with them what they will is the way to go. Do you have opinions?

[MauriceS]

The commit to nodejs/node might have caused issues with Newman postmanlabs/newman#1991

[garyng]

Is this feature live?

[shamasis]

@garyng not yet. We ran into some hiccups with NodeJS and also some UI aspects around incorporating these settings.

[slaman75]

I still don't understand how this is an issue:

This is the default cipher list used by NodeJS (https://nodejs.org/api/tls.html#tls_modifying_the_default_tls_cipher_suite)

When support all of these... but when we turn off SSLv3 support, POSTMAN can't establish a handshake. Are you SURE that Postman is using the default NodeJS ciphers for TLS?

TLS_AES_256_GCM_SHA384:
TLS_CHACHA20_POLY1305_SHA256:
TLS_AES_128_GCM_SHA256:
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:
ECDHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA256:
ECDHE-RSA-AES256-SHA384:
DHE-RSA-AES256-SHA384:
ECDHE-RSA-AES256-SHA256:
DHE-RSA-AES256-SHA256:
HIGH:
!aNULL:
!eNULL:
!EXPORT:
!DES:
!RC4:
!MD5:
!PSK:
!SRP:
!CAMELLIA

[codenirvana]

We've added support for Request Level Configurations in the latest version of the Postman App which allows to:

• Specify the order of cipher suites
• Specify the SSL and TLS protocol versions to be disabled during the handshake
• Use the server's cipher suite order instead of the client's during the handshake

We'll be adding support for the folder and collection-level configurations soon!

Also, all the low-level TLS information is accessible in the Postman Console (Postman v7.10).

[nils-work]

Hi @codenirvana
Postman v7.30.1 (Windows) doesn't seem to show the TLS detail as you highlighted in your screenshot, was it removed or not available in Windows?

[codenirvana]

@nils-work are you requesting an HTTPS API? can you share the screenshot of your Postman Console (hide sensitive details)?

[nils-work]

Hi @codenirvana

Hope this is enough? -

I also don't have the globe icon shown on this page, but understand that may be an older version? -
https://learning.postman.com/docs/sending-requests/certificates/

I'm interested in seeing and ideally being able to test the cipher being used with a request if possible.

Thanks

[codenirvana]

@nils-work I see you are behind a proxy and that's why Postman doesn't have all the information about the final request sent.

[nils-work]

Thanks @codenirvana
When not behind a proxy, is the information that's logged to the console (the Network detail including ciphers and TLS version) available for use in a test script at all? (it doesn't seem to be available in pm.request/pm.response)

[codenirvana]

@nils-work Network details are not available in the test script at the moment.