fix curves findings in TLS1.2 and prior versions#2620
Hi @odinmylord, Thanks for reporting this and for providing a PR. I was able to reproduce the issue. I thought that the supported_groups extension was only about key exchange, but RFC 8422 does seem to indicate that it is also about the server's certificate. I think it hadn't been noticed before since server's that have ECC certificates tend to also have RSA certificates, in which case the connection is still successful using the RSA certificate. I haven't had a chance to test your PR, but I have a couple of comments. I believe that the change you made for testing with OpenSSL also needs to be made for testing with I am concerned that this change will not work with all servers. When doing testing of #2617 I noticed that most servers selected signature algorithms based on their own preference order rather than the client's specified preference order. When I tested your proposed fix against an OpenSSL server (i.e., So, while I don't know of a server to test against that ignores the client's preference order for supported_groups, my guess is that a slightly more complicated solution is needed -- run the tests as they are currently done, and then when that is done run the tests as you propose. This would add more lines of code, but would only result in one additional test. In most cases the second set of tests could be skipped. If "RSA" appears in |
|
Hi @dcooper16, I fixed the code as you proposed and tested it both with system openssl and sockets.
dcooper16
left a comment
Hi @odinmylord,
Sorry it took me so long to look at this code. I haven't had a chance to try running the code, but I read through it and have just a few minor comments. When I get some more time, I'll try testing it out.
testssl.sh
```bash
# Versions of TLS prior to 1.3 close the connection if the client does not support the curve
# used in the certificate. The easiest solution is to move the curves to the end of the list
# instead of removing them from the ClientHello. This is only needed if there is no RSA certificate.
if ((! "$HAS_TLS13" || [[ "$proto" == "-no_tls1_3" ]]) && [[ ! "$ecdhe_cipher_list" == *RSA* ]]) || break; then
```
This comment was marked as resolved.
dcooper16
left a comment
Hi @odinmylord,
Thanks for making the changes. The revised PR looks good to me. I made suggestions for minor changes to a couple of lines of code, to make them more efficient, but I think the PR is acceptable as is.
Describe your changes
If a server uses a certificate with secp256r1 as its private key, testssl.sh only finds "secp256r1" while the server also offers secp384r1 and secp521r1. This is caused by TLS versions prior to 1.3 closing the connection with the error "no shared cipher" if the client does not send the curve used in the certificate in the supported_groups extension.
The easiest solution (which is the one implemented here) is to move the curves found to the end of the supported_groups extension instead of removing them. Once testssl.sh finds the same curve a second time it moves forward, meaning that only an additional handshake is performed. An alternative would be to first find the private key of the certificate and, if a curve is used, add that curve as the last one instead of removing it from the ClientHello.
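The following is an added model (not testssl.sh code) of the three probing strategies discussed in this thread: the original removal loop, the move-to-end loop from this PR, and the "removal pass first, then move-to-end" combination suggested in review. The server model, curve lists and function names are constructed for the illustration; the server fails the handshake whenever its ECDSA certificate's curve is missing from supported_groups, and can optionally use its own preference order.

```python
# Added example: models the curve-probing loop from this PR against a
# pre-TLS-1.3 server with an ECDSA certificate. Everything here is constructed.
ALL_CURVES = ["secp256r1", "secp384r1", "secp521r1", "x25519", "x448"]
SERVER_CURVES = ["secp256r1", "secp384r1", "secp521r1"]  # constructed sample server

def tls12_server(offered, cert_curve="secp256r1", server_pref=False):
    """Negotiate one ECDHE group, or return None ("no shared cipher").
    Pre-1.3 servers need the certificate's curve in supported_groups
    (RFC 8422); otherwise the ECDSA certificate cannot be used."""
    if cert_curve is not None and cert_curve not in offered:
        return None
    first, second = (SERVER_CURVES, offered) if server_pref else (offered, SERVER_CURVES)
    return next((c for c in first if c in second), None)

def probe_remove(server, offered):
    """Original loop: drop each negotiated curve from the ClientHello."""
    found, offered = [], list(offered)
    while offered:
        c = server(offered)
        if c is None:
            break
        found.append(c)
        offered.remove(c)
    return found

def probe_move_to_end(server, offered, known=()):
    """This PR's loop: move the negotiated curve to the end of the list and
    stop as soon as a curve is negotiated a second time."""
    found, offered = list(known), list(offered)
    while True:
        c = server(offered)
        if c is None or c in found:
            break
        found.append(c)
        offered.remove(c)
        offered.append(c)
    return found

def probe_combined(server, offered):
    """Reviewer's suggestion: removal pass first (works for servers using
    their own preference order), then move-to-end over what is left."""
    found = probe_remove(server, offered)
    rest = [c for c in offered if c not in found] + found
    return probe_move_to_end(server, rest, known=found)

if __name__ == "__main__":
    print("remove     :", probe_remove(tls12_server, ALL_CURVES))       # ['secp256r1']
    print("move-to-end:", probe_move_to_end(tls12_server, ALL_CURVES))  # all three
    print("combined   :", probe_combined(tls12_server, ALL_CURVES))     # all three
```

Against a server that applies its own preference order and has only an ECDSA certificate, every strategy stops after the certificate's curve, which is the limitation the review discussion points at.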