SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

TLS 1.3 handshake fails #203

Closed djinnsec closed 1 year ago

djinnsec commented 1 year ago

Describe the bug

Trying to load a certificate signed by DigiCert, which is only provided in TLS 1.3.

after updating the .env file like so:

VECTR_SSL_CRT=-----BEGIN CERTIFICATE-----\n
REDACTED
-----END CERTIFICATE-----\n
VECTR_SSL_KEY=-----BEGIN RSA PRIVATE KEY-----\n
REDACTED
-----END RSA PRIVATE KEY-----\n
RESET_SSL=true

we keep getting the following browser error:

Secure Connection Failed An error occurred during a connection to (DOMAIN REDACTED). SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

and when doing curl -v (DOMAIN REDACTED) we get:

* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* stopped the pause stream!
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Expected behavior

getting the log-in screen

Additional Information: we have tried to reconfigure server.xml as such:

<Connector port="8443"
                protocol="org.apache.coyote.http11.Http11AprProtocol"
                maxThreads="200"
                SSLEnabled="true"
                SSLCertificateFile="conf/ssl.crt"
                SSLCertificateKeyFile="conf/ssl.key"
                scheme="https"
                secure="true"
                clientAuth="false"
                sslProtocol="TLSv1+TLSv1.1+TLSv1.2+TLSv1.3"
                URIEncoding="UTF-8"/>

which did not help.

SRAPSpencer commented 1 year ago

We'll look into this when the team has availability.

In the meantime does the certificate work if you upload it via the UI?

https://docs.vectr.io/ssl/gui/

doodleincode commented 1 year ago

When using the .env SSL cert configuration option, your certs cannot have newline characters. It must all be on one line with newline characters escaped with a literal \n. For example, if my cert looks like this (truncated for brevity):

-----BEGIN CERTIFICATE-----
MIIGWTCCBEGgAwIBAgIUSZjaGrpRR6ZwTa4Hx9qaakJQrPMwDQYJKoZIhvcNAQEL
BQAwcTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlBBMRUwEwYDVQQHDAxQaGlsYWRl
[...]
-----END CERTIFICATE-----

Then in the .env file, it should look like this:

VECTR_SSL_CRT=-----BEGIN CERTIFICATE-----\nMIIGWTCCBEGgAwIBAgIUSZjaGrpRR6ZwTa4Hx9qaakJQrPMwDQYJKoZIhvcNAQEL\nBQAwcTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlBBMRUwEwYDVQQHDAxQaGlsYWRl\n[...]\n-----END CERTIFICATE-----

The same applies for the key.

For context, an SSL certificate is not bound to any TLS version. TLS version comes into play during TLS negotiation between the client and the server. This is explaining it very simplistically, but an SSL cert is just there to provide the initial secure connection during the TLS handshake in order to exchange the session key.
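
To produce that single-line form without hand-editing, here is an added shell example (my own code, not VECTR's and not part of the original thread). It assumes the .env loader accepts exactly the literal backslash-n convention described above, uses a constructed, non-functional PEM body in place of a real DigiCert certificate, and also shows the reverse transformation so the value can be checked for a byte-for-byte round trip before it is pasted into .env. The function names pem_to_env, env_to_pem, write_env, roundtrip_ok and lint_env_line are my own.

```shell
# Constructed sample PEM (not a real certificate; the base64 is truncated and
# deliberately invalid). Written to a temp file so the functions below read it
# exactly as they would read a real cert or key file.
SAMPLE_PEM=$(mktemp)
cat > "$SAMPLE_PEM" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIGWTCCBEGgAwIBAgIUSZjaGrpRR6ZwTa4Hx9qaakJQrPMwDQYJKoZIhvcNAQEL
BQAwcTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlBBMRUwEwYDVQQHDAxQaGlsYWRl
-----END CERTIFICATE-----
EOF

# pem_to_env FILE: join every line of FILE with a literal backslash-n and no
# trailing newline, which is the single-line value the .env file expects.
pem_to_env() {
    awk 'BEGIN { ORS = "" } NR > 1 { print "\\n" } { print $0 }' "$1"
}

# env_to_pem VALUE: undo the transformation so the result can be compared with
# the original file. printf %b turns each literal \n back into a newline; a PEM
# body contains no other backslashes, so nothing else is reinterpreted.
env_to_pem() {
    printf '%b\n' "$1"
}

# write_env CRT_FILE KEY_FILE: print the three .env lines from the issue, with
# cert and key already escaped onto one line each.
write_env() {
    printf 'VECTR_SSL_CRT=%s\n' "$(pem_to_env "$1")"
    printf 'VECTR_SSL_KEY=%s\n' "$(pem_to_env "$2")"
    printf 'RESET_SSL=true\n'
}

# roundtrip_ok FILE: succeeds (exit 0) when escaping and then unescaping FILE
# reproduces its content, i.e. the .env value carries the whole PEM block.
roundtrip_ok() {
    [ "$(env_to_pem "$(pem_to_env "$1")")" = "$(cat "$1")" ]
}

# lint_env_line LINE: succeeds when a VECTR_SSL_* assignment holds a complete
# PEM block on that one line (starts with a BEGIN marker and ends with the
# matching END marker). A value split by raw newlines, as in the original
# report, only contains the BEGIN marker and therefore fails this check.
lint_env_line() {
    case "$1" in
        "VECTR_SSL_CRT=-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----") return 0 ;;
        "VECTR_SSL_KEY=-----BEGIN "*"PRIVATE KEY-----"*"-----END "*"PRIVATE KEY-----") return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone usage: emit the .env lines for the sample, using the same file
# as both cert and key only because this is a demonstration.
write_env "$SAMPLE_PEM" "$SAMPLE_PEM"
```

Redirect the output of write_env into the real .env (or paste the two VECTR_SSL_* lines in), then run lint_env_line on each of those lines before restarting the containers; a line that fails the lint is the symptom that produced the multi-line value in the report above.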

djinnsec commented 1 year ago

Thank you, I have gotten the GUI one working. Will validate @doodleincode; I expect it was indeed more of a layer 8 problem :) Thanks again!