dongbeiouba
commented
2 years ago If server support both TLS 1.2 and TLCP, it depends on the client.
Client can initiate a connection with TLS 1.2 or TLCP, probably determined by configuration or user.
Open vk2705 opened 2 years ago
dongbeiouba
commented
2 years ago If server support both TLS 1.2 and TLCP, it depends on the client.
Client can initiate a connection with TLS 1.2 or TLCP, probably determined by configuration or user.
vk2705
commented
2 years ago Thank you for your reply! the requirement by our customer is that if the client browser sends TLS 1.2 ClientHello, our server should reply with GmSSL ServerHello (if client has indicated support of gmSSL by suggested ciphers) ... so I am going to edit the function that does MSG_PEEK of 3 bytes and make it read client ciphers. I just wonder if there is a more civilized way to achieve the desired result ...
On Mon, Jan 24, 2022 at 3:54 AM K1 @.***> wrote:
If server support both TLS 1.2 and TLCP, it depends on the client.
Client can initiate a connection with TLS 1.2 or TLCP, probably determined by configuration or user.
— Reply to this email directly, view it on GitHub https://github.com/BabaSSL/BabaSSL/issues/148#issuecomment-1019640188, or unsubscribe https://github.com/notifications/unsubscribe-auth/AGCDLSLIFSRDU2BMNG5QYOLUXSWMZANCNFSM5MSRFQ4A . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
You are receiving this because you authored the thread.Message ID: @.***>
vk2705
commented
2 years ago i mean, to edit this: int SSL_connection_is_ntls(SSL *s, int is_server)
On Mon, Jan 24, 2022 at 8:01 AM Vitaly @.***> wrote:
Thank you for your reply! the requirement by our customer is that if the client browser sends TLS 1.2 ClientHello, our server should reply with GmSSL ServerHello (if client has indicated support of gmSSL by suggested ciphers) ... so I am going to edit the function that does MSG_PEEK of 3 bytes and make it read client ciphers. I just wonder if there is a more civilized way to achieve the desired result ...
On Mon, Jan 24, 2022 at 3:54 AM K1 @.***> wrote:
If server support both TLS 1.2 and TLCP, it depends on the client.
Client can initiate a connection with TLS 1.2 or TLCP, probably determined by configuration or user.
— Reply to this email directly, view it on GitHub https://github.com/BabaSSL/BabaSSL/issues/148#issuecomment-1019640188, or unsubscribe https://github.com/notifications/unsubscribe-auth/AGCDLSLIFSRDU2BMNG5QYOLUXSWMZANCNFSM5MSRFQ4A . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
You are receiving this because you authored the thread.Message ID: @.***>
sdhzdmzzl
commented
2 years ago 360安全浏览器会在tls1.2的clienthello的ciphersuite里加上0xe013和0xe053这两个密码套件,告诉服务器客户端支持国密,然后国密服务器返回正常的国密协议(将协议版本号修改为0x0101)就可以自动切换到国密协议了。可以抓包看一下360安全浏览器访问https://gm.trustasia.com的情况。 供参考。
vk2705
commented
2 years ago I know that browser 360 does it... but BabaSSL s_server does not and then the national secret server will return to the normal national secret protocol when get such ClientHello.
On Mon, Jan 24, 2022 at 8:56 AM @. @.> wrote:
360安全浏览器会在tls1.2的clienthello的ciphersuite里加上0xe013和0xe053这两个密码套件,告诉服务器客户端支持国密,然后国密服务器返回正常的国密协议(将协议版本号修改为0x0101)就可以自动切换到国密协议了。可以抓包看一下360安全浏览器访问 https://gm.trustasia.com的情况。 供参考。
— Reply to this email directly, view it on GitHub https://github.com/BabaSSL/BabaSSL/issues/148#issuecomment-1019775696, or unsubscribe https://github.com/notifications/unsubscribe-auth/AGCDLSLAV6ZUOWZ3AMR2HDTUXTZ3RANCNFSM5MSRFQ4A . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
You are receiving this because you authored the thread.Message ID: @.***>
vk2705
commented
2 years ago I mean, that babaSSL s_server, as I see, does not switch to national secret protocol. I think https://gm.trustasia.com https://gm.trustasia.xn--com-841ep20el03a./ runs a different server software.
On Mon, Jan 24, 2022 at 9:08 AM Vitaly @.***> wrote:
I know that browser 360 does it... but BabaSSL s_server does not and then the national secret server will return to the normal national secret protocol when get such ClientHello.
On Mon, Jan 24, 2022 at 8:56 AM @. < @.> wrote:
360安全浏览器会在tls1.2的clienthello的ciphersuite里加上0xe013和0xe053这两个密码套件,告诉服务器客户端支持国密,然后国密服务器返回正常的国密协议(将协议版本号修改为0x0101)就可以自动切换到国密协议了。可以抓包看一下360安全浏览器访问 https://gm.trustasia.com的情况。 供参考。
— Reply to this email directly, view it on GitHub https://github.com/BabaSSL/BabaSSL/issues/148#issuecomment-1019775696, or unsubscribe https://github.com/notifications/unsubscribe-auth/AGCDLSLAV6ZUOWZ3AMR2HDTUXTZ3RANCNFSM5MSRFQ4A . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
You are receiving this because you authored the thread.Message ID: @.***>
sdhzdmzzl
commented
2 years ago 是的,我刚看了下babassl的代码,是直接判断的版本号,可以修改下SSL_connection_is_ntls的代码,将目前的只判断版本号,不是0x0101的就直接返回false修改为当版本号不是0x0101时,读取到完整的ciphersuite列表,判断里边是否有0xe013和0xe053的套件再决定返回true/false。
vk2705
commented
2 years ago Thank you, I am going to do it!
On Mon, Jan 24, 2022 at 9:13 AM @. @.> wrote:
是的,我刚看了下babassl的代码,是直接判断的版本号,可以修改下SSL_connection_is_ntls的代码,将目前的只判断版本号,不是0x0101的就直接返回false修改为当版本号不是0x0101时,读取到完整的ciphersuite列表,判断里边是否有0xe013和0xe053的套件再决定返回true/false。
— Reply to this email directly, view it on GitHub https://github.com/BabaSSL/BabaSSL/issues/148#issuecomment-1019786413, or unsubscribe https://github.com/notifications/unsubscribe-auth/AGCDLSPNKCC4IW7NTRKSNDDUXT32XANCNFSM5MSRFQ4A . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
You are receiving this because you authored the thread.Message ID: @.***>
vk2705
commented
2 years ago unfortunately it did not work. it is not enough to modify SSL_connection_is_ntls(). Even if we force it to return 1, and the Hello is compatible with NTLS, the connection would fail.
If we use SSLv23_method on server , it does not switch to NTLS state machine.
when both client and server support both TLS 1.2 and GmSSL, we would like to make them agree on GmSSL. can you please advise how we can achieve it ? thank you!