XRPLF / clio

An XRP Ledger API Server
https://xrpl.org
ISC License

Support TLS1.3 #1419

Closed godexsoft closed 2 weeks ago

godexsoft commented 1 month ago

Summary

It appears that Clio does not support TLS1.3 while rippled does.

rippled:

curl -v --tlsv1.3 -d '{"method":"server_info"}' --connect-to s1.ripple.com:51234:127.0.0.1:51234 https://s1.ripple.com:51234/
* Connecting to hostname: 127.0.0.1
* Connecting to port: 51234
*   Trying 127.0.0.1:51234...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 51234 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.ripple.com
*  start date: Aug 22 00:00:00 2023 GMT
*  expire date: Sep 11 23:59:59 2024 GMT
*  subjectAltName: host "s1.ripple.com" matched cert's "*.ripple.com"
*  issuer: C=FR; ST=Paris; L=Paris; O=Gandi; CN=Gandi Standard SSL CA 2
*  SSL certificate verify ok.
> POST / HTTP/1.1
> Host: s1.ripple.com:51234
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 24
> Content-Type: application/x-www-form-urlencoded

Clio:

curl -v --tlsv1.3 -d '{"method":"server_info"}'  https://s1.ripple.com:51234
*   Trying 34.220.225.237:51234...
* TCP_NODELAY set
* Connected to s1.ripple.com (34.220.225.237) port 51234 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, protocol version (582):
* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
* Closing connection 0
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
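Added check, not code from the issue or from the Clio project: a small Python parser that classifies `curl -v` transcripts like the two above (negotiated version, or the alert that ended the handshake) and flags a server that never negotiates TLS 1.3 or still accepts legacy versions, which is the thing to re-verify after moving from a version-pinned context to a generic one. The sample transcripts are constructed excerpts modelled on the ones in this issue.

```python
import re

# Constructed excerpts modelled on the two `curl -v --tlsv1.3` transcripts in the
# issue: one server completes a TLS 1.3 handshake, the other answers the
# ClientHello with a protocol_version alert.
TLS13_OK = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
"""
TLS13_REJECTED = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, protocol version (582):
* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
"""

NEGOTIATED = re.compile(r"^\* SSL connection using (SSLv3|TLSv1(?:\.\d)?) / (\S+)", re.M)
ALERT = re.compile(r"TLS alert, ([a-z ]+?) \((\d+)\)", re.M)


def classify_handshake(curl_verbose: str) -> dict:
    """Summarise one curl -v run: negotiated version, or the alert that ended it."""
    m = NEGOTIATED.search(curl_verbose)
    if m:
        return {"ok": True, "version": m.group(1), "cipher": m.group(2)}
    m = ALERT.search(curl_verbose)
    if m:
        # OpenSSL reports alerts as (level << 8) | description:
        # 582 == (2 << 8) | 70 == fatal, protocol_version.
        code = int(m.group(2))
        return {"ok": False, "alert": m.group(1), "level": code >> 8, "description": code & 0xFF}
    return {"ok": False, "alert": None}


def tls_support_report(probes: dict) -> dict:
    """probes maps a label (e.g. the curl flags used) to that run's verbose output.
    Flags a server that never negotiates TLS 1.3, and one that still negotiates
    SSLv3 / TLS 1.0 / TLS 1.1 (the risk of switching to a generic server method
    without also disabling the legacy versions)."""
    versions = set()
    for out in probes.values():
        result = classify_handshake(out)
        if result["ok"]:
            versions.add(result["version"])
    findings = []
    if "TLSv1.3" not in versions:
        findings.append("TLS 1.3 not negotiated by any probe")
    legacy = sorted(v for v in versions if v in ("SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"))
    if legacy:
        findings.append("legacy protocol versions accepted: " + ", ".join(legacy))
    return {"negotiated": sorted(versions), "findings": findings}
```

Feed it one transcript per curl invocation (for example `--tlsv1.3`, and `--tls-max 1.1` to see whether legacy versions are still offered) and read the findings.
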

kuznetsss commented 1 month ago

Maybe adjusting this line will be enough to fix this: https://github.com/XRPLF/clio/blob/c56998477cb398d5a9a23dec69502b55e671cf83/src/main/Main.cpp#L139

xzhaous commented 1 month ago

Looks like it's just a change from ssl::context ctx{ssl::context::tlsv12}; to ssl::context ctx{ssl::context::tls_server};