eduardsui / tlse

Single C file TLS 1.2/1.3 implementation, using tomcrypt as crypto library

Can't connect with certain servers #54

Closed ronaaron closed 4 years ago

ronaaron commented 4 years ago

(reported also via email) The relevant debug dump is

SIGN SHA256
Consumed 2620 bytes
Message type: 16, length: 333
HANDSHAKE MESSAGE
 => SERVER KEY EXCHANGE
IANA CURVE NUMBER: 23
          SIGNATURE (69/0/65): 0C 85 75 74 6D EC D5 59 85 66 3F 9D 8E 94 16 F8 2E F1 06 5C 51 01 BA FB 62 BA 25 41 6F 15 DA FA EF B3 6B CE 65 99 39 CC 4E C6 93 5B 30 FF 5D 31 43 01 36 E5 78 39 5B 15 ED A7 EA 98 A5 B5 F6 DD 94 CC 6C C6 C3 C4 BA 5E 01 DB 50 52 11 C3 74 DC AC D7 C3 A3 06 08 8D 87 8E E8 EC C8 01 FC A1 34 D1 A8 39 35 D4 EF A0 F9 C3 08 B3 92 B8 E7 5E D5 AF 1E CF 08 D9 EF EB 81 FB 27 5D 35 AD 96 A5 D9 1C B4 20 AF FC 2F E1 86 FD CF F2 AE 8B 59 15 CD 45 8F DC E4 39 BA 93 92 7C 78 5A 64 5F 3D 00 C6 01 89 6D 9D 1C 03 9D D1 CF 16 F0 F1 3A 36 F8 63 53 3A 6B 20 D5 88 2C 3C 31 DC A7 18 40 C0 AE E5 55 87 6E 2B F1 32 79 FB 54 C4 95 FE 59 62 40 00 69 21 8C B1 19 DE 23 87 1F 7D 4C C6 07 65 6B E5 A7 2B 50 52 75 39 85 5F AD F0 A5 64 CD 32 0B D6 FF DD 0B 93 59 C3 EC D6 26 95 01 3B A8 9E CA 7A 
OUT_SIZE: 32
ECC DHE (32): 8B B5 72 A4 D1 C9 E7 57 8B 6E 19 DC F2 10 A6 22 A3 19 A0 10 4B 36 27 AC 55 04 3E F5 6E 19 6F 8B 
Consumed 338 bytes
Message type: 16, length: 4
HANDSHAKE MESSAGE
 => SERVER HELLO DONE
<= Building KEY EXCHANGE

=========== Master key ===========
1E 20 A8 41 EC 09 A3 34 09 BE 20 C0 B8 86 09 D0 B1 60 22 C2 4B 93 18 70 FD 0C 1A F7 85 BD 12 29 B8 27 4E 10 9B A2 59 DE F3 12 D2 B2 D6 DB CD B1 
LOCAL RANDOM  (32): 5E F9 9D DD 5F BA AC D4 28 8A D4 57 C1 59 71 48 DF 8B 19 3D 2D A0 A8 62 A5 D6 90 3F 35 BB 9F 2F 
REMOTE RANDOM (32): 9B 88 5D 3E 04 9F D9 5D 12 6F D8 F0 98 CA F2 62 C8 EE 92 CF 9C 2C 73 9D 44 4F 57 4E 47 52 44 01 

=========== EXPANSION ===========
F0 C0 AD ED 52 66 CC 5F 08 AD D6 D3 81 A2 4F 9E 55 D8 5C C1 EB 44 76 C2 D0 51 59 BA 85 61 1C 3B 9E B4 9D DE E8 D4 03 DD 56 B7 11 66 4F 52 64 50 3A 85 9B F3 25 9C 22 88 BA 32 39 71 73 09 2F 34 71 C4 BC FE 91 94 CE DC 44 D4 F7 3C 10 24 86 53 13 E7 90 29 52 5A A2 B4 63 36 51 71 E3 4B F4 4D 3B A7 2B 2F 48 C6 2E 67 7C 31 A4 8A F2 B3 F9 F6 68 62 FE 2E A6 9A 9D 3F 29 CE 1D 44 52 08 9A A0 5F B6 FC B9 A4 0D B8 D7 F8 5E 37 88 9E 86 F1 34 CD E0 D7 C8 AF 3D 7A CF 68 35 98 4B D4 E3 88 1C 11 78 7D F5 20 0D 6C 9C 1F CC 3D ED AC 15 B6 5F 66 DD D4 8E DD D6 A9 2F 10 AF 3C D6 90 E4 CE E0 
EXPANSION 40/192
CLIENT KEY (16): F0 C0 AD ED 52 66 CC 5F 08 AD D6 D3 81 A2 4F 9E 
CLIENT IV (4): 9E B4 9D DE 
CLIENT MAC KEY (32): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
SERVER KEY (16): 55 D8 5C C1 EB 44 76 C2 D0 51 59 BA 85 61 1C 3B 
SERVER IV (4): E8 D4 03 DD 
SERVER MAC KEY (32): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
Using cipher ID: c02f
<= Building CHANGE CIPHER SPEC
<= Building CLIENT FINISHED
VERIFY DATA (12): F2 CC 9C F9 81 C5 7D A3 07 15 EF 5B 
Consumed 9 bytes
Message type: 14, length: 1
CHANGE CIPHER SPEC MESSAGE
Consumed 6 bytes
Message type: 16, length: 40
encrypted (40): F3 98 96 14 99 DD 2B 98 80 C0 E4 7D 16 64 AE 6D 32 5D 34 01 85 79 33 E3 73 D0 57 5E D5 3C E2 BE 08 8C 4E EE 16 73 A3 EB 
aad (13): 00 00 00 00 00 00 00 00 16 03 03 00 10 
aad iv (12): E8 D4 03 DD F3 98 96 14 99 DD 2B 98 
PT SIZE: 16
decrypted (16): 14 00 00 0C 08 C4 F0 95 50 35 14 37 56 AE 16 77 
tag (16): 73 D0 57 5E D5 3C E2 BE 08 8C 4E EE 16 73 A3 EB 
HANDSHAKE MESSAGE
 => FINISHED
Consumed 21 bytes
Message type: 16, length: 28
encrypted (28): F3 98 96 14 99 DD 2B 99 14 43 55 9D D6 F6 A5 43 05 2C ED EA EF DB DB 9E 15 05 55 EF 
aad (13): 00 00 00 00 00 00 00 01 16 03 03 00 04 
aad iv (12): E8 D4 03 DD F3 98 96 14 99 DD 2B 99 
PT SIZE: 4
decrypted (4): 00 00 00 00 
tag (16): D6 F6 A5 43 05 2C ED EA EF DB DB 9E 15 05 55 EF 
HANDSHAKE MESSAGE
Consumed 9 bytes
Message type: 15, length: 26
encrypted (26): F3 98 96 14 99 DD 2B 9A E1 6C 98 B6 90 3D 32 81 FA 22 ED 89 30 31 7A F9 35 22 
aad (13): 00 00 00 00 00 00 00 02 15 03 03 00 02 
aad iv (12): E8 D4 03 DD F3 98 96 14 99 DD 2B 9A 
PT SIZE: 2
decrypted (2): 02 28 
tag (16): 98 B6 90 3D 32 81 FA 22 ED 89 30 31 7A F9 35 22 
ALERT MESSAGE
02 28 Consumed -12 bytes
ERROR IN CONSUME: -12
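The "aad", "aad iv" and "tag" lines in the dump are the pieces an AES-GCM record needs under RFC 5288 (TLS 1.2 AEAD): the 12-byte nonce is the 4-byte implicit IV from the key block followed by the 8-byte explicit nonce at the front of the record, the 13-byte AAD is sequence number, content type, version and plaintext length, and the last 16 bytes of the record are the tag. The script below is an added example, not tlse code; it takes the server write key, implicit IV and two of the encrypted records printed above (constructed here from the dump), rebuilds those pieces, and decodes the two-byte alert body `02 28` as fatal handshake_failure. Actual decryption is optional and uses the third-party `cryptography` package only if it is installed; the rest is standard library.

```python
import struct
from typing import NamedTuple, Optional

# Values copied from the debug dump above so the record layout can be checked
# offline. Cipher ID c02f is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
SERVER_KEY = bytes.fromhex("55D85CC1EB4476C2D05159BA85611C3B")
SERVER_IV = bytes.fromhex("E8D403DD")          # 4-byte implicit nonce part from the key block
FINISHED_RECORD = bytes.fromhex(               # "encrypted (40)" record, content type 0x16, seq 0
    "F398961499DD2B98"                          # 8-byte explicit nonce
    "80C0E47D1664AE6D325D3401857933E3"          # 16 bytes of ciphertext (the Finished message)
    "73D0575ED53CE2BE088C4EEE1673A3EB"          # 16-byte GCM tag
)
ALERT_RECORD = bytes.fromhex(                  # "encrypted (26)" record, content type 0x15, seq 2
    "F398961499DD2B9A" "E16C" "98B6903D3281FA22ED8930317AF93522"
)

HANDSHAKE, ALERT = 0x16, 0x15
TLS12 = b"\x03\x03"
EXPLICIT_NONCE_LEN, TAG_LEN = 8, 16

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # subset of RFC 5246 / RFC 6066 AlertDescription values
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 80: "internal_error",
    112: "unrecognized_name",
}


class GcmRecord(NamedTuple):
    nonce: bytes        # 12 bytes: implicit IV || explicit nonce (RFC 5288 section 3)
    aad: bytes          # 13 bytes: seq_num || type || version || plaintext length
    ciphertext: bytes
    tag: bytes


def split_gcm_record(content_type: int, payload: bytes, seq_num: int, implicit_iv: bytes) -> GcmRecord:
    """Split a TLS 1.2 AES-GCM record body into the pieces AEAD decryption needs."""
    if len(payload) < EXPLICIT_NONCE_LEN + TAG_LEN:
        raise ValueError("record shorter than explicit nonce + tag")
    explicit_nonce = payload[:EXPLICIT_NONCE_LEN]
    ciphertext = payload[EXPLICIT_NONCE_LEN:-TAG_LEN]
    tag = payload[-TAG_LEN:]
    # The AAD length field is the plaintext length (equal to the ciphertext
    # length for GCM), not the 40 or 26 bytes seen on the wire.
    aad = (struct.pack("!Q", seq_num) + bytes([content_type]) + TLS12
           + struct.pack("!H", len(ciphertext)))
    return GcmRecord(implicit_iv + explicit_nonce, aad, ciphertext, tag)


def decode_alert(plaintext: bytes) -> tuple:
    """Map a decrypted 2-byte alert body to (level, description) names."""
    if len(plaintext) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = plaintext[0], plaintext[1]
    return (ALERT_LEVELS.get(level, f"level_{level}"),
            ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}"))


def try_decrypt(rec: GcmRecord, key: bytes) -> Optional[bytes]:
    """AES-128-GCM open with the 'cryptography' package; returns None if it is not installed."""
    try:
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    except ImportError:
        return None
    return AESGCM(key).decrypt(rec.nonce, rec.ciphertext + rec.tag, rec.aad)


if __name__ == "__main__":
    for name, ctype, payload, seq in (("FINISHED", HANDSHAKE, FINISHED_RECORD, 0),
                                      ("ALERT", ALERT, ALERT_RECORD, 2)):
        rec = split_gcm_record(ctype, payload, seq, SERVER_IV)
        print(f"{name}: nonce={rec.nonce.hex()} aad={rec.aad.hex()} tag={rec.tag.hex()}")
        pt = try_decrypt(rec, SERVER_KEY)
        if pt is not None:
            print("  plaintext:", pt.hex(), decode_alert(pt) if ctype == ALERT else "")
```

Comparing the rebuilt nonce and AAD against the dump is a quick way to tell whether a record-layer failure is a key-derivation problem (nonce or AAD differ) or, as here, a protocol-level alert the peer sent deliberately.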
ronaaron commented 4 years ago

So I compared the outputs from a server which works with one which doesn't (using the same server s/w, and apparently slightly different configs). Both are using 'Let's Encrypt' certificates.

Both sessions proceed identically, until the 'FINISHED' message from the handshake. In that case, the 'good' server gives the APPLICATION DATA message, while the 'bad' server gives another handshake.

After that, we error out with a handshake_failure ALERT message.

I'm guessing we aren't expecting another handshake, and thus fail.

ronaaron commented 4 years ago

Crap. It turns out the 'bad' server required SNI and I didn't have that enabled...
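For anyone who lands here with the same symptom: SNI is the server_name extension (RFC 6066) in the ClientHello. A server hosting several names chooses its certificate from it, and a server configured to require it may answer a ClientHello without one with a fatal alert instead of completing the handshake. The snippet below is an added example, not tlse code (in tlse the client sets the name through its SNI setter before connecting, tls_sni_set() if I recall the name correctly; check tlse.h): it encodes the extension for a hostname and parses it back out of a ClientHello extensions block, which is the quickest way to confirm from a capture whether the client actually sent one.

```python
import struct
from typing import Iterator, Optional, Tuple

SERVER_NAME_EXT = 0x0000      # extension type for server_name (RFC 6066 section 3)
NAME_TYPE_HOST_NAME = 0       # the only NameType defined


def build_sni_extension(hostname: str) -> bytes:
    """Encode one host_name entry as a complete server_name extension (type + length + body)."""
    host = hostname.rstrip(".").encode("ascii")   # RFC 6066: ASCII, no trailing dot, no literal IP
    if not host or len(host) > 0xFFFF:
        raise ValueError("hostname must be 1..65535 ASCII bytes")
    entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(host)) + host
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SERVER_NAME_EXT, len(server_name_list)) + server_name_list


def iter_extensions(block: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a ClientHello extensions body (the bytes after its own 2-byte length prefix)."""
    pos = 0
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", block, pos)
        pos += 4
        if pos + ext_len > len(block):
            raise ValueError("truncated extension body")
        yield ext_type, block[pos:pos + ext_len]
        pos += ext_len


def find_sni(block: bytes) -> Optional[str]:
    """Return the first host_name from the server_name extension, or None if no SNI was sent."""
    for ext_type, data in iter_extensions(block):
        if ext_type != SERVER_NAME_EXT:
            continue
        if len(data) < 2:
            raise ValueError("server_name body too short")
        (list_len,) = struct.unpack_from("!H", data, 0)
        names = data[2:2 + list_len]
        if len(names) != list_len:
            raise ValueError("truncated server_name_list")
        pos = 0
        while pos < len(names):
            if pos + 3 > len(names):
                raise ValueError("truncated ServerName entry")
            name_type = names[pos]
            (name_len,) = struct.unpack_from("!H", names, pos + 1)
            pos += 3
            name = names[pos:pos + name_len]
            if len(name) != name_len:
                raise ValueError("truncated host_name")
            pos += name_len
            if name_type == NAME_TYPE_HOST_NAME:
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    # Constructed sample: a supported_versions extension followed by server_name.
    ext = build_sni_extension("example.com")
    other = b"\x00\x2b\x00\x03\x02\x03\x04"
    print("server_name extension:", ext.hex())
    print("SNI found:", find_sni(other + ext))
    print("SNI without the extension:", find_sni(other))
```

If `find_sni()` returns None for the client's ClientHello, the fatal alert right after the server's Finished (as in the dump above) is the server refusing a name-less session rather than a record-layer or key-exchange bug.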