jmhodges / howsmyssl

The web app running howsmyssl.com
MIT License

TLS 1.3 working properly? #716

Open gojimmypi opened 2 weeks ago

gojimmypi commented 2 weeks ago

I'm working on adding wolfSSL support to the ESP-TLS layer in the Espressif ESP-IDF as noted in https://github.com/espressif/esp-idf/issues/13966.

While attempting to update the HTTPS example to use only TLS 1.3, I encounter an error when connecting to www.howsmyssl.com. See original source code, and my WIP example. This may be related to https://github.com/jmhodges/howsmyssl/issues/356

When allowing a fallback to TLS 1.2, everything works as expected.

I'd like to be able to keep the www.howsmyssl.com reference in the Espressif example, as otherwise when forcing only TLS 1.3, the resulting error is misleading.

For example, when using openssl to test with www.howsmyssl.com:

Trying TLS 1.3 TLS-AES128-GCM-SHA256

Results in alert handshake failure:

openssl s_client -connect www.howsmyssl.com:443 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256
CONNECTED(00000003)
4007A425BD7F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1584:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 247 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Alternatively, with google.com

The same test is successful:

$ openssl s_client -connect www.google.com:443 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WR2
verify return:1
depth=0 CN = www.google.com
verify return:1
---
Certificate chain
 0 s:CN = www.google.com
   i:C = US, O = Google Trust Services, CN = WR2
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  5 07:19:58 2024 GMT; NotAfter: Oct 28 07:19:57 2024 GMT
 1 s:C = US, O = Google Trust Services, CN = WR2
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[ ... snip, etc ... ]

Test with no cipher suite specified:

Fails with alert handshake failure.

$  openssl s_client -connect www.howsmyssl.com:443 -tls1_3
CONNECTED(00000003)
40073E50047F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1584:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 251 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Web page appears operational:

The above errors are unexpected, as when visiting with a browser, it appears TLS 1.3 is accepted:


For reference, the same web page claims:

Given Cipher Suites
The cipher suites your client said it supports, in the order it sent them, are:

TLS_GREASE_IS_THE_WORD_7A
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

Perhaps I'm missing something here?

Subscription Page Not Working

While I have your attention, not sure if it is related, but the subscriptions.howsmyssl.com does not seem to be working.

This site can't be reached
subscriptions.howsmyssl.com unexpectedly closed the connection.
Try:

Checking the connection
Checking the proxy and the firewall
Running Windows Network Diagnostics
ERR_CONNECTION_CLOSED

In any case, thank you for your work on the howsmyssl web site!

jmhodges commented 2 weeks ago

Thanks for your patience in waiting for a response. The day job was very active this week.

Howsmyssl doesn't yet fully support TLS 1.3. It's working off an old fork of the crypto/tls library from long ago. There's been a tradeoff between upgrading it to a version that supports 1.3 and continuing to have support for the older versions of TLS and ciphersuites that it detects problems in.

It might be time to upgrade and ditch those old vulnerability checks. I've not written down a full analysis of what detections would be lost, but it would be substantial. I'll try to see how bad it is by doing another attempted upgrade, but I can't promise a timeline.
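The two behaviours discussed in this thread, a TLS 1.3-only client failing the handshake while a client allowed to fall back to TLS 1.2 succeeds, can be reproduced offline against a `crypto/tls` server capped at TLS 1.2. The program below is an added example written for this page; it is not howsmyssl's code and does not use its old `crypto/tls` fork. It uses the current standard library, which does speak TLS 1.3, and models the site by setting the server's `MaxVersion` to TLS 1.2. The listener address, the self-signed "localhost" certificate and the `RunProbes`/`probe` helpers are all constructed for the demo. One caveat: a current Go server that cannot agree on a version answers with a `protocol_version` alert (70) rather than the `handshake_failure` alert (40) seen in the `openssl s_client` output above, so the error text differs even though the outcome is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds an in-memory ECDSA certificate for "localhost" so the
// demo runs offline. It is a constructed fixture, not the real howsmyssl cert.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// ProbeResult is what a client pinned to a single protocol version observed.
type ProbeResult struct {
	ClientVersion uint16
	Negotiated    uint16 // 0 when the handshake failed
	Err           error
}

// probe dials addr with MinVersion == MaxVersion, the equivalent of
// `openssl s_client -tls1_3` (or -tls1_2): no version fallback is allowed.
func probe(addr string, roots *x509.CertPool, version uint16) ProbeResult {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		RootCAs:    roots,
		ServerName: "localhost",
		MinVersion: version,
		MaxVersion: version,
	})
	if err != nil {
		return ProbeResult{ClientVersion: version, Err: err}
	}
	defer conn.Close()
	return ProbeResult{ClientVersion: version, Negotiated: conn.ConnectionState().Version}
}

// RunProbes starts a loopback server whose newest protocol is serverMax and
// probes it twice: index 0 is a TLS 1.3-only client, index 1 a TLS 1.2-only client.
func RunProbes(serverMax uint16) ([]ProbeResult, error) {
	cert, roots, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   serverMax, // TLS 1.2 here models a server with no TLS 1.3 support
	})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			// Drive the handshake so the client sees either success or an alert.
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	var results []ProbeResult
	for _, v := range []uint16{tls.VersionTLS13, tls.VersionTLS12} {
		results = append(results, probe(ln.Addr().String(), roots, v))
	}
	return results, nil
}

var versionNames = map[uint16]string{0: "none", tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}

func main() {
	for _, max := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		results, err := RunProbes(max)
		if err != nil {
			panic(err)
		}
		for _, r := range results {
			fmt.Printf("server max %s, client pinned to %s: negotiated %s, err=%v\n",
				versionNames[max], versionNames[r.ClientVersion], versionNames[r.Negotiated], r.Err)
		}
	}
}
```

Run with `go run .`: against the TLS 1.2-capped server the pinned TLS 1.3 client fails and the TLS 1.2 client succeeds, which is the pattern reported above; raising the server's `MaxVersion` to TLS 1.3 makes both probes succeed. Pinning `MinVersion` and `MaxVersion` to the same value is the useful diagnostic here, since a client that is allowed to fall back hides whether TLS 1.3 was ever negotiated.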

jmhodges commented 2 weeks ago

(If someone else were interested in doing that work, I would, of course, love to see it!)

gojimmypi commented 1 week ago

Hi @jmhodges and thank you for confirming that full TLS 1.3 support is missing. I admit I scratched my head for some time trying to find the problem, thinking perhaps your site was hidden behind a CDN or something.

It would be awesome if somehow the https://www.howsmyssl.com/ web site could use wolfSSL. They have robust TLS 1.3 support, including post quantum, SM ciphers, and more.

Alas I have very little "Go" programming experience so a PR here from me on the topic won't be in the near future.