nodejs / help


tlsoption.enableTrace does not show correct tls protocol 1.3 (it shows 1.2 instead) #3103

Open shiup opened 3 years ago

shiup commented 3 years ago

When enableTrace is configured, Node does not show the correct TLS protocol. Node.js shows TLS 1.2, while Wireshark shows 1.3 (and Wireshark is showing the correct one).

                             --   --   (master  origin)     
~/dev/curl/sample (💃 ) node app.js 
Sent Record
Header:
  Version = TLS 1.0 (0x301)
  Content Type = Handshake (22)
  Length = 236
    ClientHello, Length=232
      client_version=0x303 (TLS 1.2)
      Random:
        gmt_unix_time=0xAFAB92C9
        random_bytes (len=28): 3F4E6CC15602951A8236C732E7E2E188E5B427A6797D67FDBB9FE01E
      session_id (len=32): BEA460F6C1ADD6AA33D66B7CFC5ED0CF2D37374859FA3E73D209768ABA9149CD
      cipher_suites (len=12)
...............

Received Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ApplicationData (23)
  Length = 16401
  Inner Content Type = ApplicationData (23)
Received Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ApplicationData (23)
  Length = 15504
  Inner Content Type = ApplicationData (23)
Sent Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ApplicationData (23)
  Length = 19
  Inner Content Type = Alert (21)
    Level=warning(1), description=close notify(0)

Received Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ApplicationData (23)
  Length = 19
  Inner Content Type = Alert (21)
    Level=warning(1), description=close notify(0)

                             --   --   (master  origin)     
~/dev/curl/sample (💃 ) node -v
v14.15.1
                             --   --   (master  origin)     
~/dev/curl/sample (💃 ) ping www.cdn77.com
PING 1669655317.rsc.cdn77.org (89.187.164.10): 56 data bytes
64 bytes from 89.187.164.10: icmp_seq=0 ttl=56 time=14.569 ms
^C
--- 1669655317.rsc.cdn77.org ping statistics ---
2 packets transmitted, 1 packets received, 50.0% packet loss
round-trip min/avg/max/stddev = 14.569/14.569/14.569/0.000 ms

For the same request above, here is the Wireshark pcap (remove the .txt first): tls13.pcapng.txt

Wireshark screenshot: (image)

app.js to demo the problem.

'use strict';

// spoon for testing the tls1.3

const https = require('https');
const tls = require('tls');
const _ = require('lodash');

const tls13Ciphers = [
    // below are new TLS1.3 ciphers
    'TLS_AES_256_GCM_SHA384',       // 'TLS_AES_256_GCM_SHA384',
    'TLS_CHACHA20_POLY1305_SHA256', // 'TLS_CHACHA20_POLY1305_SHA256',
    'TLS_AES_128_GCM_SHA256',       // 'TLS_AES_128_GCM_SHA256',
    'TLS_AES_128_CCM_SHA256',       // 'TLS_AES_128_CCM_SHA256',
    'TLS_AES_128_CCM_8_SHA256'      // 'TLS_AES_128_CCM_8_SHA256'
];

// TLS 1.2 suites (IANA names); not referenced below, tls13Ciphers is used instead
const nonTlsCiphers = [
    'ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',  // ecdhe-ecdsa-aes256-gcm-sha384
    'ECDHE_RSA_WITH_AES_256_GCM_SHA384',    // ecdhe-rsa-aes256-gcm-sha384
    'ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',  // ecdhe-ecdsa-aes256-sha384
    'ECDHE_RSA_WITH_AES_256_CBC_SHA384',    // ecdhe-rsa-aes256-sha384
    'ECDHE_ECDSA_WITH_AES_256_CBC_SHA',     // ecdhe-ecdsa-aes256-sha
    'ECDHE_RSA_WITH_AES_256_CBC_SHA',       // ecdhe-rsa-aes256-sha
    'DHE_DSS_WITH_AES_256_GCM_SHA384',      // dhe-dss-aes256-gcm-sha384
    'DHE_RSA_WITH_AES_256_GCM_SHA384',      // dhe-rsa-aes256-gcm-sha384
    'DHE_RSA_WITH_AES_256_CBC_SHA256',      // dhe-rsa-aes256-sha256
    'DHE_DSS_WITH_AES_256_CBC_SHA256',      // dhe-dss-aes256-sha256
    'DHE_RSA_WITH_AES_256_CBC_SHA',         // dhe-rsa-aes256-sha
    'DHE_DSS_WITH_AES_256_CBC_SHA',         // dhe-dss-aes256-sha
    'RSA_WITH_AES_256_GCM_SHA384',          // aes256-gcm-SHA384
    'RSA_WITH_AES_256_CBC_SHA256'          // AES256-SHA256
];

var options = {
    // 1.2
    // host: 'httpbin.org',
    // path: '/get',

    // 1.2 and 1.3
    // host: 'google.com',
    // path: '/',

    // 1.2 and 1.3
    host: 'www.cdn77.com',
    path: '/tls-test',

    port: 443,
    method: 'GET',
    rejectUnauthorized: false,
    // secureProtocol: 'TLSv1_2_method',
    minVersion: 'TLSv1.3',
    maxVersion: 'TLSv1.3',
    enableTrace: true,
    ciphers: _.join(tls13Ciphers, ':')
};

https.request(options, res => {
    let body = '';
    res.on('data', data => body += data);
    res.on('end', () => {
        // console.log('response data: ' + body);
    });
}).on('error', err => {
    console.warn(err);
}).end();

// https://www.cdn77.com/tls-test
// https://google.com
// node app.js

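The "TLS 1.2" lines in the trace above are what RFC 8446 prescribes for the wire format, not a misreport of the negotiated protocol: a TLS 1.3 ClientHello carries `legacy_version = 0x0303`, every record after the first uses `legacy_record_version = 0x0303` (the first ClientHello may use 0x0301, as in the trace), and the protocol actually offered and selected lives only in the `supported_versions` extension. The encrypted records that show `Content Type = ApplicationData` with an `Inner Content Type` are themselves a TLS 1.3 feature. The following is an added example, not code from the issue or from Node.js: it builds a constructed ClientHello with `supported_versions` offering 1.3 and 1.2, then parses the record header and the hello to show that neither version field says 1.3 while the extension does. All byte values and helper names are constructed for this illustration.

```javascript
'use strict';
// Added example: parse a TLS record + ClientHello and report where each
// "version" value lives. The sample ClientHello is constructed below.

const VERSION_NAMES = { 0x0301: 'TLS 1.0', 0x0302: 'TLS 1.1', 0x0303: 'TLS 1.2', 0x0304: 'TLS 1.3' };
const EXT_SUPPORTED_VERSIONS = 0x002b; // RFC 8446 extension type

function u8(n) { return Buffer.from([n]); }
function u16(n) { const b = Buffer.alloc(2); b.writeUInt16BE(n, 0); return b; }
function u24(n) { const b = Buffer.alloc(3); b.writeUIntBE(n, 0, 3); return b; }

function versionName(v) {
  const hex = '0x' + v.toString(16).padStart(4, '0');
  return `${VERSION_NAMES[v] || 'unknown'} (${hex})`;
}

// Build a minimal ClientHello wrapped in a TLS record (constructed sample input).
function buildClientHello(offeredVersions, cipherSuites) {
  const random = Buffer.alloc(32, 0xab);    // fixed bytes, fine for a parser test
  const sessionId = Buffer.alloc(32, 0xcd); // legacy_session_id (compat value)
  const suites = Buffer.alloc(cipherSuites.length * 2);
  cipherSuites.forEach((s, i) => suites.writeUInt16BE(s, i * 2));

  // supported_versions body: 1-byte list length, then 2 bytes per version
  const versions = Buffer.alloc(1 + offeredVersions.length * 2);
  versions.writeUInt8(offeredVersions.length * 2, 0);
  offeredVersions.forEach((v, i) => versions.writeUInt16BE(v, 1 + i * 2));
  const ext = Buffer.concat([u16(EXT_SUPPORTED_VERSIONS), u16(versions.length), versions]);

  const body = Buffer.concat([
    u16(0x0303),               // legacy_version: always TLS 1.2 for a 1.3 client
    random,
    u8(sessionId.length), sessionId,
    u16(suites.length), suites,
    u8(1), u8(0x00),           // compression_methods: null only
    u16(ext.length), ext,
  ]);
  const handshake = Buffer.concat([u8(0x01), u24(body.length), body]); // type 1 = ClientHello
  // record header: type 22 (Handshake), legacy_record_version, length
  return Buffer.concat([u8(22), u16(0x0303), u16(handshake.length), handshake]);
}

// Walk the record and ClientHello, returning the raw version numbers found.
function parseClientHello(buf) {
  if (buf.readUInt8(0) !== 22) throw new Error('not a Handshake record');
  const recordVersion = buf.readUInt16BE(1);
  const recordLen = buf.readUInt16BE(3);
  if (buf.length < 5 + recordLen) throw new Error('truncated record');
  let p = 5;
  if (buf.readUInt8(p) !== 0x01) throw new Error('not a ClientHello');
  p += 4;                                // handshake type (1) + length (3)
  const legacyVersion = buf.readUInt16BE(p); p += 2;
  p += 32;                               // random
  p += 1 + buf.readUInt8(p);             // legacy_session_id
  p += 2 + buf.readUInt16BE(p);          // cipher_suites
  p += 1 + buf.readUInt8(p);             // legacy_compression_methods
  const extEnd = p + 2 + buf.readUInt16BE(p); p += 2;
  let supportedVersions = null;
  while (p < extEnd) {
    const type = buf.readUInt16BE(p);
    const len = buf.readUInt16BE(p + 2);
    p += 4;
    if (type === EXT_SUPPORTED_VERSIONS) {
      const n = buf.readUInt8(p);        // byte length of the version list
      supportedVersions = [];
      for (let i = 0; i < n; i += 2) supportedVersions.push(buf.readUInt16BE(p + 1 + i));
    }
    p += len;
  }
  return { recordVersion, legacyVersion, supportedVersions };
}

function describe(buf) {
  const r = parseClientHello(buf);
  return {
    recordVersion: versionName(r.recordVersion),
    legacyVersion: versionName(r.legacyVersion),
    supportedVersions: r.supportedVersions ? r.supportedVersions.map(versionName) : null,
    // TLS 1.3 is only visible here, never in the two fields above.
    offersTls13: !!r.supportedVersions && r.supportedVersions.includes(0x0304),
  };
}

// Constructed sample: offers 1.3 then 1.2; suites are the TLS 1.3 AES-GCM/ChaCha IDs.
const sample = buildClientHello([0x0304, 0x0303], [0x1302, 0x1303, 0x1301]);
console.log(describe(sample));
```

Running it prints `recordVersion` and `legacyVersion` as `TLS 1.2 (0x0303)` with `supportedVersions` listing `TLS 1.3 (0x0304)` first, which is exactly the shape of the trace in the report. Wireshark labels the session 1.3 because it reads `supported_versions` from the ServerHello; in Node the equivalent authoritative check is `socket.getProtocol()` on the connected TLS socket, which returns `'TLSv1.3'` for a 1.3 session regardless of what the record headers say.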

RedYetiDev commented 1 month ago

Hi! Is this issue still occurring?