not1337 / tlsclient

a simple to use TLS client library for Linux with special features

Not all the extension-supported-version can be added to ClientHello's Extension. #1

Open zhangbiyun opened 4 years ago

zhangbiyun commented 4 years ago

Hi,
Thank you for open-sourcing tlsclient. I've tried the extension-supported-version configuration in the .conf file, but the last line of the extension failed to be added to the ClientHello's extension.

In one case, the following is in the .conf file:

    extension-supported-version grease
    extension-supported-version TLS-1.3
    extension-supported-version TLS-1.2
    extension-supported-version TLS-1.1
    extension-supported-version TLS-1.0 *

Could you investigate it for me?

Thanks. Zhang biyun

not1337 commented 4 years ago

Hi, this depends on what the crypto backend actually inserts. The extension is "supported-version" and the extension data, i.e. TLS-1.0 is inserted by the backend crypto library. This means that you have to configure the backend crypto library to insert the required data.

On Sun, 2020-08-23 at 04:29 -0700, zhangbiyun wrote:

Hi, Thank you for open-sourcing tlsclient. I've tried the extension-supported-version configuration in the .conf file, but the last line of the extension failed to be added to the ClientHello's extension.

In one case, the following is in the .conf file:

    extension-supported-version grease
    extension-supported-version TLS-1.3
    extension-supported-version TLS-1.2
    extension-supported-version TLS-1.1
    extension-supported-version TLS-1.0 *

TLS-1.0 was not in the extension value of the ClientHello in the Wireshark packet capture. Could you investigate it for me?

Thanks. Zhang biyun


zhangbiyun commented 4 years ago

Hi, this depends on what the crypto backend actually inserts. The extension is "supported-version" and the extension data, i.e. TLS-1.0 is inserted by the backend crypto library. This means that you have to configure the backend crypto library to insert the required data.

Thanks. I've tried openssl-1.1.1g as the backend. Maybe there is some mistake in my configuration. But I still have a question.

I tested several patterns, as follows.

A one-line config: there is no extension data in the ClientHello packet when doing the handshake.

Only grease/TLS-1.3/TLS-1.2 can be seen in the packet capture.

TLS-1.0 was gone.

So, I guess maybe there is a bug.
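A small parser for checking which versions a captured ClientHello lists in supported_versions, the check made with Wireshark in the comments above. This is an added example, not code from tlsclient; the function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_SUPPORTED_VERSIONS 0x002b /* RFC 8446, section 4.2.1 */

/* GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. */
int is_grease(uint16_t v)
{
    return (v & 0x0f0f) == 0x0a0a && (v >> 8) == (v & 0xff);
}

/* Walk a ClientHello extensions list (the bytes after its 2-byte total
   length) and copy the versions listed in supported_versions into out.
   Returns the count, 0 if the extension is absent, -1 if malformed. */
int offered_versions(const uint8_t *ext, size_t len, uint16_t *out, int max)
{
    size_t p = 0;
    while (p + 4 <= len) {
        unsigned type = (unsigned)ext[p] << 8 | ext[p + 1];
        size_t dlen = (size_t)ext[p + 2] << 8 | ext[p + 3];
        const uint8_t *d = ext + p + 4;
        if (dlen > len - p - 4)
            return -1;
        p += 4 + dlen;
        if (type != EXT_SUPPORTED_VERSIONS)
            continue;
        /* extension_data: 1-byte list length, then 2-byte versions */
        if (dlen < 3 || (size_t)d[0] != dlen - 1 || d[0] % 2 != 0)
            return -1;
        int n = 0;
        for (size_t i = 1; i + 1 < dlen && n < max; i += 2)
            out[n++] = (uint16_t)(d[i] << 8 | d[i + 1]);
        return n;
    }
    return p == len ? 0 : -1;
}

int main(void)
{
    /* Constructed sample: an empty extension of type 0x0017, then
       supported_versions listing GREASE 0x2a2a, TLS 1.3, TLS 1.2. */
    const uint8_t ext[] = { 0x00, 0x17, 0x00, 0x00, 0x00, 0x2b, 0x00, 0x07,
                            0x06, 0x2a, 0x2a, 0x03, 0x04, 0x03, 0x03 };
    uint16_t v[16];
    int n = offered_versions(ext, sizeof ext, v, 16);
    for (int i = 0; i < n; i++)
        printf("0x%04x%s\n", (unsigned)v[i], is_grease(v[i]) ? " (GREASE)" : "");
    return n < 0;
}
```

TLS 1.1 and TLS 1.0 would appear in the output as 0x0302 and 0x0301 if the ClientHello carried them.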

not1337 commented 4 years ago

I see, though as the templates I included do work I would need one of the templates you're testing with and some more information, e.g. the backend library used.

On Sun, 2020-08-23 at 04:58 -0700, zhangbiyun wrote:

Hi, this depends on what the crypto backend actually inserts. The extension is "supported-version" and the extension data, i.e. TLS-1.0 is inserted by the backend crypto library. This means that you have to configure the backend crypto library to insert the required data. … Thanks. I've tried openssl-1.1.1g as the backend. Maybe there is some mistake in my configuration. But I still have a question.

I tested several patterns, as follows.

pattern1

    extension-supported-version TLS-1.3

A one-line config: there is no extension data in the ClientHello packet when doing the handshake.

pattern2

    extension-supported-version grease
    extension-supported-version TLS-1.3
    extension-supported-version TLS-1.2
    extension-supported-version TLS-1.1

Only grease/TLS-1.3/TLS-1.2 can be seen in the packet capture.

pattern3

    extension-supported-version grease
    extension-supported-version TLS-1.3
    extension-supported-version TLS-1.2
    extension-supported-version TLS-1.1
    extension-supported-version TLS-1.0

TLS-1.0 was gone.

So, I guess maybe there is a bug.


zhangbiyun commented 4 years ago

Sorry, sir. I migrated tlsclient to Windows using VS2017. And merged tlsclient with the curl library. All the modules were built under Windows. So maybe it is not useful.

Part of the tlsclient, ClientHello Loader/Modifier from config file, there is only a job in my own migration. Template file modified, which turns the ciphersuite from algorithm name to the hex code. I have tried to look into the ClientHello loader code about creating the CLIENTHELLO struct. There are great C pointers and data structures. Finally, I HAVE NO IDEA.

    ciphersuite grease
    ciphersuite 4A4A
    ciphersuite 1301
    ciphersuite 1302
    ciphersuite 1303
    ciphersuite C02B
    ciphersuite C02F
    ciphersuite C02C
    ciphersuite C030
    ciphersuite CCA9
    ciphersuite CCA8
    ciphersuite C013
    ciphersuite C014
    ciphersuite 009C
    ciphersuite 009D
    ciphersuite 002F
    ciphersuite 0035

Anyway, I used the following libraries.

Could you take a look at the supported-version packet capture when doing the handshake with the real website in a Linux environment?

not1337 commented 4 years ago

Unfortunately there seems to be something that has happened during the porting. I do indeed verify that the resulting Client Hello is what it should look like. There's actually a regression verification tool named 'regressor' in the distribution that verifies actual and expected Client Hello results. The tool is run before I do publish a new template which means that there has to be a porting problem. As some hints, could there be a CRLF vs. LF problem or very simply a no LF/CRLF on last template line problem? Does reordering of elements within your template move the problem elsewhere?

On Sun, 2020-08-23 at 05:49 -0700, zhangbiyun wrote:

Sorry, sir. I migrated tlsclient to Windows using VS2017. And merged tlsclient with the curl library. All the modules were built under Windows. So maybe it is not useful.

Part of the tlsclient, ClientHello Loader/Modifier from config file, there is only a job in my own migration. Template file modified, which turns the ciphersuite from algorithm name to the hex code. I have tried to look into the ClientHello loader code about creating the CLIENTHELLO struct. There are great C pointers and data structures. Finally, I HAVE NO IDEA.

    ciphersuite grease
    ciphersuite 4A4A
    ciphersuite 1301
    ciphersuite 1302
    ciphersuite 1303
    ciphersuite C02B
    ciphersuite C02F
    ciphersuite C02C
    ciphersuite C030
    ciphersuite CCA9
    ciphersuite CCA8
    ciphersuite C013
    ciphersuite C014
    ciphersuite 009C
    ciphersuite 009D
    ciphersuite 002F
    ciphersuite 0035

Anyway, I used the following libraries.

    tlsclient
    openssl-1.1.1g
    curl-7.71.1

Built on Win10 using VS2017. Could you take a look at the supported-version packet capture when doing the handshake with the real website in a Linux environment?

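The two line-ending conditions named in the reply above (CRLF instead of LF, and no line terminator on the last template line) can be checked and corrected before a template is loaded. This is an added example, not code from tlsclient; the function and flag names are invented for illustration and it makes no claim about how the tlsclient loader reads its files.

```c
#include <stddef.h>
#include <stdio.h>

/* Flag names are invented for this example. */
enum { TPL_CRLF = 1, TPL_LONE_CR = 2, TPL_NO_FINAL_LF = 4 };

/* Report line-ending conditions in a template held in memory. */
int check_template(const char *buf, size_t len)
{
    int flags = (len > 0 && buf[len - 1] != '\n') ? TPL_NO_FINAL_LF : 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\r')
            flags |= (i + 1 < len && buf[i + 1] == '\n') ? TPL_CRLF : TPL_LONE_CR;
    return flags;
}

/* Write an LF-only copy to out: CR LF and lone CR become LF and the last
   line is LF-terminated. Returns the new length, -1 if out is too small. */
long normalize_template(const char *buf, size_t len, char *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        if (c == '\r' && i + 1 < len && buf[i + 1] == '\n')
            continue;              /* the LF that follows ends the line */
        if (n == cap)
            return -1;
        out[n++] = (c == '\r') ? '\n' : c;
    }
    if (n > 0 && out[n - 1] != '\n') {
        if (n == cap)
            return -1;
        out[n++] = '\n';
    }
    return (long)n;
}

int main(void)
{
    /* Constructed sample: CRLF endings, last line not terminated. */
    const char tpl[] = "extension-supported-version TLS-1.1\r\n"
                       "extension-supported-version TLS-1.0";
    char fixed[128];
    long n = normalize_template(tpl, sizeof tpl - 1, fixed, sizeof fixed);
    printf("flags before: %d, after: %d\n", check_template(tpl, sizeof tpl - 1),
           n < 0 ? -1 : check_template(fixed, (size_t)n));
    return 0;
}
```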

zhangbiyun commented 4 years ago

Okay. Thanks. I got the direction.