sipb / certassist

JavaScript interface to ca.mit.edu and ca.csail.mit.edu
https://certassist.mit.edu/
MIT License

Error: TLS error: Unsupported protocol version #12

Open vulpicastor opened 1 month ago

vulpicastor commented 1 month ago

When I tried to use certassist.mit.edu today, I got an error message:

Opening session
Error: TLS error: Unsupported protocol version.

It also seems that ca.mit.edu now supports TLS 1.3, from visiting it in my browser. Could it be that the JavaScript TLS implementation needs to be updated to support it?

Here's my browser version info. I can replicate this in Chrome 125 on both Chrome OS and Windows 10, as well as Firefox 127.0 on Windows 10.

Google Chrome   125.0.6422.169 (Official Build) (64-bit) 
Revision    0f77f18373e678a3da07c74a63d9452a7ab970a6-refs/branch-heads/6422@{#1281}
Platform    15853.61.0 (Official Build) stable-channel brya
Firmware Version    Google_Osiris.14505.682.0
Customization ID    osiris
ARC 11931015 SDK Version: 33
JavaScript  V8 12.5.227.13
User Agent  Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36

andersk commented 1 month ago

Hmm. ca.mit.edu supports TLS 1.2 and 1.3, but it looks like node-forge supports neither. Upstream issues:

andersk commented 1 month ago

ca.mit.edu also has a misordered certificate chain.
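
The ordering rule behind the misordered-chain report above, as an added example that is not part of the thread or of certassist's code: in TLS 1.2 (RFC 5246, section 7.4.2) the server's own certificate comes first and each following certificate must directly certify the one before it. Certificates are modelled here as constructed subject/issuer name pairs, and the function names are hypothetical.

```javascript
// Added example. Certificates are reduced to { subject, issuer } name pairs
// (an assumption); a real check would parse the DER and verify signatures.

// Constructed sample: the root is sent before the intermediate.
const misordered = [
  { subject: "CN=server.example", issuer: "CN=Example Issuing CA" },
  { subject: "CN=Example Root CA", issuer: "CN=Example Root CA" },
  { subject: "CN=Example Issuing CA", issuer: "CN=Example Root CA" },
];

// Index of the first certificate that is not issued by the one after it,
// or -1 when the list is already in leaf-to-root order.
function firstOrderViolation(chain) {
  for (let i = 0; i + 1 < chain.length; i++) {
    if (chain[i].issuer !== chain[i + 1].subject) return i;
  }
  return -1;
}

// Rebuild leaf-to-root order by following issuer names from the leaf
// (chain[0], which the server must always send first).
function reorderChain(chain) {
  if (chain.length === 0) return [];
  const bySubject = new Map();
  for (const cert of chain.slice(1)) {
    if (!bySubject.has(cert.subject)) bySubject.set(cert.subject, cert);
  }
  const ordered = [chain[0]];
  let current = chain[0];
  // Stop at a self-signed certificate or when no issuer was sent.
  while (current.issuer !== current.subject && bySubject.has(current.issuer)) {
    current = bySubject.get(current.issuer);
    bySubject.delete(current.subject); // guards against issuer loops
    ordered.push(current);
  }
  return ordered; // certificates not on the path are dropped
}

console.log("first violation at index", firstOrderViolation(misordered));
console.log(reorderChain(misordered).map((c) => c.subject).join(" <- "));
```

A client that enforces the sent order rejects the first list, while one that builds its own path from the supplied certificates accepts it, which is why a misordered chain can go unnoticed in browsers.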

andersk commented 1 month ago

Possible alternative to investigate: https://github.com/jawj/subtls, although it’s covered in “NOT READY FOR USE IN PRODUCTION” warnings.

andersk commented 1 month ago

Based on the monitoring logs that have been going to my spam folder 🤭, this broke on Jun 3 between 18:30 and 19:00 EDT.

I’ve deployed an update v1-175-gb507476 that adds digitalbazaar/forge#581 for TLS 1.2 support. I reported the misordered chain to ops, who says it will be sorted shortly.

andersk commented 2 weeks ago

Ops fixed the certificate chain ordering, but the server has changed the way it performs Duo authentication in a way that’s going to take more work to handle—I assume this is related to https://ist.mit.edu/news/touchstone-okta.