Closed loopion closed 1 year ago
Hi @loopion Gonna need more info than this to help. This is a warning about an untrusted or invalid cert for this URL but if i load that URL here its GitHub cert from DigiCert TLS Hybrid ECC SHA384 2020 CA1 - this is from both the browser and app.
What is your OS and version? How are you running this (precompiled binary or cargo install)? Do you have anything on your OS or network that will be tampering with TLS certificates (Deep packet inspection, MITM software)? if you load this url in a browser do you get a warning? if so what is the cert and who is the cert issued by?
A log dump would be helpful -
run solo2 update -vv
to get a debug dump
run solo2 update -vvv
to get a more detailed dump that will include the TLS certificate that was used (or tried to be used)
Hi @needs-coffee,
Thanks for your answer and sorry for providing so low details.
MacOS Monterey 12.6 Installed through "cargo install" exactly like on the documentation provided there:
Maybe it's my network as It's my company computer and there is Zscaler and a VPN that probably temper it in between.
Strangely, if I load this URL in my browser I can see the JSON file provided. Certificate Issuer Name is the one from my company. I can see Distribution Point is provided by zscaler.
Here is my solo2 update -vv
OSX ~ solo2 update -vv
Downloading latest release from https://github.com/solokeys/solo2/
DEBUG ureq::stream > connecting to api.github.com:443 at 140.82.121.5:443
DEBUG rustls::client::hs > No cached session for DnsName(DnsName(DnsName("api.github.com")))
DEBUG rustls::client::hs > Not resuming any session
DEBUG rustls::client::hs > Using ciphersuite TLS13_AES_256_GCM_SHA384
DEBUG rustls::client::tls13 > Not resuming
DEBUG rustls::client::tls13 > TLS1.3 encrypted extensions: []
DEBUG rustls::client::hs > ALPN protocol is None
WARN rustls::conn > Sending fatal alert BadCertificate
Error: https://api.github.com/repos/solokeys/solo2/releases/latest: Connection Failed: tls connection init failed: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
solo2 update -vvv
logs
OSX ~ solo2 update -vvv
Downloading latest release from https://github.com/solokeys/solo2/
DEBUG ureq::stream > connecting to api.github.com:443 at 140.82.121.5:443
DEBUG rustls::client::hs > No cached session for DnsName(DnsName(DnsName("api.github.com")))
DEBUG rustls::client::hs > Not resuming any session
TRACE rustls::client::hs > Sending ClientHello Message {
version: TLSv1_0,
payload: Handshake {
parsed: HandshakeMessagePayload {
typ: ClientHello,
payload: ClientHello(
ClientHelloPayload {
client_version: TLSv1_2,
random: 3db64abd6bc2f382b1e6879dcabb6c6fa3532008e3eec69efc8ca972a9e177ad,
session_id: 8bea628706c836848286616223cdc0faa17a50bb6a8c37c9b493074d853cb584,
cipher_suites: [
TLS13_AES_256_GCM_SHA384,
TLS13_AES_128_GCM_SHA256,
TLS13_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
],
compression_methods: [
Null,
],
extensions: [
SupportedVersions(
[
TLSv1_3,
TLSv1_2,
],
),
ECPointFormats(
[
Uncompressed,
],
),
NamedGroups(
[
X25519,
secp256r1,
secp384r1,
],
),
SignatureAlgorithms(
[
ECDSA_NISTP384_SHA384,
ECDSA_NISTP256_SHA256,
ED25519,
RSA_PSS_SHA512,
RSA_PSS_SHA384,
RSA_PSS_SHA256,
RSA_PKCS1_SHA512,
RSA_PKCS1_SHA384,
RSA_PKCS1_SHA256,
],
),
ExtendedMasterSecretRequest,
CertificateStatusRequest(
OCSP(
OCSPCertificateStatusRequest {
responder_ids: [],
extensions: ,
},
),
),
ServerName(
[
ServerName {
typ: HostName,
payload: HostName(
(
6170692e6769746875622e636f6d,
DnsName(
"api.github.com",
),
),
),
},
],
),
SignedCertificateTimestampRequest,
KeyShare(
[
KeyShareEntry {
group: X25519,
payload: 1cffa97bd6db55b97999d3e479d9b34c1c92c9a184e5d0b68fbcece3fce2b922,
},
],
),
PresharedKeyModes(
[
PSK_DHE_KE,
],
),
SessionTicket(
Request,
),
],
},
),
},
encoded: 010000ec03033db64abd6bc2f382b1e6879dcabb6c6fa3532008e3eec69efc8ca972a9e177ad208bea628706c836848286616223cdc0faa17a50bb6a8c37c9b493074d853cb5840014130213011303c02cc02bcca9c030c02fcca800ff0100008f002b00050403040303000b00020100000a00080006001d00170018000d001400120503040308070806080508040601050104010017000000050005010000000000000013001100000e6170692e6769746875622e636f6d00120000003300260024001d00201cffa97bd6db55b97999d3e479d9b34c1c92c9a184e5d0b68fbcece3fce2b922002d0002010100230000,
},
}
TRACE rustls::client::hs > Got HRR HelloRetryRequest { legacy_version: TLSv1_2, session_id: 8bea628706c836848286616223cdc0faa17a50bb6a8c37c9b493074d853cb584, cipher_suite: TLS13_AES_256_GCM_SHA384, extensions: [SupportedVersions(TLSv1_3), KeyShare(secp256r1)] }
TRACE rustls::client::hs > Sending ClientHello Message {
version: TLSv1_2,
payload: Handshake {
parsed: HandshakeMessagePayload {
typ: ClientHello,
payload: ClientHello(
ClientHelloPayload {
client_version: TLSv1_2,
random: 3db64abd6bc2f382b1e6879dcabb6c6fa3532008e3eec69efc8ca972a9e177ad,
session_id: 8bea628706c836848286616223cdc0faa17a50bb6a8c37c9b493074d853cb584,
cipher_suites: [
TLS13_AES_256_GCM_SHA384,
TLS13_AES_128_GCM_SHA256,
TLS13_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
],
compression_methods: [
Null,
],
extensions: [
SupportedVersions(
[
TLSv1_3,
TLSv1_2,
],
),
ECPointFormats(
[
Uncompressed,
],
),
NamedGroups(
[
X25519,
secp256r1,
secp384r1,
],
),
SignatureAlgorithms(
[
ECDSA_NISTP384_SHA384,
ECDSA_NISTP256_SHA256,
ED25519,
RSA_PSS_SHA512,
RSA_PSS_SHA384,
RSA_PSS_SHA256,
RSA_PKCS1_SHA512,
RSA_PKCS1_SHA384,
RSA_PKCS1_SHA256,
],
),
ExtendedMasterSecretRequest,
CertificateStatusRequest(
OCSP(
OCSPCertificateStatusRequest {
responder_ids: [],
extensions: ,
},
),
),
ServerName(
[
ServerName {
typ: HostName,
payload: HostName(
(
6170692e6769746875622e636f6d,
DnsName(
"api.github.com",
),
),
),
},
],
),
SignedCertificateTimestampRequest,
KeyShare(
[
KeyShareEntry {
group: secp256r1,
payload: 048d67eeedbf4d14de1a771486d265859b9c7b1c28e894cdfcdd75dde2dca48771191e8072b48f609018922b1aaf33c44de538abee7cb20447c645f53cdceccf72,
},
],
),
PresharedKeyModes(
[
PSK_DHE_KE,
],
),
SessionTicket(
Request,
),
],
},
),
},
encoded: 0100010d03033db64abd6bc2f382b1e6879dcabb6c6fa3532008e3eec69efc8ca972a9e177ad208bea628706c836848286616223cdc0faa17a50bb6a8c37c9b493074d853cb5840014130213011303c02cc02bcca9c030c02fcca800ff010000b0002b00050403040303000b00020100000a00080006001d00170018000d001400120503040308070806080508040601050104010017000000050005010000000000000013001100000e6170692e6769746875622e636f6d0012000000330047004500170041048d67eeedbf4d14de1a771486d265859b9c7b1c28e894cdfcdd75dde2dca48771191e8072b48f609018922b1aaf33c44de538abee7cb20447c645f53cdceccf72002d0002010100230000,
},
}
TRACE rustls::conn > Dropping CCS
TRACE rustls::client::hs > We got ServerHello ServerHelloPayload {
legacy_version: TLSv1_2,
random: 0c0584aa4d35f40fd63067b81e2c164b3925d022756059c1798bd1f688ef3b38,
session_id: 8bea628706c836848286616223cdc0faa17a50bb6a8c37c9b493074d853cb584,
cipher_suite: TLS13_AES_256_GCM_SHA384,
compression_method: Null,
extensions: [
SupportedVersions(
TLSv1_3,
),
KeyShare(
KeyShareEntry {
group: secp256r1,
payload: 04df31aa7f64f8a7790e39474b03758cf1c1a67d3a55c2a06c6f913e3130e157a571da277d0e84f27d208da63f137efc140ba72afa8325b8f82a8da74d7cd7a173,
},
),
],
}
DEBUG rustls::client::hs > Using ciphersuite TLS13_AES_256_GCM_SHA384
DEBUG rustls::client::tls13 > Not resuming
TRACE rustls::client::client_conn > EarlyData rejected
DEBUG rustls::client::tls13 > TLS1.3 encrypted extensions: []
DEBUG rustls::client::hs > ALPN protocol is None
TRACE rustls::client::tls13 > Server cert is [Certifi")]
WARN rustls::conn > Sending fatal alert BadCertificate
Error: https://api.github.com/repos/solokeys/solo2/releases/latest: Connection Failed: tls connection init failed: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
Yep this is what i thought was happening. The TLS communication from your computer is being MITM'ed by your companies (?paypal) firewall so they can inspect all the traffic in and out of their network and devices. Pretty much standard in enterprise devices and networks.
The company has configured their root CA cert as trusted by your device (you will see an addition with the name of your company in SSL certs in keychain) which allows the browser to trust the certificates they are issuing so it loads in the browser just fine (with your company cert as the upstream trusted as they MITMed it)
A cursory look at he source code for the solo2-cli it looks like the ureq
crate that performs the TLS connection is set by default to its tls
trust setting that uses the webkit-pki
roots crate issued by Mozilla as the list of trusted roots - this means any locally installed root certs (your companies) are not trusted by the solo2-cli so will be rejected.
If the solo2-cli used ureq
in the native-tls
configuration it would use your OS cert store and this would work for you.
My advice would be to use a non work device and connection to update the key, It will probably work if you disconnect from zscaler/VPN then your network connection wont be proxied through your company. Also this serves as a reminder not to use your work device for personal things as they can see all the network data.
Thanks for the confirmation. It's in fact to be used for my professional usage :-) as I'd like to use my Solokey for this purpose. Thanks a lot for identifying this.
When doing a "solo2 update" I get a
Any solution ?
Thank you for your help