search

tls-attacker / TLS-Attacker

TLS-Attacker is a Java-based framework for analyzing TLS libraries. It can be used to manually test TLS clients and servers or as as a software library for more advanced tools.
Apache License 2.0
789 stars 136 forks source link

TLS-Attacker as TLS1.2 server mode and handshake with cipher AES128-GCM-SHA256 failed with unexpected message #105

Closed ghost closed 3 years ago

ghost commented 3 years ago

Tried below commands: openssl s_client -connect 127.0.0.1:54000 -msg -tls1_2 -cipher AES256-GCM-SHA384 openssl s_client -connect 127.0.0.1:54000 -msg -tls1_2 -cipher AES128-GCM-SHA256

while handshake with cipher AES256-GCM-SHA384,AES128-GCM-SHA256 tls-attacker gives Level: AlertLevel{value=FATAL} Description: AlertDescription{value=UNEXPECTED_MESSAGE}

openssl s_client -connect 127.0.0.1:54000 -msg -tls1_2 -cipher AES256-GCM-SHA384
CONNECTED(00000003)
>>> ??? [length 0005]
    16 03 01 00 71
>>> TLS 1.2, Handshake [length 0071], ClientHello
    01 00 00 6d 03 03 a2 ae 77 af 19 83 93 ff 97 cc
    03 d9 93 ac 2c 67 d1 d3 d4 e3 d6 26 e4 96 49 cc
    9b 0c eb bb 71 a1 00 00 04 00 9d 00 ff 01 00 00
    40 00 23 00 00 00 16 00 00 00 17 00 00 00 0d 00
    30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 08
    0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 03
    03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 06
    02
<<< ??? [length 0005]
    16 03 03 00 2c
<<< TLS 1.2, Handshake [length 002c], ServerHello
    02 00 00 28 03 03 1d 97 85 a4 60 b4 20 bb 38 51
    d9 d4 7a cb 93 3d be 70 39 9b f6 c9 2d a3 3a f0
    1d 4f b7 70 e9 8c 00 00 9d 00 00 00
Can't use SSL_get_servername
<<< ??? [length 0005]
    16 03 03 04 01
<<< TLS 1.2, Handshake [length 0401], Certificate
    0b 00 03 fd 00 03 fa 00 03 f7 30 82 03 f3 30 82
    02 db a0 03 02 01 02 02 14 25 7d 87 4b 02 41 43
    0d 84 f0 79 50 88 39 cf e1 d8 15 9a e6 30 0d 06
    09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 88 31
    0b 30 09 06 03 55 04 06 13 02 49 4e 31 0b 30 09
    06 03 55 04 08 0c 02 54 53 31 0c 30 0a 06 03 55
    04 07 0c 03 48 59 44 31 12 30 10 06 03 55 04 0a
    0c 09 50 61 72 69 6d 69 74 68 61 31 0c 30 0a 06
    03 55 04 0b 0c 03 45 6e 67 31 16 30 14 06 03 55
    04 03 0c 0d 70 61 72 69 6d 69 74 68 61 2e 63 6f
    6d 31 24 30 22 06 09 2a 86 48 86 f7 0d 01 09 01
    16 15 63 6f 6e 74 61 63 74 40 70 61 72 69 6d 69
    74 68 61 2e 63 6f 6d 30 1e 17 0d 32 31 30 34 32
    32 31 32 31 36 32 37 5a 17 0d 33 31 30 34 32 30
    31 32 31 36 32 37 5a 30 81 88 31 0b 30 09 06 03
    55 04 06 13 02 49 4e 31 0b 30 09 06 03 55 04 08
    0c 02 54 53 31 0c 30 0a 06 03 55 04 07 0c 03 48
    59 44 31 12 30 10 06 03 55 04 0a 0c 09 50 61 72
    69 6d 69 74 68 61 31 0c 30 0a 06 03 55 04 0b 0c
    03 45 6e 67 31 16 30 14 06 03 55 04 03 0c 0d 70
    61 72 69 6d 69 74 68 61 2e 63 6f 6d 31 24 30 22
    06 09 2a 86 48 86 f7 0d 01 09 01 16 15 63 6f 6e
    74 61 63 74 40 70 61 72 69 6d 69 74 68 61 2e 63
    6f 6d 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d
    01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82
    01 01 00 d2 e2 96 c9 c3 ea 6f ed 70 d9 6e 8d 9a
    95 f8 8b c9 41 79 a8 a1 18 01 e6 5f 79 58 aa 3c
    8f 53 5d 4d 68 ac 08 a9 60 b2 c1 ca 9e a4 d8 2f
    93 0a 8a 59 6c 94 46 60 2b 70 c4 6d 7c 0c e3 26
    26 4b 95 36 79 8e 14 24 ee b5 f3 b1 ec 84 1f 57
    75 30 ba c6 6d 37 54 ee 4d 00 7d d5 f4 99 e0 59
    4b c4 9d d4 58 c8 f7 c3 91 87 43 94 aa fb 89 7c
    d1 bc 02 9a f4 5a b1 bb 19 da 52 0a e7 ef 00 fd
    8c da f7 f5 d3 6e b2 b5 0f 08 8f ad 4a b0 56 3f
    8b 1e cc 77 18 7d 21 cd 2a 4a 3f 02 1c c5 07 91
    d8 4c 14 7d c2 26 65 9d c0 52 08 24 eb e9 92 f8
    30 d1 8d dc 90 01 7b 7a f0 c7 41 97 b6 62 3b 1a
    e3 d8 88 b3 6d 06 a2 85 74 1a ba f8 9a 6a 8a d3
    21 35 2f 30 ba 4b fa 72 da 6b 43 27 37 c9 25 0d
    bd 00 a4 d7 de 2a df e0 d0 39 db 45 0d 0b 1a d6
    27 ed e8 9c b6 b6 0e 79 9e ed e7 48 40 c9 4e 03
    65 de bb 02 03 01 00 01 a3 53 30 51 30 1d 06 03
    55 1d 0e 04 16 04 14 b7 79 1e e6 6e 48 77 90 12
    8d d2 ea 6e 89 75 84 31 82 f8 08 30 1f 06 03 55
    1d 23 04 18 30 16 80 14 b7 79 1e e6 6e 48 77 90
    12 8d d2 ea 6e 89 75 84 31 82 f8 08 30 0f 06 03
    55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 0d 06
    09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01
    00 cb 6a 0e 3a 7f a8 0b 64 ac bc 6e 0e a8 7d 9c
    c4 9e d9 38 af b9 50 c8 4f 20 39 07 d6 e0 fd 55
    24 28 df 63 aa c9 be 63 15 1c 53 06 32 48 36 73
    51 f8 72 a6 fe 3c 0e c8 15 73 73 43 1d 43 32 26
    c5 35 0d d4 fb 5b 8d d2 f5 02 fb 0c 25 af ca cb
    dd 4e bb 79 89 9d 3c 2a e4 1c 37 31 72 7d a3 66
    38 31 93 fc bc 2a b2 8e 13 3c 49 25 46 02 03 c1
    1f ef ce e9 6b 1f 47 43 1b 03 59 fe 0e 3a 8f ff
    fb 70 05 1f 5e fd 3f 59 da 4a aa 4d ff 35 df 7c
    70 44 92 4e 73 06 13 45 40 21 cc b8 b2 02 66 c9
    b1 af c7 27 9d f9 33 20 4a 37 cc aa 9a fb fc 2b
    71 64 2c b3 9e d3 bc 90 f2 da 75 1f 48 e4 88 19
    f0 85 9c e7 37 d3 a0 1e 70 1d cd e1 ad 79 24 59
    39 28 ea fe ae bd b6 a2 d5 24 9d f9 30 fd 73 7a
    24 44 86 17 22 5d 16 bc d9 b4 85 37 c0 e4 0e 7d
    92 9d b9 f8 69 2a 9a f5 7f 4a 3e 36 55 91 45 02
    ae
depth=0 C = IN, ST = TS, L = HYD, O = Parimitha, OU = Eng, CN = parimitha.com, emailAddress = contact@parimitha.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = IN, ST = TS, L = HYD, O = Parimitha, OU = Eng, CN = parimitha.com, emailAddress = contact@parimitha.com
verify return:1
<<< ??? [length 0005]
    16 03 03 01 4d
>>> ??? [length 0005]
    15 03 03 00 02
>>> TLS 1.2, Alert [length 0002], fatal unexpected_message
    02 0a
4585721344:error:141A10F4:SSL routines:ossl_statem_client_read_transition:unexpected message:ssl/statem/statem_clnt.c:395:
---
Certificate chain
 0 s:C = IN, ST = TS, L = HYD, O = Parimitha, OU = Eng, CN = parimitha.com, emailAddress = contact@parimitha.com
   i:C = IN, ST = TS, L = HYD, O = Parimitha, OU = Eng, CN = parimitha.com, emailAddress = contact@parimitha.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID8zCCAtugAwIBAgIUJX2HSwJBQw2E8HlQiDnP4dgVmuYwDQYJKoZIhvcNAQEL
BQAwgYgxCzAJBgNVBAYTAklOMQswCQYDVQQIDAJUUzEMMAoGA1UEBwwDSFlEMRIw
EAYDVQQKDAlQYXJpbWl0aGExDDAKBgNVBAsMA0VuZzEWMBQGA1UEAwwNcGFyaW1p
dGhhLmNvbTEkMCIGCSqGSIb3DQEJARYVY29udGFjdEBwYXJpbWl0aGEuY29tMB4X
DTIxMDQyMjEyMTYyN1oXDTMxMDQyMDEyMTYyN1owgYgxCzAJBgNVBAYTAklOMQsw
CQYDVQQIDAJUUzEMMAoGA1UEBwwDSFlEMRIwEAYDVQQKDAlQYXJpbWl0aGExDDAK
BgNVBAsMA0VuZzEWMBQGA1UEAwwNcGFyaW1pdGhhLmNvbTEkMCIGCSqGSIb3DQEJ
ARYVY29udGFjdEBwYXJpbWl0aGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA0uKWycPqb+1w2W6NmpX4i8lBeaihGAHmX3lYqjyPU11NaKwIqWCy
wcqepNgvkwqKWWyURmArcMRtfAzjJiZLlTZ5jhQk7rXzseyEH1d1MLrGbTdU7k0A
fdX0meBZS8Sd1FjI98ORh0OUqvuJfNG8Apr0WrG7GdpSCufvAP2M2vf1026ytQ8I
j61KsFY/ix7Mdxh9Ic0qSj8CHMUHkdhMFH3CJmWdwFIIJOvpkvgw0Y3ckAF7evDH
QZe2Yjsa49iIs20GooV0Grr4mmqK0yE1LzC6S/py2mtDJzfJJQ29AKTX3irf4NA5
20UNCxrWJ+3onLa2Dnme7edIQMlOA2XeuwIDAQABo1MwUTAdBgNVHQ4EFgQUt3ke
5m5Id5ASjdLqbol1hDGC+AgwHwYDVR0jBBgwFoAUt3ke5m5Id5ASjdLqbol1hDGC
+AgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAy2oOOn+oC2Ss
vG4OqH2cxJ7ZOK+5UMhPIDkH1uD9VSQo32Oqyb5jFRxTBjJINnNR+HKm/jwOyBVz
c0MdQzImxTUN1PtbjdL1AvsMJa/Ky91Ou3mJnTwq5Bw3MXJ9o2Y4MZP8vCqyjhM8
SSVGAgPBH+/O6WsfR0MbA1n+DjqP//twBR9e/T9Z2kqqTf8133xwRJJOcwYTRUAh
zLiyAmbJsa/HJ535MyBKN8yqmvv8K3FkLLOe07yQ8tp1H0jkiBnwhZznN9OgHnAd
zeGteSRZOSjq/q69tqLVJJ35MP1zeiREhhciXRa82bSFN8DkDn2Snbn4aSqa9X9K
PjZVkUUCrg==
-----END CERTIFICATE-----
subject=C = IN, ST = TS, L = HYD, O = Parimitha, OU = Eng, CN = parimitha.com, emailAddress = contact@parimitha.com

issuer=C = IN, ST = TS, L = HYD, O = Parimitha, OU = Eng, CN = parimitha.com, emailAddress = contact@parimitha.com

---
No client certificate CA names sent
---
SSL handshake has read 1417 bytes and written 125 bytes
Verification error: self signed certificate
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1619699138
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no

Attached tls attacker debug log AES256_GCM_SHA384.log

mmaehren commented 3 years ago

Hi, by default, TLS-Attacker creates the list of messages that have to be sent throughout the handshake before the actual handshake takes place. This allows to set up modifications to messages prior to the execution but requires that the negotiated cipher suite is known before. If a wrong defaultSelectedCipherSutie is set, additional unwanted messages may be sent - this is the case here as TLS-Attacker sends a ServerKeyExchange message allthough a static RSA cipher suite gets negotiated. If you want to include or exclude the key exchange message dynamically based on the selected cipher suite, you can use the DYNAMIC_HANDSHAKE WorkflowTrace instead of HANDSHAKE.

ghost commented 3 years ago

working as expected 👍🏼 Thanks @mmaehren