search

tls-attacker / TLS-Attacker

TLS-Attacker is a Java-based framework for analyzing TLS libraries. It can be used to manually test TLS clients and servers or as as a software library for more advanced tools.
Apache License 2.0
789 stars 136 forks source link

tls13 request is not sending default signature algorithm needed for tls13 #82

Closed sajualways closed 4 years ago

sajualways commented 4 years ago

the below list does not contain / RSASSA-PSS algorithms with public key OID rsaEncryption / rsa_pss_rsae_sha256(0x0804), rsa_pss_rsae_sha384(0x0805), rsa_pss_rsae_sha512(0x0806),

extension_type=signature_algorithms(13), length=44

UNKNOWN (0x0102)
      dsa_sha1 (0x0202)
      dsa_sha224 (0x0302)
      dsa_sha256 (0x0402)
      dsa_sha384 (0x0502)
      dsa_sha512 (0x0602)
      UNKNOWN (0x0101)
      rsa_pkcs1_sha1 (0x0201)
      rsa_pkcs1_sha224 (0x0301)
      rsa_pkcs1_sha256 (0x0401)
      rsa_pkcs1_sha384 (0x0501)
      rsa_pkcs1_sha512 (0x0601)
      UNKNOWN (0x0103)
      ecdsa_sha1 (0x0203)
      ecdsa_sha224 (0x0303)
      ecdsa_secp256r1_sha256 (0x0403)
      ecdsa_secp384r1_sha384 (0x0503)
      ecdsa_secp521r1_sha512 (0x0603)
      gost2001_gost94 (0xeded)
      gost2012_256 (0xeeee)
      gost2012_512 (0xefef)

I was using "../resources/configs/tls13.config" and server fails with ERROR 139741554411328:error:14201076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:ssl/t1_lib.c:2589: shutting down SSL

ic0ns commented 4 years ago

Ah, I think the problem is that the field got renamed in the config class but not renamed in the tls13.config file. It was called "supportedSignatureAndHashAlgorithms" before and is now called "defaultClientSupportedSignatureAndHashAlgorithms". If you exchange those names in the config it should work again.

sajualways commented 4 years ago

shall i update the latest git repository ?

sajualways commented 4 years ago

i am getting build failure when i try to download latest version and build

[INFO] TLS-Attacker 3.5.0 ................................. SUCCESS [ 1.014 s] [INFO] Utils .............................................. FAILURE [ 6.507 s] [INFO] Transport .......................................... SKIPPED [INFO] TLS-Core ........................................... SKIPPED [INFO] TLS-Client ......................................... SKIPPED [INFO] TLS-Server ......................................... SKIPPED [INFO] TLS-Mitm ........................................... SKIPPED [INFO] Attacks ............................................ SKIPPED [INFO] TLS-Forensics ...................................... SKIPPED [INFO] TraceTool 3.5.0 .................................... SKIPPED [INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE

[INFO] ------------------------------------------------------------------------ [ERROR] Failed to execute goal on project Utils: Could not resolve dependencies for project de.rub.nds.tlsattacker:Utils:jar:3.5.0: The following artifacts could not be resolved: de.rub.nds:ModifiableVariable:jar:2.7, de.rub.nds:X509Attacker:jar:1.0: Failure to find de.rub.nds:ModifiableVariable:jar:2.7 in https://repo.maven.apache.org/maven2 was cached in the local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are forced -> [Help 1]

sajualways commented 4 years ago

Also when i tried to install ASN1-Tool and x509-Attacker it failed [INFO] ------------------------------------------------------------------------ [ERROR] Failed to execute goal on project Asn1Tool: Could not resolve dependencies for project de.rub.nds:Asn1Tool:jar:1.1.1: Failure to find de.rub.nds:ModifiableVariable:jar:2.7 in https://repo.maven.apache.org/maven2 was cached in the local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are forced -> [Help 1]

[ERROR] Failed to execute goal on project X509Attacker: Could not resolve dependencies for project de.rub.nds:X509Attacker:jar:1.0: Failure to find de.rub.nds:Asn1Tool:jar:1.1.1 in https://repo.maven.apache.org/maven2 was cached in the local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are forced -> [Help 1]

ic0ns commented 4 years ago

We had problems deploying the latest version of ModifiableVariables to maven central, the servers seemed to be busy. If you want the latest version, as of know, you also need to install the ModifiableVariable package.

shall i update the latest git repository ?

That would be nice :)

sajualways commented 4 years ago

It worked after downloading ModifiableVariable package but now when i add this below line 

<defaultClientNamedGroups>SECP256R1</defaultClientNamedGroups>
<defaultServerNamedGroups>SECP256R1</defaultServerNamedGroups>
<defaultSelectedNamedGroup>SECP256R1</defaultSelectedNamedGroup>

it is sending "bad key share" alert from server

sajualways commented 4 years ago

i think it is always sending irrespective of what is used in config file

SECP256R1 
<defaultSelectedNamedGroup>SECP256R1</defaultSelectedNamedGroup>

    extension_type=key_share(51), length=38
        NamedGroup: ecdh_x25519 (29)
        key_exchange:  (len=32): B1E8236B631E19D86B28A6FF4D5F4B39D41EDDF47AB7D3A9579506DEC3DA272A
mmaehren commented 4 years ago

The current version of TLS-Attacker uses the defaultClientKeyShareEntries field of the Config to allow the user to add specific key shares instead of generating key shares for all supported groups

sajualways commented 4 years ago

OK..thanks