Comments (4)
Thanks for the report!
I'll go through them one by one later, two items caught my eye though:
when there are no overlapping parameters. tlslite-ng sends an 'illegal parameter' alert
Could you explain in what situation it happens? In majority of cases it should send the correct handshake_failure
or insufficient_security
.
upon receiving a ClientHello that contains elliptic curve extensions but no ECC cipher suite
I don't think enforcing that is useful; the extension may have been included because of an ECC ciphersuite that's unknown to the server, and even if all the ciphersuites are known, that's rather brittle code that does not increase interoperability or security.
from tlslite-ng.
Thank you for the feedback. We agree that enforcing this ECC cipher suite check may cause problems - that's a good point! I think the alert description for the lack of overlapping parameters may be caused by deprecated groups we include in the ClientHello we send in the test.
from tlslite-ng.
I think the alert description for the lack of overlapping parameters may be caused by deprecated groups we include in the ClientHello we send in the test.
RFC 8446 says that deprecated groups "MUST NOT be offered or negotiated by TLS 1.3 implementations."; so that's what causing the rejection: if the ClientHello is recognised as a TLS 1.3 CH, and includes those obsolete curves then technically the message is malformed, so illegal_parameter
is appropriate here. If you send them in TLS 1.2 you should see the expected handshake_failure
, similar behaviour should be observed when using the unassigned curves (like from GREASE range).
from tlslite-ng.
Yes, it's a false positive on our end - sorry if my last comment didn't convey this.
from tlslite-ng.
Related Issues (20)
- sent certificate types don't depend on settings
- tlslite continues with the handshake after receiving multiple CCS messages in one TLS record
- RSA key generation sometimes fails
- Example tls server supporting both SRP and ClientAuth HOT 2
- tlslite-ng can't parse certificates with rsa-pss signatures created by openssl 3.0
- Type Hints HOT 2
- Add brainpool TLS 1.3 sig alg definitions
- How to integrate with http libraries like aiohttp or httpx? HOT 1
- ClientHello custom extension field HOT 5
- SMTP Connection with GMAIL HOT 16
- backword compatibility HOT 1
- Issue: module 'Crypto.Cipher.AES' has no attribute 'AESCipher' HOT 1
- Clienthello sessionid field lack of length inspection HOT 1
- Lack of check for some messages' Record Version field HOT 2
- Re-introduce support for async io in python 3.12 HOT 1
- How to not send TLS_EMPTY_RENEGOTIATION_INFO ? HOT 1
- Adding ECPoints TLS 1.2 formats HOT 7
- TLS extensions order HOT 1
- Support for SSLKEYLOGFILE
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from tlslite-ng.