Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature request] Verify support for long CilentHello messages #2493

Open
dcooper16 opened this issue Apr 29, 2024 · 4 comments
Open

[Feature request] Verify support for long CilentHello messages #2493

dcooper16 opened this issue Apr 29, 2024 · 4 comments

Comments

@dcooper16
Copy link
Contributor

Which version are you referring to
3.2+

Please check this repo whether this is a known feature request
no

Describe your feature request (if it's a technical feature)

According to https://tldr.fail/ there are some servers that will fail if the ClientHello message is long. The issue mainly occurs if the ClientHello message is not sent in a single packet. This is causing problems now as browsers are starting to send ClientHello messages with post-quantum public keys in the key share extension. testssl.sh should consider adding a test for this issue.

If your feature request otherwise is related to a usage problem, please describe it
no

Describe the solution you'd like
https://tldr.fail/ provides a Python script to test servers for this problem. However, testing for this should be a simple as starting with a ClientHello that is known to work against the server and then adding enough data to it to ensure that it won't fit into a single packet. For example, including a large key in the key share extension. Another option would be to send a short ClientHello, but break it up into multiple packets, but implementing that might be a little more difficult.
@drwetter
Copy link
Owner

Good idea, @dcooper16 .

Do you know of any public web sites which fail, best deliberately?

@dcooper16
Copy link
Contributor Author

Do you know of any public web sites which fail, best deliberately?

No. Yesterday, a co-worker pointed out an article noting that some users are experiencing problems now that the latest versions of some browsers are offering post-quantum algorithms for key agreement by default. I just wanted to raise the issue here before I forgot.

Given that testing was done before the browsers enabled this by default, the problem must not be that common. That may make it difficult to find a site to test against to help verify that the code is correct.

@drwetter
Copy link
Owner

Not sure I understand the python program correctly *) . Am I right there should be just an exception after the first write (Sending the ClientHello in a single write)

*) This PR needed to be applied in my case: https://patch-diff.githubusercontent.com/raw/dadrian/tldr.fail/pull/5.diff

@drwetter
Copy link
Owner

drwetter commented May 1, 2024

Found more information. The guys from cyberstorm.mu (hi/bonjour) tested IP from their country, see https://github.com/JoottunAtish/TLDR_TESTING . There's also information which failed by the time of the assessment, i.e. 2 months ago.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@drwetter @dcooper16