Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nginx servers need signature algorithm extension #58

Open
classilla opened this issue Nov 9, 2020 · 6 comments
Open

nginx servers need signature algorithm extension #58

classilla opened this issue Nov 9, 2020 · 6 comments

Comments

@classilla
Copy link

Without it they throw an ALERT MESSAGE 0x02 0x50 which is of course totally unhelpful. Increasing extension_len by 22 and then adding this extension to the hello seems to fix it. Note this pretty much allows any kind of cert; maybe we should pare it back to what TLSe actually supports.

                /* CK: accept any signature algorithm */
                tls_packet_uint16(packet, 0x000d);
                tls_packet_uint16(packet, 0x0012);
                tls_packet_uint16(packet, 0x0010);
                tls_packet_uint16(packet, 0x0401);
                tls_packet_uint16(packet, 0x0403);
                tls_packet_uint16(packet, 0x0501);
                tls_packet_uint16(packet, 0x0503);
                tls_packet_uint16(packet, 0x0601);
                tls_packet_uint16(packet, 0x0603);
                tls_packet_uint16(packet, 0x0201);
                tls_packet_uint16(packet, 0x0203);
@eduardsui
Copy link
Owner

Didn't know that. Can you provide an address to test it with?

This is the list of supported signatures:

            if (!context->is_server) {
                // signature algorithms
                tls_packet_uint16(packet, 0x0D);
                tls_packet_uint16(packet, 24);
                tls_packet_uint16(packet, 22);
                tls_packet_uint16(packet, 0x0403);
                tls_packet_uint16(packet, 0x0503);
                tls_packet_uint16(packet, 0x0603);
                tls_packet_uint16(packet, 0x0804);
                tls_packet_uint16(packet, 0x0805);
                tls_packet_uint16(packet, 0x0806);
                tls_packet_uint16(packet, 0x0401);
                tls_packet_uint16(packet, 0x0501);
                tls_packet_uint16(packet, 0x0601);
                tls_packet_uint16(packet, 0x0203);
                tls_packet_uint16(packet, 0x0201);
            }

@classilla
Copy link
Author

lobste.rs and ish.app were the ones I believe I ran into this first on.

@eduardsui
Copy link
Owner

Ok, so after a little debugging, ish.app and std.fyi are working. Not sure about lobste.rs. I think is the same problem that Ron is having. I'm comparing clienthello generated with openssl and TLSe. OpenSSl works, mine doesn't...

@dpronin
Copy link
Contributor

dpronin commented Aug 20, 2024

@classilla this has helped me

@dpronin
Copy link
Contributor

dpronin commented Oct 9, 2024

@classilla could we close the issue?

@classilla
Copy link
Author

I have my own fork of TLSe now and made my own fix for this a long time ago, so I can't say if your fix works or not.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dpronin @classilla @eduardsui