-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature request] Verify support for long CilentHello messages #2493
Comments
Good idea, @dcooper16 . Do you know of any public web sites which fail, best deliberately? |
No. Yesterday, a co-worker pointed out an article noting that some users are experiencing problems now that the latest versions of some browsers are offering post-quantum algorithms for key agreement by default. I just wanted to raise the issue here before I forgot. Given that testing was done before the browsers enabled this by default, the problem must not be that common. That may make it difficult to find a site to test against to help verify that the code is correct. |
Not sure I understand the python program correctly *) . Am I right there should be just an exception after the first write (Sending the ClientHello in a single write) *) This PR needed to be applied in my case: https://patch-diff.githubusercontent.com/raw/dadrian/tldr.fail/pull/5.diff |
Found more information. The guys from cyberstorm.mu (hi/bonjour) tested IP from their country, see https://github.com/JoottunAtish/TLDR_TESTING . There's also information which failed by the time of the assessment, i.e. 2 months ago. |
Which version are you referring to
3.2+
Please check this repo whether this is a known feature request
no
Describe your feature request (if it's a technical feature)
According to https://tldr.fail/ there are some servers that will fail if the ClientHello message is long. The issue mainly occurs if the ClientHello message is not sent in a single packet. This is causing problems now as browsers are starting to send ClientHello messages with post-quantum public keys in the key share extension. testssl.sh should consider adding a test for this issue.
If your feature request otherwise is related to a usage problem, please describe it
no
Describe the solution you'd like
https://tldr.fail/ provides a Python script to test servers for this problem. However, testing for this should be a simple as starting with a ClientHello that is known to work against the server and then adding enough data to it to ensure that it won't fit into a single packet. For example, including a large key in the key share extension. Another option would be to send a short ClientHello, but break it up into multiple packets, but implementing that might be a little more difficult.
The text was updated successfully, but these errors were encountered: