TLS client authentication: missing ciphers #249

Open
tmanninger opened this issue Jun 7, 2021 · 4 comments

Comments

@tmanninger

Hi,

I am using haproxy and sslscan 2.0.10.

Before I enabled client certificate authentication, sslscan returned the following ciphers:

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled

...
  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-CHACHA20-POLY1305   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve 25519 DHE 253

After I enabled certificate authentication, sslscan is only returning TLSv1.3 ciphers:

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled

  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253

I also started a test with https://www.ssllabs.com/ssltest/ ; this tool returns all TLSv1.2 + TLSv1.3 ciphers while client authentication is enabled.

Therefore I think this is a bug.
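The two outputs above show the inconsistency the report is about: the protocol section says TLSv1.2 is enabled, but the cipher section lists no TLSv1.2 suite. As an added example (not part of the issue or of sslscan itself), the script below parses sslscan's text output and flags exactly that kind of mismatch, so a scan result that is internally inconsistent is caught before anyone reads it as "the server only offers TLS 1.3". The two sample outputs are constructed from the text quoted in this issue; the function names and the line format assumed by the regular expressions are this example's own assumptions about sslscan 2.0.x output.

```python
"""Sanity-check sslscan text output: every protocol reported as 'enabled'
should have at least one suite under 'Supported Server Cipher(s)', and every
listed suite should belong to an enabled protocol.  (Added example, not
sslscan's own code.)"""
import re
from collections import defaultdict

# Constructed sample 1: the output from the issue *before* client auth was enabled.
SAMPLE_BEFORE = """\
  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled

  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-CHACHA20-POLY1305   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
"""

# Constructed sample 2: the output *after* client auth was enabled; TLSv1.2 is
# still reported enabled but no TLSv1.2 suite appears.
SAMPLE_AFTER = """\
  SSL/TLS Protocols:
TLSv1.2   enabled
TLSv1.3   enabled

  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
"""

# Assumed line shapes: "<proto>   enabled|disabled" and
# "Preferred|Accepted  <proto>  <n> bits  <suite> ...".
PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1\.[0-3])\s+(enabled|disabled)\s*$")
CIPHER_RE = re.compile(
    r"^(Preferred|Accepted)\s+(SSLv[23]|TLSv1\.[0-3])\s+(\d+)\s+bits\s+(\S+)")


def parse_sslscan(text):
    """Return (protocols, ciphers): {proto: enabled_bool}, {proto: [suite dicts]}."""
    protocols = {}
    ciphers = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = PROTO_RE.match(line)
        if m:
            protocols[m.group(1)] = m.group(2) == "enabled"
            continue
        m = CIPHER_RE.match(line)
        if m:
            ciphers[m.group(2)].append({
                "preferred": m.group(1) == "Preferred",
                "bits": int(m.group(3)),
                "name": m.group(4),
            })
    return protocols, dict(ciphers)


def find_inconsistencies(protocols, ciphers):
    """List protocols enabled without suites, and suites listed for a
    protocol that is not reported enabled."""
    problems = []
    for proto, enabled in protocols.items():
        if enabled and not ciphers.get(proto):
            problems.append(f"{proto} reported enabled but no ciphers listed")
    for proto in ciphers:
        if not protocols.get(proto, False):
            problems.append(f"{proto} ciphers listed but protocol not enabled")
    return problems


def check_output(text):
    """Convenience wrapper: parse and return the list of problems (empty = consistent)."""
    return find_inconsistencies(*parse_sslscan(text))


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_output(sample) or "consistent")
```

Run against the "after" output the checker reports that TLSv1.2 is enabled but has no ciphers listed, which is the signal to re-verify the TLS 1.2 suites with another tool (as the reporter did with SSL Labs) rather than trusting the scan as-is.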

@rbsec
Owner

rbsec commented Jun 7, 2021

Do you have a pcap you could share for this? Client certs aren't very common, so this code hasn't really had a huge amount of testing.

@tmanninger
Author

tmanninger commented Jun 8, 2021

I uploaded 2 pcaps, one without client auth (which returns the correct ciphers) and one with client auth (which returns only TLSv1.3 ciphers).

sslscan_pcaps.zip

@rbsec
Owner

rbsec commented Jun 11, 2021

Thanks. I'm afraid I don't have a huge amount of time for this project at the moment, but I'll take a look at these when I get a chance and see if I can work out what's going wrong.

@rbsec
Owner

rbsec commented Jul 2, 2021

I had a look into this earlier in the week and I couldn't see anything obviously wrong in the pcap files. The client certificate stuff is all just using built-in OpenSSL functionality, so there's not much custom stuff we're doing with it.

I don't have a haproxy instance to test against, but the badssl.com client certificate sites seemed to work fine with sslscan for me. Do they work correctly with the version you're running, or is that broken as well?

Thanks
