TLS Cipher support for CBC_SHA256


fatm...@gmail.com

Apr 28, 2016, 12:06:08 PM
to golang-nuts
Afternoon all

I'm trying to use GoLang to connect to a 3rd party API. 

However I've hit an issue with cipher suites, as it appears that there are no common cipher suites between crypto/tls and the 3rd party server.

It appears that the server is presenting a pretty limited CipherSuite list of:
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_RSA_WITH_AES_128_CBC_SHA256
Whereas my client is presenting:
* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
* TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
* TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
* TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
* TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
* TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
There are some that come close, but it seems that a lot of the CBC ciphers available in Golang don't support SHA256. 

Is there a specific reason for that? Or is there a way to enable them? Or am I just out of luck?

Cheers
Gavin 

Phus Lu

Apr 28, 2016, 12:58:26 PM
to golang-nuts, fatm...@gmail.com
Hi guy,

I use it to build my proxy - github.com/phuslu/goproxy , it works very well.

Regards,
Phus Lu

On Friday, 29 April 2016 at 00:06:08 UTC+8, fatm...@gmail.com wrote:

fatmcgav

Apr 28, 2016, 1:39:38 PM
to Phus Lu, golang-nuts

Looks sensible to me.. Will give it a go..

Any chance of getting it into official release?

Cheers
Gav

Nick Craig-Wood

Apr 29, 2016, 6:54:58 AM
to Phus Lu, golang-nuts, fatm...@gmail.com
That patch looks useful to me. I don't think it decreases the security
of the go TLS implementation. There may be reasons I don't understand
for not including it though.

Did you try sending a CL? https://golang.org/doc/contribute.html

I checked on tip and those ciphers still aren't in there.

(Speculation: I suspect they haven't been added because they include the
CBC mode.)

On 28/04/16 17:30, Phus Lu wrote:
> Hi guy,
>
> Please try this
> patch https://github.com/phuslu/go/commit/353372383f5bf452d3ca4a9425919cc423eb7e97
> I use it to build my proxy - github.com/phuslu/goproxy , it works very well.
>
> Regards,
> Phus Lu


--
Nick Craig-Wood <ni...@craig-wood.com> -- http://www.craig-wood.com/nick

fatm...@gmail.com

Apr 29, 2016, 7:06:13 AM
to golang-nuts, phu...@hotmail.com, fatm...@gmail.com
OK, a quick and dirty test confirms that this patch works...

However, it appears that it breaks some of the tests, which I'm confused by, as it hasn't touched those ciphers etc...

Failed tests are:
--- FAIL: TestHandshakeClientRSARC4 (0.00s)
        handshake_client_test.go:240: TLSv10-RSA-RC4 #0: mismatch on read: got:160301008b0100008703030000000000000000000000000000000000000000000000000000000000000000000028c02fc02bc030c02cc011c007c013c027c009c014c00a009c009d0005002f0035003c003dc012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100 want:16030100850100008103030000000000000000000000000000000000000000000000000000000000000000000022c02fc02bc030c02cc011c007c013c009c014c00a009c009d0005002f0035c012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100010000120000
--- FAIL: TestHandshakeClientRSAAES128GCM (0.00s)
        handshake_client_test.go:240: TLSv12-AES128-GCM-SHA256 #0: mismatch on read: got:160301008b0100008703030000000000000000000000000000000000000000000000000000000000000000000028c02fc02bc030c02cc011c007c013c027c009c014c00a009c009d0005002f0035003c003dc012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100 want:16030100850100008103030000000000000000000000000000000000000000000000000000000000000000000022c02fc02bc030c02cc011c007c013c009c014c00a009c009d0005002f0035c012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100010000120000
--- FAIL: TestHandshakeClientRSAAES256GCM (0.00s)
        handshake_client_test.go:240: TLSv12-AES256-GCM-SHA384 #0: mismatch on read: got:160301008b0100008703030000000000000000000000000000000000000000000000000000000000000000000028c02fc02bc030c02cc011c007c013c027c009c014c00a009c009d0005002f0035003c003dc012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100 want:16030100850100008103030000000000000000000000000000000000000000000000000000000000000000000022c02fc02bc030c02cc011c007c013c009c014c00a009c009d0005002f0035c012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100010000120000
--- FAIL: TestHandshakeClientECDHERSAAES (0.00s)
        handshake_client_test.go:240: TLSv10-ECDHE-RSA-AES #0: mismatch on read: got:160301008b0100008703030000000000000000000000000000000000000000000000000000000000000000000028c02fc02bc030c02cc011c007c013c027c009c014c00a009c009d0005002f0035003c003dc012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100 want:16030100850100008103030000000000000000000000000000000000000000000000000000000000000000000022c02fc02bc030c02cc011c007c013c009c014c00a009c009d0005002f0035c012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100010000120000
--- FAIL: TestHandshakeClientECDHEECDSAAES (0.00s)
        handshake_client_test.go:240: TLSv10-ECDHE-ECDSA-AES #0: mismatch on read: got:160301008b0100008703030000000000000000000000000000000000000000000000000000000000000000000028c02fc02bc030c02cc011c007c013c027c009c014c00a009c009d0005002f0035003c003dc012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100 want:16030100850100008103030000000000000000000000000000000000000000000000000000000000000000000022c02fc02bc030c02cc011c007c013c009c014c00a009c009d0005002f0035c012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100010000120000
--- FAIL: TestHandshakeClientECDHEECDSAAESGCM (0.00s)
        handshake_client_test.go:240: TLSv12-ECDHE-ECDSA-AES-GCM #0: mismatch on read: got:160301008b0100008703030000000000000000000000000000000000000000000000000000000000000000000028c02fc02bc030c02cc011c007c013c027c009c014c00a009c009d0005002f0035003c003dc012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100 want:16030100850100008103030000000000000000000000000000000000000000000000000000000000000000000022c02fc02bc030c02cc011c007c013c009c014c00a009c009d0005002f0035c012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100010000120000
--- FAIL: TestHandshakeClientAES256GCMSHA384 (0.00s)
        handshake_client_test.go:240: TLSv12-ECDHE-ECDSA-AES256-GCM-SHA384 #0: mismatch on read: got:160301008b0100008703030000000000000000000000000000000000000000000000000000000000000000000028c02fc02bc030c02cc011c007c013c027c009c014c00a009c009d0005002f0035003c003dc012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100 want:16030100850100008103030000000000000000000000000000000000000000000000000000000000000000000022c02fc02bc030c02cc011c007c013c009c014c00a009c009d0005002f0035c012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100010000120000
--- FAIL: TestHandshakeClientCertRSA (0.00s)
        handshake_client_test.go:240: TLSv10-ClientCert-RSA-RSA #0: mismatch on read: got:160301008b0100008703030000000000000000000000000000000000000000000000000000000000000000000028c02fc02bc030c02cc011c007c013c027c009c014c00a009c009d0005002f0035003c003dc012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100 want:16030100850100008103030000000000000000000000000000000000000000000000000000000000000000000022c02fc02bc030c02cc011c007c013c009c014c00a009c009d0005002f0035c012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100010000120000
--- FAIL: TestHandshakeClientCertECDSA (0.02s)
        handshake_client_test.go:240: TLSv10-ClientCert-ECDSA-RSA #0: mismatch on read: got:160301008b0100008703030000000000000000000000000000000000000000000000000000000000000000000028c02fc02bc030c02cc011c007c013c027c009c014c00a009c009d0005002f0035003c003dc012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100 want:16030100850100008103030000000000000000000000000000000000000000000000000000000000000000000022c02fc02bc030c02cc011c007c013c009c014c00a009c009d0005002f0035c012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100010000120000
--- FAIL: TestHandshakeClientALPNMatch (0.00s)
        handshake_client_test.go:240: TLSv12-ALPN #0: mismatch on read: got:16030100a30100009f03030000000000000000000000000000000000000000000000000000000000000000000028c02fc02bc030c02cc011c007c013c027c009c014c00a009c009d0005002f0035003c003dc012000a0100004e33740000000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100010000100010000e0670726f746f320670726f74 want:160301009d0100009903030000000000000000000000000000000000000000000000000000000000000000000022c02fc02bc030c02cc011c007c013c009c014c00a009c009d0005002f0035c012000a0100004e33740000000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100010000100010000e0670726f746f320670726f746f3100120000
--- FAIL: TestHandshakeClientALPNNoMatch (0.00s)
        handshake_client_test.go:240: TLSv12-ALPN-NoMatch #0: mismatch on read: got:160301009c0100009803030000000000000000000000000000000000000000000000000000000000000000000028c02fc02bc030c02cc011c007c013c027c009c014c00a009c009d0005002f0035003c003dc012000a0100004733740000000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff010001000010000900070670726f74 want:16030100960100009203030000000000000000000000000000000000000000000000000000000000000000000022c02fc02bc030c02cc011c007c013c009c014c00a009c009d0005002f0035c012000a0100004733740000000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff010001000010000900070670726f746f3300120000
--- FAIL: TestHandshakClientSCTs (0.00s)
        handshake_client_test.go:240: TLSv12-SCT #0: mismatch on read: got:160301008b0100008703030000000000000000000000000000000000000000000000000000000000000000000028c02fc02bc030c02cc011c007c013c027c009c014c00a009c009d0005002f0035003c003dc012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100 want:16030100850100008103030000000000000000000000000000000000000000000000000000000000000000000022c02fc02bc030c02cc011c007c013c009c014c00a009c009d0005002f0035c012000a01000036000500050100000000000a00080006001700180019000b00020100000d000e000c040104030501050302010203ff0100010000120000
FAIL
FAIL    crypto/tls      0.487s

Any ideas what the cause might be?

Would be keen to get this patch into core, but obviously those tests need to pass... :s

Cheers
Gav
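An added example, not code from this thread or from the Go tree, to make the failures above legible: a small Go program that decodes the cipher_suites list from the got and want ClientHello dumps in the test output. The hex below is that dump laid out field by field with the extensions dropped, and the parser validates only the framing it needs to reach the list.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Built field by field from the got/want ClientHello dumps in the failing test output above (extensions omitted).
var (
	helloPrefix = "0303" + strings.Repeat("00", 32) + "00" // TLS 1.2, 32-byte zeroed random, session_id len 0
	gotHello    = "160301008b" + "01000087" + helloPrefix + "0028" +
		"c02fc02bc030c02cc011c007c013c027c009c014c00a009c009d0005002f0035003c003dc012000a" + "0100"
	wantHello = "1603010085" + "01000081" + helloPrefix + "0022" +
		"c02fc02bc030c02cc011c007c013c009c014c00a009c009d0005002f0035c012000a" + "0100"
)

// cipherSuites returns the suite IDs offered in a ClientHello record, checking only the framing
// it needs to reach the list (record and handshake length fields are not validated).
func cipherSuites(recordHex string) ([]uint16, error) {
	b, err := hex.DecodeString(recordHex)
	if err != nil {
		return nil, err
	}
	// 5-byte record header (0x16 handshake) + 4-byte handshake header (0x01 ClientHello), client_version, random, session_id length.
	if len(b) < 9+2+32+1 || b[0] != 0x16 || b[5] != 0x01 {
		return nil, errors.New("not a ClientHello record")
	}
	p := 9 + 2 + 32 + 1 + int(b[9+2+32]) // offset of the cipher_suites length field
	if len(b) < p+2 {
		return nil, errors.New("truncated before cipher_suites")
	}
	n := int(binary.BigEndian.Uint16(b[p:]))
	p += 2
	if n%2 != 0 || len(b) < p+n {
		return nil, fmt.Errorf("bad cipher_suites length %d", n)
	}
	suites := make([]uint16, 0, n/2)
	for i := 0; i < n; i += 2 {
		suites = append(suites, binary.BigEndian.Uint16(b[p+i:]))
	}
	return suites, nil
}
func main() {
	got, _ := cipherSuites(gotHello)
	want, _ := cipherSuites(wantHello)
	fmt.Printf("got  (%d): %04x\nwant (%d): %04x\n", len(got), got, len(want), want)
}
```

Both records decode to the same list except for three extra IDs in got, 0xc027 (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), 0x003c (TLS_RSA_WITH_AES_128_CBC_SHA256) and 0x003d (TLS_RSA_WITH_AES_256_CBC_SHA256), i.e. exactly the suites the patch adds. That is why tests that never negotiate these suites fail too: the recorded handshakes they compare against were captured from a client that did not offer them, so the ClientHello bytes (and the length fields covering them) no longer match.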

fatm...@gmail.com

Apr 29, 2016, 7:38:33 AM
to golang-nuts, phu...@hotmail.com, fatm...@gmail.com
Have raised an issue on GitHub - https://github.com/golang/go/issues/15487. Feel free to add your support ;)

Will see what the general consensus is before I press ahead with trying to understand/fix the test failures, and add additional tests for the new ciphers... 

Cheers
Gav