
ERR_SSL_NO_CIPHER_MATCH when using a TLS v1.0 cipher in proxy setting

Open raditp opened this issue 5 years ago • 3 comments

Expected behaviour

I configured mountebank with the proxy setting below to proxy to the real service.

    "proxy": {
        "to": "https://myserver.test.com",
        "mode": "proxyAlways",
        "ciphers": "RC4-SHA"
    }

RC4-SHA should be a valid TLS v1 cipher.

Actual behaviour

I got a "no cipher match" error when proxying to the real service:

::ffff:10.131.15.102:42356 X=> {"library":"SSL routines","function":"SSL_CTX_set_cipher_list","reason":"no cipher match","code":"ERR_SSL_NO_CIPHER_MATCH","message":"error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match","name":"Error","stack":"Error: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match\n    at Object.createSecureContext (_tls_common.js:177:13)\n    at Object.connect (_tls_wrap.js:1401:48)\n    at Agent.createConnection (https.js:125:22)\n    at Agent.createSocket (_http_agent.js:234:26)\n    at Agent.addRequest (_http_agent.js:193:10)\n    at new ClientRequest (_http_client.js:276:16)\n    at Object.request (https.js:309:10)\n    at Object.<anonymous> (/usr/local/mountebank-v2.1.2-linux-x64/mountebank/node_modules/agent-base/patch-core.js:23:20)\n    at Object.request (/usr/local/mountebank-v2.1.2-linux-x64/mountebank/node_modules/https-proxy-agent/node_modules/agent-base/patch-core.js:25:22)\n    at getProxyRequest (/usr/local/mountebank-v2.1.2-linux-x64/mountebank/src/models/http/httpProxy.js:93:41)"}

Not sure if this is because these ciphers are not available in recent node.js versions or not.

Steps to reproduce

  1. Use node.js version 12.13.1 with the latest mb version
  2. Use "ciphers": "RC4-SHA" in the proxy
  3. Try to create a request that would proxy to the real service

Software versions used

OS         : MacOS 10.14.6
mountebank : 2.1.2
node.js    : 12.13.1
  (only if installed via npm)
Installation method : npm

raditp avatar Jan 22 '20 09:01 raditp

Hi there, You may have to change node's default cipher list to use an older cipher. See the documentation here: https://nodejs.org/dist/latest-v12.x/docs/api/tls.html#tls_tls_connect_options_callback . -Brandon


bbyars avatar Jan 22 '20 14:01 bbyars

Hi Brandon, I tried this config from the document to override the default TLS cipher suite, but it does not make any difference.

    export NODE_OPTIONS=--tls-cipher-list="RC4-SHA"
    mb --configfile imposters.ejs --allowInjection

Am I missing something?

raditp avatar Jan 24 '20 04:01 raditp

Some resources:

RC4 prohibited - https://tools.ietf.org/html/rfc7465

Apparently RC4 support is also dropped in nodejs.

Try https://www.ssllabs.com/ssltest/index.html to verify if the server indeed supports RC4-SHA.

dcRUSTy avatar Jul 07 '20 07:07 dcRUSTy