tlse
tlse copied to clipboard
eduardsui
nginx servers need signature algorithm extension
Without it they throw an ALERT MESSAGE 0x02 0x50 which is of course totally unhelpful. Increasing extension_len by 22 and then adding this extension to the hello seems to fix it. Note this pretty much allows any kind of cert; maybe we should pare it back to what TLSe actually supports.
/* CK: accept any signature algorithm */
tls_packet_uint16(packet, 0x000d);
tls_packet_uint16(packet, 0x0012);
tls_packet_uint16(packet, 0x0010);
tls_packet_uint16(packet, 0x0401);
tls_packet_uint16(packet, 0x0403);
tls_packet_uint16(packet, 0x0501);
tls_packet_uint16(packet, 0x0503);
tls_packet_uint16(packet, 0x0601);
tls_packet_uint16(packet, 0x0603);
tls_packet_uint16(packet, 0x0201);
tls_packet_uint16(packet, 0x0203);
Didn't know that. Can you provide an address to test it with?
This is the list of supported signatures:
if (!context->is_server) {
// signature algorithms
tls_packet_uint16(packet, 0x0D);
tls_packet_uint16(packet, 24);
tls_packet_uint16(packet, 22);
tls_packet_uint16(packet, 0x0403);
tls_packet_uint16(packet, 0x0503);
tls_packet_uint16(packet, 0x0603);
tls_packet_uint16(packet, 0x0804);
tls_packet_uint16(packet, 0x0805);
tls_packet_uint16(packet, 0x0806);
tls_packet_uint16(packet, 0x0401);
tls_packet_uint16(packet, 0x0501);
tls_packet_uint16(packet, 0x0601);
tls_packet_uint16(packet, 0x0203);
tls_packet_uint16(packet, 0x0201);
}
Ok, so after a little debugging, ish.app and std.fyi are working. Not sure about lobste.rs. I think is the same problem that Ron is having. I'm comparing clienthello generated with openssl and TLSe. OpenSSl works, mine doesn't...