
🐛 ClientHelloInfo not populated

Open own2pwn opened this issue 2 years ago • 2 comments

Bug Description

ClientHelloInfo will not be populated when using the ListenTLSWithCertificate method. This is because tls.Config uses the GetCertificate method and provides non-nil certificates, and it will only be called if the client provides SNI or if the Certificates field is empty, as stated in the documentation.

How to Reproduce

app := fiber.New()
// has_hello is false whenever no ClientHello was captured for this connection.
app.Get("/hello", func(c *fiber.Ctx) error {
    return c.JSON(fiber.Map{"has_hello": c.ClientHelloInfo() != nil})
})
log.Fatal(app.ListenTLS(":1337", "cert.pem", "key.pem")) // standard library log

Expected Behavior

GetConfigForClient returning nil, nil can be used instead of GetCertificate.

Fiber Version

v2.46.0, v2.48.0

Code Snippet (optional)

package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"log"
	"math/big"
	"net"
	"os"
	"time"

	"github.com/gofiber/fiber/v2"
)

// generateCerts writes a self-signed certificate for 127.0.0.1 to cert.pem
// and its RSA private key to key.pem (mode 0600).
func generateCerts() error {
	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}

	template := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Organization: []string{"ACME"},
		},
		IPAddresses: []net.IP{
			net.ParseIP("127.0.0.1"),
		},
		NotBefore:   time.Now(),
		NotAfter:    time.Now().Add(time.Hour * 24 * 365),
		KeyUsage:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:        true,
	}

	// Self-signed: the template is both subject and issuer.
	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
	if err != nil {
		return err
	}

	certOut, err := os.Create("cert.pem")
	if err != nil {
		return err
	}
	defer certOut.Close()
	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
		return err
	}

	keyOut, err := os.OpenFile("key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	defer keyOut.Close()
	return pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)})
}

func main() {
	if err := generateCerts(); err != nil {
		log.Fatal(err)
	}
	app := fiber.New()
	// Reports whether Fiber captured the TLS ClientHello for this connection.
	app.Get("/hello", func(c *fiber.Ctx) error {
		return c.JSON(fiber.Map{"has_hello": c.ClientHelloInfo() != nil})
	})
	log.Fatal(app.ListenTLS(":1337", "cert.pem", "key.pem"))
}

Checklist:

  • [X] I agree to follow Fiber's Code of Conduct.
  • [X] I have checked for existing issues that describe my problem prior to opening this one.
  • [X] I understand that improperly formatted bug reports may be closed without explanation.

own2pwn avatar Aug 09 '23 22:08 own2pwn
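The crypto/tls behaviour the report relies on, shown as an added example that is neither Fiber's code nor part of this issue: one loopback handshake against a server whose Certificates field is already populated, hooking either GetCertificate (the callback the report says ListenTLSWithCertificate uses) or GetConfigForClient returning nil, nil (the alternative proposed above), each tried with and without SNI. The helper names selfSignedCert and HelloSeen, the in-memory self-signed certificate and the "localhost" server name are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway in-memory cert for 127.0.0.1 (constructed for this example).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// HelloSeen runs one TLS handshake over loopback against a server whose Certificates
// field is already set, hooking GetConfigForClient (true) or GetCertificate (false),
// and reports whether the hook received a ClientHelloInfo. sendSNI controls server_name.
func HelloSeen(viaGetConfigForClient, sendSNI bool) (bool, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return false, err
	}
	seen := false // set inside the hook; read only after the server goroutine reports back
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}}
	if viaGetConfigForClient {
		// crypto/tls invokes GetConfigForClient for every ClientHello, SNI or not.
		srvCfg.GetConfigForClient = func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
			seen = chi != nil
			return nil, nil // nil, nil keeps the original config
		}
	} else {
		// crypto/tls invokes GetCertificate only if Certificates is empty or the client sent SNI.
		srvCfg.GetCertificate = func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
			seen = chi != nil
			return nil, nil // nil, nil falls through to Certificates
		}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer raw.Close()
		srvErr <- tls.Server(raw, srvCfg).Handshake()
	}()
	cliCfg := &tls.Config{InsecureSkipVerify: true} // test only: the cert is self-signed
	if sendSNI {
		cliCfg.ServerName = "localhost" // any DNS name; IP literals are never sent as SNI
	}
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return false, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	if err := tls.Client(raw, cliCfg).Handshake(); err != nil {
		return false, fmt.Errorf("client handshake: %w", err)
	}
	if err := <-srvErr; err != nil {
		return false, fmt.Errorf("server handshake: %w", err)
	}
	return seen, nil
}

func main() {
	for _, sni := range []bool{false, true} {
		gc, errGC := HelloSeen(false, sni)
		gcfc, errGCFC := HelloSeen(true, sni)
		fmt.Printf("sni=%-5v GetCertificate seen=%v (%v)  GetConfigForClient seen=%v (%v)\n", sni, gc, errGC, gcfc, errGCFC)
	}
}
```

Only the GetCertificate hook without SNI reports seen=false. Go's own client omits the server_name extension for IP literals, so a client that connects to https://127.0.0.1:1337 as in the reproduction hits exactly that case, while a GetConfigForClient hook sees the ClientHello either way.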

Thanks for opening your first issue here! 🎉 Be sure to follow the issue template! If you need help or want to chat with us, join us on Discord https://gofiber.io/discord

welcome[bot] avatar Aug 09 '23 22:08 welcome[bot]

I've tried the code snippet you sent here and it works well for me. Can you provide another code snippet to reproduce the issue? @own2pwn

I tried ListenTLSWithCertificate with tls.LoadX509KeyPair. It works well too.

efectn avatar Oct 01 '23 13:10 efectn