howsmyssl icon indicating copy to clipboard operation
howsmyssl copied to clipboard

Published 20 hours ago verified publisher icon jmhodges

`Handshake failure` when using Schannel's new TLS1_3_CLIENT on Win11

Open wqweto opened this issue 4 years ago • 1 comments

Windows built-in Schannel library supports TLS 1.3 since Win11 but has trouble connecting to howsmyssl.com with the error message returned being The message received was unexpected or badly formatted.

The problem seems to be that the initial ClientHello message which Schannel library sends is missing ec_point_formats (11) extension and this brings golang server-side TLS 1.3 implementation to a halt.

RFC8422 says:

5.1. Client Hello Extensions

This section specifies two TLS extensions that can be included with the ClientHello message as described in [RFC4366]: the Supported Elliptic Curves Extension and the Supported Point Formats Extension.

When these extensions are sent:

The extensions SHOULD be sent along with any ClientHello message that proposes ECC cipher suites.

Here SHOULD means "recommended" but it's not clear if ec_point_formats (11) is required when supported_groups (10) is sent in CH which is exactly the case with Schannel's TLS1_3_CLIENT.

The same problem appears to be present with all golang https servers with TLS 1.3 support e.g. here is the error log from https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html

Connecting to clienttest.ssllabs.com
Error: The message received was unexpected or badly formatted. Handshake failure.

This problem should probably be reported upstream or it could be already fixed in recent version of golang runtime or whatever TLS 1.3 library the site is using.

Unfortunately Win11 built-in curl.exe although using Schannel library is still not updated to enable TLS1_3_CLIENT support, so it still uses TLS 1.2 max to access howsmyssl.com (or any other site) and the bug cannot be easily reproduced with existing tools.

Edit: Yes, the bug is in goalng's crypto/tls in handshake_server.go the supportsECDHE function incorrectly assumes that when the supportedPoints array does not contain pointFormatUncompressed then ECDHE is unavailable and it misses empty array check i.e. the case when the supported_groups (10) extension is not sent in CH which should be interpreted as every possible format supported incl. pointFormatUncompressed.

Oops, it's even reported here.

Sorry to bother you. This will probably need to be fixed upstream.

wqweto avatar Nov 18 '21 15:11 wqweto

Ah, good work!

jmhodges avatar Jul 08 '23 00:07 jmhodges