help
help copied to clipboard
Published
20 hours ago •
nodejs
nodejs
tlsoption.enableTrace does not show correct tls protocol 1.3 (it shows 1.2 instead)
- Node.js Version: v14.15.1 & v12.14.0
- OS: MAC
- Scope (install, code, runtime, meta, other?): runtime
- Module (and version) (if relevant): crypto/tls
When enableTrace is configured, node does not show the correct TLS protocol. nodejs shows tls1.2, while wireshark shows 1.3 (and wireshark is showing the correct one)
-- -- (master origin)
~/dev/curl/sample (💃 ) node app.js
Sent Record
Header:
Version = TLS 1.0 (0x301)
Content Type = Handshake (22)
Length = 236
ClientHello, Length=232
client_version=0x303 (TLS 1.2)
Random:
gmt_unix_time=0xAFAB92C9
random_bytes (len=28): 3F4E6CC15602951A8236C732E7E2E188E5B427A6797D67FDBB9FE01E
session_id (len=32): BEA460F6C1ADD6AA33D66B7CFC5ED0CF2D37374859FA3E73D209768ABA9149CD
cipher_suites (len=12)
...............
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = ApplicationData (23)
Length = 16401
Inner Content Type = ApplicationData (23)
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = ApplicationData (23)
Length = 15504
Inner Content Type = ApplicationData (23)
Sent Record
Header:
Version = TLS 1.2 (0x303)
Content Type = ApplicationData (23)
Length = 19
Inner Content Type = Alert (21)
Level=warning(1), description=close notify(0)
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = ApplicationData (23)
Length = 19
Inner Content Type = Alert (21)
Level=warning(1), description=close notify(0)
-- -- (master origin)
~/dev/curl/sample (💃 ) node -v
v14.15.1
-- -- (master origin)
~/dev/curl/sample (💃 ) ping www.cdn77.com
PING 1669655317.rsc.cdn77.org (89.187.164.10): 56 data bytes
64 bytes from 89.187.164.10: icmp_seq=0 ttl=56 time=14.569 ms
^C
--- 1669655317.rsc.cdn77.org ping statistics ---
2 packets transmitted, 1 packets received, 50.0% packet loss
round-trip min/avg/max/stddev = 14.569/14.569/14.569/0.000 ms
For the same request above, here is the wireshark pcap: (remove the .txt first) tls13.pcapng.txt
screen from wireshark :
app.js to demo the problem.
'use strict';
// spoon for testing the tls1.3
const https = require('https');
const tls = require('tls');
const _ = require('lodash');
const tls13Ciphers = [
// below are new TLS1.3 ciphers
'TLS_AES_256_GCM_SHA384', // 'TLS_AES_256_GCM_SHA384',
'TLS_CHACHA20_POLY1305_SHA256', // 'TLS_CHACHA20_POLY1305_SHA256',
'TLS_AES_128_GCM_SHA256', // 'TLS_AES_128_GCM_SHA256',
'TLS_AES_128_CCM_SHA256', // 'TLS_AES_128_CCM_SHA256',
'TLS_AES_128_CCM_8_SHA256' // 'TLS_AES_128_CCM_8_SHA256'
];
const nonTlsCiphers = [
'ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', // ecdhe-ecdsa-aes256-gcm-sha384
'ECDHE_RSA_WITH_AES_256_GCM_SHA384', // ecdhe-rsa-aes256-gcm-sha384
'ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', // ecdhe-ecdsa-aes256-sha384
'ECDHE_RSA_WITH_AES_256_CBC_SHA384', // ecdhe-rsa-aes256-sha384
'ECDHE_ECDSA_WITH_AES_256_CBC_SHA', // ecdhe-ecdsa-aes256-sha
'ECDHE_RSA_WITH_AES_256_CBC_SHA', // ecdhe-rsa-aes256-sha
'DHE_DSS_WITH_AES_256_GCM_SHA384', // dhe-dss-aes256-gcm-sha384
'DHE_RSA_WITH_AES_256_GCM_SHA384', // dhe-rsa-aes256-gcm-sha384
'DHE_RSA_WITH_AES_256_CBC_SHA256', // dhe-rsa-aes256-sha256
'DHE_DSS_WITH_AES_256_CBC_SHA256', // dhe-dss-aes256-sha256
'DHE_RSA_WITH_AES_256_CBC_SHA', // dhe-rsa-aes256-sha
'DHE_DSS_WITH_AES_256_CBC_SHA', // dhe-dss-aes256-sha
'RSA_WITH_AES_256_GCM_SHA384', // aes256-gcm-SHA384
'RSA_WITH_AES_256_CBC_SHA256' // AES256-SHA256
];
var options = {
// 1.2
// host: 'httpbin.org',
// path: '/get',
// 1.2 and 1.3
// host: 'google.com',
// path: '/',
// 1.2 and 1.3
host: 'www.cdn77.com',
path: '/tls-test',
port: 443,
method: 'GET',
rejectUnauthorized: false,
// secureProtocol: 'TLSv1_2_method',
minVersion: 'TLSv1.3',
maxVersion: 'TLSv1.3',
enableTrace: true,
ciphers: _.join(tls13Ciphers, ':')
};
https.request(options, res => {
let body = '';
res.on('data', data => body += data);
res.on('end', () => {
// console.log('response data: ' + body);
});
}).on('error', err => {
console.warn(err);
}).end();
// https://www.cdn77.com/tls-test
// https://google.com
// node app.js
-->
