
How to identify a bad TLS connection?

Open tzimmer63 opened this issue 3 years ago • 4 comments

Hi, I've built a small https server with botan. If a client connects with http instead of https (or I get other garbage), how do I find out that a valid TLS session was not established? I did not find anything in the TLS Callback that informs me about incoming garbage and lets me close the TCP connection.

tzimmer63 · Jul 01 '21 14:07

Currently Botan (master or 3.0.0-alpha0) is performing some 'pre-check' of the TLS record version and, if it does not match the expected one, the content of the record header is compared with common HTTP request methods: GET, PUT, POST, HEAD, CONNE. If any of the HTTP request methods matches, the handshake is immediately interrupted with a PROTOCOL_VERSION alert. There are probably no other checks of garbage input, but there is a PR with an improved check of record content: https://github.com/randombit/botan/pull/2755

pstanisz · Jul 01 '21 19:07
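As an added illustration (not Botan's own code), a standalone C++ triage of the first bytes read from a new connection that mirrors the pre-check described above: the record-version check first, then the comparison of the header bytes with the HTTP method prefixes named in the comment. The content-type and record-length plausibility checks are an extension beyond what the thread describes, and the sample inputs are constructed.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Triage result for the first bytes a TLS server reads from a new TCP connection.
enum class FirstRecord { TlsRecord, PlaintextHttp, Garbage, NeedMoreData };

// A TLS record header is 5 bytes: content_type | version_major | version_minor | length (2).
constexpr std::size_t kRecordHeaderLen = 5;
constexpr std::size_t kMaxRecordLen = 16384 + 2048;  // TLSCiphertext limit (RFC 5246 6.2.3)

// Content types a first record can legitimately carry (extension beyond the thread's check).
static bool known_content_type(uint8_t t) {
    return t == 20 || t == 21 || t == 22 || t == 23;  // ccs, alert, handshake, app data
}

// Record-layer versions a legitimate client may put on its first record:
// 0x0300 (SSLv3) through 0x0304; TLS 1.3 clients send 0x0301 or 0x0303 here.
static bool plausible_record_version(uint8_t major, uint8_t minor) {
    return major == 3 && minor <= 4;
}

// Method prefixes named in the thread; "CONNE" covers CONNECT within the 5-byte header.
static const std::array<std::string, 5> kHttpMethods = {"GET", "PUT", "POST", "HEAD", "CONNE"};

// Build a byte buffer from constructed sample input (helper for demos and tests).
std::vector<uint8_t> from_text(const std::string& s) {
    return std::vector<uint8_t>(s.begin(), s.end());
}

FirstRecord triage_first_record(const std::vector<uint8_t>& buf) {
    if (buf.size() < kRecordHeaderLen) return FirstRecord::NeedMoreData;
    // Step 1: record-version pre-check, as the thread describes (content type added here).
    if (known_content_type(buf[0]) && plausible_record_version(buf[1], buf[2])) {
        // Extension: reject absurd record lengths before handing the bytes to the TLS stack.
        const std::size_t len = (std::size_t(buf[3]) << 8) | buf[4];
        return len <= kMaxRecordLen ? FirstRecord::TlsRecord : FirstRecord::Garbage;
    }
    // Step 2: version mismatch, so compare the header bytes with HTTP method prefixes.
    const std::string head(buf.begin(), buf.begin() + kRecordHeaderLen);
    for (const auto& m : kHttpMethods)
        if (head.compare(0, m.size(), m) == 0) return FirstRecord::PlaintextHttp;
    return FirstRecord::Garbage;
}
```

A server can run this on the first read and log the verdict before deciding whether to feed the bytes to the TLS channel or close the socket.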

The checking @pstanisz mentioned is also available in 2.18.0 and higher so you don't need to use pre-release software to get this.

randombit · Jul 01 '21 23:07

I've upgraded to 2.18.1 and I do not get the described behaviour. When calling the server with unencrypted http, I'm not getting a tls_alert() call in the TLS_Callback. Instead, I'm getting an exception "Got unexpected TLS record version". I have no problem with that, it helps a lot, I just wanted to let you know that. Thanks a lot, guys.

tzimmer63 · Jul 02 '21 10:07

tls_alert is only called when you receive an alert from the peer, here we are sending an alert and there is no callback/inspection for this process (though that might indeed be useful for debugging and the like, something to think about there...)

randombit · Jul 04 '21 13:07