TLS-Attacker
Implement TLS 1.3 Client Authentication
Hello,
I intend to construct a workflow trace in TLS-Attacker's Java code and send it to a server in order to establish a TLS handshake. However, I have two issues here:
- How do I demand/specify to use TLS 1.3?
- How do I (as the client) add a certificate and key (e.g. client-cert.pem and client-key.pem) to the configuration?
For now, my code looks as follows:
import de.rub.nds.tlsattacker.core.config.Config;
import de.rub.nds.tlsattacker.core.constants.CipherSuite;
import de.rub.nds.tlsattacker.core.protocol.message.*;
import de.rub.nds.tlsattacker.core.state.State;
import de.rub.nds.tlsattacker.core.workflow.DefaultWorkflowExecutor;
import de.rub.nds.tlsattacker.core.workflow.WorkflowTrace;
import de.rub.nds.tlsattacker.core.workflow.action.ReceiveAction;
import de.rub.nds.tlsattacker.core.workflow.action.SendAction;

Config config = Config.createConfig();
WorkflowTrace trace = new WorkflowTrace();
// Client flight 1: ClientHello
trace.addTlsAction(new SendAction(new ClientHelloMessage()));
// Server flight: ServerHello followed by the encrypted handshake messages
trace.addTlsAction(new ReceiveAction(new ServerHelloMessage()));
trace.addTlsAction(new ReceiveAction(new EncryptedExtensionsMessage()));
trace.addTlsAction(new ReceiveAction(new CertificateRequestMessage()));
trace.addTlsAction(new ReceiveAction(new CertificateMessage()));
trace.addTlsAction(new ReceiveAction(new CertificateVerifyMessage()));
trace.addTlsAction(new ReceiveAction(new FinishedMessage()));
// Client flight 2: client certificate, proof of possession, Finished
trace.addTlsAction(new SendAction(new CertificateMessage()));
trace.addTlsAction(new SendAction(new CertificateVerifyMessage()));
trace.addTlsAction(new SendAction(new FinishedMessage()));
config.setDefaultClientSupportedCiphersuites(CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384);
State state = new State(config, trace);
DefaultWorkflowExecutor executor = new DefaultWorkflowExecutor(state);
executor.executeWorkflow();
Thank you!
Hey,

The problem is in the Config object. TLS-Attacker requires you to explicitly set default values for everything such that TLS-Attacker knows how it is supposed to send its messages. Without you explicitly telling TLS-Attacker to send a TLS 1.3 ClientHello message it will just use a ClientHello with default values (found here: https://github.com/RUB-NDS/TLS-Attacker/blob/master/TLS-Core/src/main/resources/default_config.xml). You can find an example of TLS-Attacker + TLS 1.3 in our TLS-Scanner project: https://github.com/RUB-NDS/TLS-Scanner/blob/master/src/main/java/de/rub/nds/tlsscanner/probe/Tls13Probe.java. Additionally there should be a prepared Config file here: https://github.com/RUB-NDS/TLS-Attacker/blob/master/resources/configs/tls13.config

I hope this helps.

You can specify a Certificate and private key yourself by setting the defaultExplicitCertificateKeyPair and setting autoSelectCertificate to false. However, I do not think we support TLS 1.3 client authentication as of now. I will put it on the TODO list and try to find a student to implement it.

cheers
Robert
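The following is an added example, not code from this thread or from the TLS-Attacker project, showing how the two pieces of advice above fit together: the Config is told to build a TLS 1.3 ClientHello (supported_versions, key_share and signature_algorithms extensions, TLS 1.3 cipher suites) and the client certificate is pinned with autoSelectCertificate/defaultExplicitCertificateKeyPair. The host, port and PEM file names are placeholders; loadPemKeyPair is a hypothetical helper, and the CertificateKeyPair(File, File) constructor it calls, like the Config setters not named on this page, is assumed from the TLS-Attacker 3.x API and should be checked against the version in use.

```java
import de.rub.nds.tlsattacker.core.certificate.CertificateKeyPair;
import de.rub.nds.tlsattacker.core.config.Config;
import de.rub.nds.tlsattacker.core.connection.OutboundConnection;
import de.rub.nds.tlsattacker.core.constants.CipherSuite;
import de.rub.nds.tlsattacker.core.constants.NamedGroup;
import de.rub.nds.tlsattacker.core.constants.ProtocolVersion;
import de.rub.nds.tlsattacker.core.constants.SignatureAndHashAlgorithm;
import de.rub.nds.tlsattacker.core.protocol.message.*;
import de.rub.nds.tlsattacker.core.state.State;
import de.rub.nds.tlsattacker.core.workflow.DefaultWorkflowExecutor;
import de.rub.nds.tlsattacker.core.workflow.WorkflowTrace;
import de.rub.nds.tlsattacker.core.workflow.action.ReceiveAction;
import de.rub.nds.tlsattacker.core.workflow.action.SendAction;

import java.io.File;

public class Tls13ClientAuthExample {

    /** Config whose default ClientHello actually offers TLS 1.3. */
    public static Config tls13ClientConfig(String host, int port) {
        Config config = Config.createConfig();
        config.setDefaultClientConnection(new OutboundConnection(port, host));

        // TLS 1.3 is negotiated via the supported_versions extension, not the
        // legacy version fields, so the extension has to be enabled explicitly.
        config.setHighestProtocolVersion(ProtocolVersion.TLS13);
        config.setSupportedVersions(ProtocolVersion.TLS13);
        config.setAddSupportedVersionsExtension(true);

        // TLS 1.3 suites only name AEAD + hash; the key exchange comes from key_share.
        config.setDefaultClientSupportedCiphersuites(
                CipherSuite.TLS_AES_128_GCM_SHA256, CipherSuite.TLS_AES_256_GCM_SHA384);
        config.setDefaultClientNamedGroups(NamedGroup.ECDH_X25519, NamedGroup.SECP256R1);
        config.setDefaultClientKeyShareNamedGroups(NamedGroup.ECDH_X25519);
        config.setAddEllipticCurveExtension(true);
        config.setAddKeyShareExtension(true);

        // The server picks the CertificateVerify algorithm from this list, so it must
        // contain one the client key can actually produce (PSS for RSA keys in 1.3).
        config.setAddSignatureAndHashAlgorithmsExtension(true);
        config.setDefaultClientSupportedSignatureAndHashAlgorithms(
                SignatureAndHashAlgorithm.RSA_PSS_RSAE_SHA256, SignatureAndHashAlgorithm.ECDSA_SHA256);
        return config;
    }

    /** Pin the certificate/key the client presents, as described in the thread. */
    public static void useExplicitClientCertificate(Config config, File certPem, File keyPem) {
        CertificateKeyPair pair = loadPemKeyPair(certPem, keyPem);
        config.setAutoSelectCertificate(false);
        config.setDefaultExplicitCertificateKeyPair(pair);
    }

    // Hypothetical helper: the PEM-reading constructor is an assumption about the
    // TLS-Attacker version; replace with whatever your version offers for loading PEM.
    static CertificateKeyPair loadPemKeyPair(File certPem, File keyPem) {
        try {
            return new CertificateKeyPair(certPem, keyPem);
        } catch (Exception e) {
            throw new IllegalStateException("could not load client certificate/key", e);
        }
    }

    /** Full TLS 1.3 handshake with client authentication, one action per flight. */
    public static WorkflowTrace clientAuthTrace() {
        WorkflowTrace trace = new WorkflowTrace();
        trace.addTlsAction(new SendAction(new ClientHelloMessage()));
        // Everything after ServerHello arrives in one flight under the handshake keys.
        trace.addTlsAction(new ReceiveAction(
                new ServerHelloMessage(),
                new EncryptedExtensionsMessage(),
                new CertificateRequestMessage(),
                new CertificateMessage(),
                new CertificateVerifyMessage(),
                new FinishedMessage()));
        trace.addTlsAction(new SendAction(
                new CertificateMessage(),
                new CertificateVerifyMessage(),
                new FinishedMessage()));
        return trace;
    }

    /** Returns true only if every planned action ran and every expected message arrived. */
    public static boolean run(String host, int port, File certPem, File keyPem) {
        Config config = tls13ClientConfig(host, port);
        useExplicitClientCertificate(config, certPem, keyPem);
        State state = new State(config, clientAuthTrace());
        new DefaultWorkflowExecutor(state).executeWorkflow();
        return state.getWorkflowTrace().executedAsPlanned();
    }

    public static void main(String[] args) {
        // Placeholder endpoint and file names; point them at your own test server.
        boolean ok = run("localhost", 4433, new File("client-cert.pem"), new File("client-key.pem"));
        System.out.println(ok ? "handshake executed as planned" : "handshake deviated; inspect the trace");
    }
}
```

Grouping each flight into a single ReceiveAction/SendAction keeps the trace readable and lets executedAsPlanned() report whether the server really sent a CertificateRequest. Note the maintainer's point above: with a TLS-Attacker version that does not yet implement TLS 1.3 client authentication, the Config part will get you a TLS 1.3 handshake, but the client's CertificateVerify in the last SendAction will not be computed correctly until that support lands.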
Thank you for the help! But yeah, my intention is to establish a TLS 1.3 handshake with a TLS 1.3 implementation...
Update: I think a student of mine implemented this. I will have to check if it's actually working before finally closing this issue.
This feature will probably be added in TLS-Attacker 4.0