tlslite-ng
Adding ECPoints TLS 1.2 formats
Hello,
I have some client that does the handshake with the following extension:
Type: ec_point_formats (11)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
EC point format: uncompressed (0)
EC point format: ansiX962_compressed_prime (1)
EC point format: ansiX962_compressed_char2 (2)
I know this is obsolete, but is there a chance to actually add those?
Thanks!
I'm sorry, I don't understand the request, we do have those codepoints: https://github.com/tlsfuzzer/tlslite-ng/blob/master/tlslite/constants.py#L442
are you using a recent 0.8.0 release?
Oh, I'm extremely sorry hmm,
I'm using this great client https://github.com/charxhit/httpx-tls
and it tells me:
raise ValueError("only the uncompressed point format (0) is supported for ECPointFormat extension")
ValueError: only the uncompressed point format (0) is supported for ECPointFormat extension
So I thought it's a tlslite issue, thanks for confirming they are there.
What about extension 13172? It's not IANA assigned, but some clients use that; are there any plans to add that?
well, it is using a custom version of tlslite-ng: https://github.com/charxhit/httpx-tls/blob/c214f1aee0c64a1e25e4cbb4340135ef1391a7c8/setup.py#L26
that being said, the code in tlslite-ng has sending of uncompressed hardcoded. If you want it to offer and accept compressed points, you will need to write a bit of glue code. I know it works, as I use it in tlsfuzzer, just didn't extend tlslite-ng as I have no need for that (and uncompressed is mandatory anyway).
See also #103
It would be nice if you would extend tlslite-ng for the future. I'm doubting my abilities to actually be able to implement this (write the glue code you're speaking of), but I will have a look at it anyway, thank you
basically you need to change tlslite-ng to use the https://github.com/tlsfuzzer/python-ecdsa/blob/eed49e25683d656ba211a8cd97bf93da34450cf5/src/ecdsa/keys.py#L219 function with the valid_encodings matching what was sent in the ec_point_formats extension
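The glue logic described above, as an added example that is not code from tlslite-ng, python-ecdsa or the thread participants: it parses the ec_point_formats body shown in the first post, derives the set of acceptable encodings, and rejects a peer point whose encoding was not offered. The helper names are hypothetical, and P-256 decoding is done in plain Python as a dependency-free stand-in for python-ecdsa's from_string with valid_encodings.

```python
# Added example; helper names are hypothetical, sample inputs are constructed.
# NIST P-256 domain parameters (p % 4 == 3, so a square root is one pow()).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

# ec_point_formats code points, as listed in the first post
UNCOMPRESSED, COMPRESSED_PRIME, COMPRESSED_CHAR2 = 0, 1, 2

def parse_ec_point_formats(body):
    """Parse extension_data: one length byte, then one byte per format."""
    if len(body) < 2 or body[0] != len(body) - 1:
        raise ValueError("malformed ec_point_formats extension")
    formats = list(body[1:])
    if UNCOMPRESSED not in formats:  # RFC 4492/8422: 0 must always be listed
        raise ValueError("uncompressed (0) missing from ec_point_formats")
    return formats

def valid_encodings(formats):
    """Map offered formats to the encoding names python-ecdsa accepts."""
    allowed = {"uncompressed"}
    if COMPRESSED_PRIME in formats:
        allowed.add("compressed")
    # COMPRESSED_CHAR2 only applies to binary-field curves, so it adds nothing
    return allowed

def decode_p256_point(data, allowed):
    """Decode a SEC1 point, accepting only encodings named in `allowed`."""
    if len(data) == 65 and data[0] == 4 and "uncompressed" in allowed:
        x = int.from_bytes(data[1:33], "big")
        y = int.from_bytes(data[33:], "big")
    elif len(data) == 33 and data[0] in (2, 3) and "compressed" in allowed:
        x = int.from_bytes(data[1:], "big")
        y = pow((x**3 + A * x + B) % P, (P + 1) // 4, P)
        if (y & 1) != (data[0] & 1):  # prefix 02 = even y, 03 = odd y
            y = P - y
    else:
        raise ValueError("point encoding malformed or not negotiated")
    # Always validate: rejects out-of-range values and off-curve points
    if x >= P or y >= P or (y * y - (x**3 + A * x + B)) % P != 0:
        raise ValueError("point is not on the curve")
    return x, y
```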
Thanks a bunch :)
Duplicate of #103