
Why handshake failure?

Open chushuai opened this issue 5 years ago • 5 comments

Can be accessed normally through the browser

https://1.179.232.207:1080

Here is the test code

```go
package main

import (
	"fmt"
	"testing"

	"github.com/zmap/zcrypto/tls"
)

func TestTLS(t *testing.T) {
	config := tls.Config{
		InsecureSkipVerify: true, // certificate validation is skipped for this test
		MaxVersion:         tls.VersionTLS12,
	}
	// https://1.179.232.207:1080
	conn, err := tls.Dial("tcp", "1.179.232.207:1080", &config)
	if err != nil {
		// The handshake failure is printed here rather than failing the test.
		fmt.Println(err)
		return
	}
	defer conn.Close()
	fmt.Println(conn)
}
```

chushuai, Nov 16 '20 11:11

This seems to be the same as https://github.com/zmap/zgrab2/issues/281, you can read what I wrote there

I wonder if the default cipher-suite profiles need to be updated in zcrypto to be more inclusive to junk like this device (which seems to be an old NETGEAR router)

mzpqnxow, Dec 06 '20 19:12

I don't have this problem with the latest version of golang crypto/tls. zcrypto's crypto/tls is too old a version @cpu @mzpqnxow

chushuai, Dec 07 '20 03:12

@chushuai are you building from source, or using a release package from somewhere?

EDIT: Wait- @chushuai you're talking about golang crypto/tls or zcrypto/tls? This is specific to zcrypto, which is not vanilla golang/tls. This is expected to work on vanilla golang tls. Am I misunderstanding what you're saying? To clarify, the goal of zcrypto is not to provide equivalent functionality (or cutting edge functionality) like upstream golang. It's to support obsolete and insecure cipher-suites and protocol versions. You can always use the upstream golang TLS, but you'll lose support for older protocols and ciphers (e.g. SSLv3, RC4-based cipher-suites, etc)

mzpqnxow, Dec 07 '20 21:12

@chushuai if you would like to test, I have a zcrypto branch @ https://github.com/mzpqnxow/zcrypto/tree/feature/portable-cipher-suite-profile that provides a pre-built list of cipher-suites that will address this and should handle any similar issues you run into with other endpoints that are picky. If you use that branch, you'd need to update your code to specify CipherSuites in the TLS config:

```go
CipherSuites = tls.PortableCiphers
```

I sent in a PR for this, but please feel free to test in the meantime. I also tested it with zgrab2 and will add a branch that makes use of this once/if this is merged.

mzpqnxow, Dec 07 '20 21:12

Was this issue resolved for you @chushuai ? A lot of work has been done in zcrypto since the time you created this

mzpqnxow, Oct 31 '21 18:10

> Was this issue resolved for you @chushuai ? A lot of work has been done in zcrypto since the time you created this

Pretty sure this is resolved and can be closed

mzpqnxow, Sep 07 '23 00:09