Use branch master and feature/tlsv1.3 to scan the same ip+port, the results of secure_renegotiation and scts are different

Open chushuai opened this issue 3 years ago • 2 comments

Use branch master and feature/tlsv1.3 to scan the same ip+port, the results of secure_renegotiation and scts are different

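func TestTls(t *testing.T) {
	tests := []string{"138.201.124.182:10250"}
	for _, test := range tests {
		conn, err := Dial("tcp", test, &Config{
			InsecureSkipVerify: true, // scan only: certificate validation is skipped
		})
		// Check the error before touching conn; conn may be nil when Dial fails.
		if err != nil {
			fmt.Println("failed to connect: " + err.Error())
			continue
		}
		// Dump the recorded handshake log as JSON for comparison between branches.
		data, _ := json.Marshal(conn.GetHandshakeLog())
		fmt.Println(string(data))
		conn.Close()
	}
}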

chushuai, Jul 29 '22 11:07

The tls1.3 branch includes tls1.3 support and also includes other enhancements: anything added to the upstream golang tls code since the (very old) tls implementation was lifted from upstream, at least 5 years ago.

This includes (at least) early renegotiation handling. I'm not certain but I believe the portable ciphers profile is also exclusive to the tls1.3 branch for no particular reason aside from the fact that those interested in "better" tls support were using that branch.

You can see part of this if you track the zcrypto portion of https://github.com/zmap/zgrab2/pull/334

tl;dr: this is expected behavior as far as I know

mzpqnxow, Sep 07 '23 01:09
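When comparing scan output from the two branches, a field-level diff of the two handshake-log JSON documents shows exactly which fields diverge. The following is an added example, not part of the thread or of zcrypto: `DiffHandshakeLogs` and `diffPaths` are hypothetical helpers, and the two sample logs (including the `server_hello` and `version` keys and all values) are constructed and do not indicate which branch reports what.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
)

// diffPaths returns the sorted paths whose values differ; a missing key compares as nil.
func diffPaths(path string, a, b interface{}) []string {
	am, aok := a.(map[string]interface{})
	bm, bok := b.(map[string]interface{})
	if !aok || !bok {
		if reflect.DeepEqual(a, b) {
			return nil
		}
		return []string{path}
	}
	var out []string
	for k := range am {
		out = append(out, diffPaths(path+"."+k, am[k], bm[k])...)
	}
	for k := range bm {
		if _, seen := am[k]; !seen {
			out = append(out, diffPaths(path+"."+k, nil, bm[k])...)
		}
	}
	sort.Strings(out)
	return out
}

// DiffHandshakeLogs lists the fields on which two handshake-log documents disagree.
func DiffHandshakeLogs(a, b []byte) ([]string, error) {
	var av, bv interface{}
	if err := json.Unmarshal(a, &av); err != nil {
		return nil, err
	}
	if err := json.Unmarshal(b, &bv); err != nil {
		return nil, err
	}
	return diffPaths("$", av, bv), nil
}

// Constructed sample logs; the values are made up, not taken from the issue.
const logA = `{"server_hello":{"version":{"name":"TLSv1.2"},"secure_renegotiation":false}}`
const logB = `{"server_hello":{"version":{"name":"TLSv1.2"},"secure_renegotiation":true,"scts":[{"raw":"placeholder"}]}}`

func main() {
	fmt.Println(DiffHandshakeLogs([]byte(logA), []byte(logB)))
}
```

Feeding it the JSON printed by the test above, once per branch, narrows a "results are different" report down to the specific handshake-log fields.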