Comments (5)
jason-riddle
commented on May 25, 2024
1
Sure maybe sometime this week or next.
from certigo.
mbyczkowski
commented on May 25, 2024
@csstaub are you running 1.11 or have you built from master? There hasn't been a new release since Nov '18.
from certigo.
jason-riddle
commented on May 25, 2024
I ran into this issue as well, installing from brew install certigo, and did some debugging and there are two problems.
- On v1.11.0,
lib.lookupreturnsUNKNOWN_304for TLS 1.3.lib.explainCipherdoes a
split on_WITH_but the array is only populated with one element and it
is assumed thatkexAndCipherhas two elements.Note: This was fixed in master @ 79de7d2
cipherSuitesis missing support for some TLS 1.3 cipher suites.
Quick, insecure fix
Checkout master branch.
Patch
tls13_ciphers.patch
diff --git a/lib/tls.go b/lib/tls.go
index a9fefcd..5c0855d 100644
--- a/lib/tls.go
+++ b/lib/tls.go
@@ -206,4 +206,10 @@ var cipherSuites = map[uint16]description{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: {"", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", good},
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305: {"", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", good},
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: {"", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", good},
+
+ tls.TLS_AES_128_GCM_SHA256: {"", "TLS_AES_128_GCM_SHA256", good},
+ tls.TLS_AES_256_GCM_SHA384: {"", "TLS_AES_256_GCM_SHA384", good},
+ tls.TLS_CHACHA20_POLY1305_SHA256: {"", "TLS_CHACHA20_POLY1305_SHA256", good},
+
+ tls.TLS_FALLBACK_SCSV: {"", "TLS_FALLBACK_SCSV", insecure},
}
Apply
git apply tls13_ciphers.patch
Build
go build -o certigo-with-tls13-ciphers
Validate
TODO: Why is Cipher Suite still empty? Maybe this isn't fixed yet..
./certigo-with-tls13-ciphers connect --verbose squareup.com:443
** TLS Connection **
Version: TLS 1.3
Cipher Suite:
...
Possible Future TODO
As of go1.14rc1 (golang/go@0ee22d9), it looks like there now exists a tls.CipherSuites which looks something like
func CipherSuites() []*CipherSuite {
return []*CipherSuite{
{TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, false},
{TLS_RSA_WITH_AES_128_CBC_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false},
...
{TLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256", supportedOnlyTLS13, false},
{TLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384", supportedOnlyTLS13, false},
...
}
}
It may prove useful to use this instead of maintaining a map of hand-maintained cipher suites when go1.14 is released.
from certigo.
mbyczkowski
commented on May 25, 2024
@jason-riddle thanks for looking into this! 💯 Would you like to turn your patch into a PR?
from certigo.
mbyczkowski
commented on May 25, 2024
This has been fixed via #208 and released in 1.12.1
from certigo.
Related Issues (20)
- Panic in master when printing certificates in 'certigo connect ...' HOT 2
- Spinnaker recommends 1.2.840.10070.8.1 for RBAC
- Add support for SQL Server
- Error: unsupported encrypted-private-key algorithm HOT 3
- Build failure with current Go versions due to needing a go.sum update for github.com/fatih/color HOT 1
- Support `-h` in addition to `--help` HOT 1
- certigo connect dereferences nil when using Postgres StartTLS HOT 2
- CI/CD key leakage HOT 1
- Tests take a dependency on an internal test certificate
- No binaries for 1.15.0 HOT 1
- Unit tests fail on macOS with Go 1.18 because of 1024-bit RSA test certificate HOT 3
- Make tests robust to non-AES ciphersuites HOT 3
- OCSP unauhtorized error HOT 1
- OCSP lookups should unconditionally add "/"
- Use zlint for certificate warnings HOT 1
- undefined: time.UnixMilli and lib/ocsp.go:151:17: undefined: io.ReadAll HOT 4
- Add scoop.sh support HOT 3
- Crypto Go :we are a research group to help developers build secure applications.
- Build with CGO disabled
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from certigo.