TLS 1.2 request #16

New Issue

Closed

opened 2016-08-30 04:35:52 +02:00 by Ghost · 2 comments

Ghost commented 2016-08-30 04:35:52 +02:00 (Migrated from codeberg.org)

Copy Link

Hi
I was test alpha 15

• work fine

but TLS 1.0 work
-- alpha 15 : TLS 1.0
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: Peer sent flags ---
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: [eaptls verify] = ok
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: Done initial handshake
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: (other): before/accept initialization
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: before/accept initialization
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: <<< recv TLS 1.0 Handshake [length 005a], ClientHello
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: SSLv3 read client hello A
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: >>> send TLS 1.0 Handshake [length 0039], ServerHello
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: SSLv3 write server hello A
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: >>> send TLS 1.0 Handshake [length 066c], Certificate
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: SSLv3 write certificate A
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: >>> send TLS 1.0 Handshake [length 00cb], ServerKeyExchange
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: SSLv3 write key exchange A
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: SSLv3 write server done A
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: SSLv3 flush data
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: Need to read more data: SSLv3 read client certificate A
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: Need to read more data: SSLv3 read client certificate A
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: In SSL Handshake Phase
Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: In SSL Accept mode

Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: [eaptls process] = handled

but window now support TLS 1.2
--- Windows TLS 1.2
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: Continuing EAP-TLS
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: Peer sent flags --L
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: Peer indicated complete TLS record size will be 182 bytes
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: Got complete TLS record (182 bytes)
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: [eaptls verify] = length included
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: <<< recv TLS 1.2 [length 0046]
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: TLS_accept: SSLv3 read client key exchange A
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: TLS_accept: SSLv3 read certificate verify A
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: <<< recv TLS 1.2 [length 0001]
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: <<< recv TLS 1.2 [length 0010]
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: TLS_accept: SSLv3 read finished A
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: >>> send TLS 1.2 [length 0001]
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: TLS_accept: SSLv3 write change cipher spec A
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: >>> send TLS 1.2 [length 0010]
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: TLS_accept: SSLv3 write finished A
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: TLS_accept: SSLv3 flush data
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: (other): SSL negotiation finished successfully
Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: SSL Connection Established

Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: [eaptls process] = handled

check it
Thanks

Hi I was test alpha 15 - work fine but TLS 1.0 work -- alpha 15 : TLS 1.0 Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: Peer sent flags --- Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: [eaptls verify] = ok Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: Done initial handshake Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: (other): before/accept initialization Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: before/accept initialization Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: <<< recv TLS 1.0 Handshake [length 005a], ClientHello Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: SSLv3 read client hello A Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: >>> send TLS 1.0 Handshake [length 0039], ServerHello Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: SSLv3 write server hello A Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: >>> send TLS 1.0 Handshake [length 066c], Certificate Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: SSLv3 write certificate A Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: >>> send TLS 1.0 Handshake [length 00cb], ServerKeyExchange Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: SSLv3 write key exchange A Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: SSLv3 write server done A Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: SSLv3 flush data Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: Need to read more data: SSLv3 read client certificate A Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: TLS_accept: Need to read more data: SSLv3 read client certificate A Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: In SSL Handshake Phase Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: In SSL Accept mode ## Tue Aug 30 11:26:15 2016 : Debug: (2) eap_ttls: [eaptls process] = handled but window now support TLS 1.2 --- Windows TLS 1.2 Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: Continuing EAP-TLS Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: Peer sent flags --L Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: Peer indicated complete TLS record size will be 182 bytes Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: Got complete TLS record (182 bytes) Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: [eaptls verify] = length included Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: <<< recv TLS 1.2 [length 0046] Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: TLS_accept: SSLv3 read client key exchange A Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: TLS_accept: SSLv3 read certificate verify A Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: <<< recv TLS 1.2 [length 0001] Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: <<< recv TLS 1.2 [length 0010] Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: TLS_accept: SSLv3 read finished A Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: >>> send TLS 1.2 [length 0001] Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: TLS_accept: SSLv3 write change cipher spec A Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: >>> send TLS 1.2 [length 0010] Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: TLS_accept: SSLv3 write finished A Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: TLS_accept: SSLv3 flush data Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: (other): SSL negotiation finished successfully Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: SSL Connection Established ## Tue Aug 30 11:31:31 2016 : Debug: (8) eap_peap: [eaptls process] = handled check it Thanks

Ghost commented 2016-08-30 09:53:16 +02:00 (Migrated from codeberg.org)

Copy Link

Yes, I am aware of this. Older versions of GÉANTLink used my own TLS implementation, supporting TLS 1.2.

However, GÉANT insisted I switch to Microsoft Schannel library to do the TLS.

I noticed on my computer too, that Schannel chooses TLS 1.0 by default (Windows 7). It is not exactly something we are happy with, but unfortunately I didn’t have time yet to explore how one can configure Schannel to use newer versions of TLS. But it should be possible, as Microsoft does advertise Schannel is capable of TLS 1.2. I need to find the right “button” to push, I suppose. 

Yes, I am aware of this. Older versions of GÉANTLink used my own TLS implementation, supporting TLS 1.2. However, GÉANT insisted I switch to Microsoft Schannel library to do the TLS. I noticed on my computer too, that Schannel chooses TLS 1.0 by default (Windows 7). It is not exactly something we are happy with, but unfortunately I didn’t have time yet to explore how one can configure Schannel to use newer versions of TLS. But it should be possible, as Microsoft does advertise Schannel is capable of TLS 1.2. I need to find the right “button” to push, I suppose. 

Ghost commented 2016-08-31 18:20:32 +02:00 (Migrated from codeberg.org)

Copy Link

For the time being, I have changed Schannel from "use default protocol selection logic" to "use TLS 1.0, 1.1, or 1.2". And it negotiates 1.2 now.

The idea at GÉANT was to leave Schannel to defaults as much as possible and hope Microsoft does configure it to use the most secure version available in the future to come.

Our humbe whishes... :|

Developer's remark:
I have tried the following values of grbitEnabledProtocols member of SCHANNEL_CRED structure:
0 - Proposed by Microsoft, got TLS 1.0
SP_PROT_TLS1_X_CLIENT - got TLS 1.2, but it won't switch to TLS 1.3 once available
0xffffffc0 - my wild guess to allow all protocols equal or newer to TLS 1.0; got error
0xffffffff aka SP_PROT_ALL - guess to enable all protocols whatever; got TLS 1.0

For the time being, I have changed Schannel from "use default protocol selection logic" to "use TLS 1.0, 1.1, or 1.2". And it negotiates 1.2 now. The idea at GÉANT was to leave Schannel to defaults as much as possible and hope Microsoft does configure it to use the most secure version available in the future to come. Our humbe whishes... :| Developer's remark: I have tried the following values of `grbitEnabledProtocols` member of [`SCHANNEL_CRED`](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379810.aspx) structure: `0` - Proposed by Microsoft, got TLS 1.0 `SP_PROT_TLS1_X_CLIENT` - got TLS 1.2, but it won't switch to TLS 1.3 once available `0xffffffc0` - my wild guess to allow all protocols equal or newer to TLS 1.0; got error `0xffffffff` aka `SP_PROT_ALL` - guess to enable all protocols whatever; got TLS 1.0

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

ver1.0

ver1.1

1.3g

1.3f

1.3e

1.3d

1.3c

1.3b

1.3a

1.3

1.2g

1.2f

1.1h

1.0i

1.2e

1.1g

1.0h

1.2d

1.1f

1.0g

1.2c

1.1e

1.0f

1.2b

1.1d

1.0e

1.2a

1.1c

1.0d

1.2

1.1b

1.0c

1.2-beta2

1.2-beta1

1.2-beta

1.1a

1.0b

1.1

1.1-beta2

1.1-beta1

1.0a

1.1-beta

1.0

1.0-beta8

1.0-beta7

1.0-beta6

1.0-beta5

1.0-beta4

1.0-beta3

1.0-beta2

1.0-beta1

1.0-beta

1.0-alpha17

1.0-alpha16

1.0-alpha15

1.0-alpha14

1.0-alpha13

1.0-alpha12

1.0-alpha11

1.0-alpha10

1.0-alpha10-owntls

1.0-alpha9

1.0-alpha8

1.0-alpha7

1.0-alpha6

1.0-alpha5

1.0-alpha4

1.0-alpha3

1.0-alpha2

1.0-alpha1

1.0-alpha0

Labels

Clear labels

bug

duplicate

enhancement

help wanted

invalid

question

wontfix

bug

Something is not working

duplicate

This issue or pull request already exists

enhancement

New feature

help wanted

Need some help

invalid

Something is wrong

question

More information is needed

wontfix

This won't be fixed

No Label

enhancement

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Aljaz Iztok Jure Luka MatejR Miro Peter Simon Tone lidija nadzorni

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Amebis/GEANTLink#16

No description provided.