I have got a self-compiled version of Nodejs but I am still able to reproduce these issues on nodejs v15.8.0
. I am trying to modify my client hello signature but it does not seem like nodesj is allowing me to do that.
I have the following script.
const tls = require('tls'),
crypto = require('crypto');
let ciphers = [
//'3a3a',
//'GREASE-0A0A',
'TLS_AES_128_GCM_SHA256',
'TLS_CHACHA20_POLY1305_SHA256',
'TLS_AES_256_GCM_SHA384',
'ECDHE-ECDSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES128-GCM-SHA256',
'ECDHE-ECDSA-CHACHA20-POLY1305',
'ECDHE-RSA-CHACHA20-POLY1305',
'ECDHE-ECDSA-AES256-GCM-SHA384',
'ECDHE-RSA-AES256-GCM-SHA384',
'ECDHE-ECDSA-AES256-SHA',
'ECDHE-ECDSA-AES128-SHA',
'ECDHE-RSA-AES128-SHA',
'ECDHE-RSA-AES256-SHA',
'AES128-GCM-SHA256',
'AES256-GCM-SHA384',
'AES128-SHA',
'AES256-SHA',
'DES-CBC3-SHA',
'AES128-GCM-SHA256',
'AES256-GCM-SHA384',
'DES-CBC3-SHA', //
//'-TLS_EMPTY_RENEGOTIATION_INFO_SCSV',
];
let cipher_list = ciphers.join(':');
const sigalgs = [
'ecdsa_secp256r1_sha256',
'ecdsa_secp384r1_sha384',
'ecdsa_secp521r1_sha512',
'rsa_pss_rsae_sha256',
'rsa_pss_rsae_sha384',
'rsa_pss_rsae_sha512',
'rsa_pkcs1_sha256',
'rsa_pkcs1_sha384',
'rsa_pkcs1_sha512',
//'ecdsa_sha1',
//'rsa_pkcs1_sha1',
];
let sigalgs_list = sigalgs.join(':');
const socket = tls.connect({
host: 'webpage.com',
port: 443,
servername: 'webpage.com',
ciphers: cipher_list,
sigalgs: sigalgs_list,
secureOptions: //crypto.constants.SSL_OP_NO_RENEGOTIATION
//|
//455555|
//crypto.constants.SSL_OP_NO_TICKET
//crypto.constants.SSL_OP_NO_SSLv2
//| crypto.constants.SSL_OP_NO_SSLv3
crypto.constants.SSL_OP_NO_COMPRESSION
| crypto.constants.SSL_OP_NO_RENEGOTIATION
//| crypto.constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION //doesn't make any effect ?
| 0x00000010 //crypto.constants.SSL_OP_TLSEXT_PADDING
//| crypto.constants.SSL_OP_ALL
//| crypto.constants.SSLcom
,
ALPNProtocols: ['h2', 'http/1.1'],
minVersion: 'TLSv1.2',
requestOCSP: true,
});
socket.on('secureConnect', () => console.log('connected to', socket.remoteAddress));
From my code, I expect nodejs to modify my client hello to include the specified Cipher suites and the specified signature algorithms but nodejs does not. In fact, including 'ecdsa_sha1' in the list of signature algorithms triggers a possible bug
node:_tls_common:237
c.context.setSigalgs(sigalgs);
^
Error: error:00000000:lib(0):func(0):reason(0)
at Object.createSecureContext (node:_tls_common:237:15)
at Object.connect (node:_tls_wrap:1614:48)
at Object.<anonymous> (/home/ghoul/Node/script.js:52:20)
at Module._compile (node:internal/modules/cjs/loader:1092:14)
at Object.Module._extensions..js (node:internal/modules/cjs/loader:1121:10)
at Module.load (node:internal/modules/cjs/loader:972:32)
at Function.Module._load (node:internal/modules/cjs/loader:813:14)
at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:76:12)
at node:internal/main/run_main_module:17:47
Is this possible that I am missing out on something simple?
I observe my client hello via wireshark, it does not look like nodejs respects any part of the configuration.
User contributions licensed under CC BY-SA 3.0