Node.js not respecting TLS options (ciphers / sigalgs in the ClientHello)


I am running a self-compiled build of Node.js, but the issue also reproduces on the stock Node.js v15.8.0. I am trying to control the TLS ClientHello that Node sends (its cipher-suite list, signature algorithms and extensions — i.e. its fingerprint), but Node does not appear to apply my settings.

I have the following script.

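'use strict';

// Minimal TLS client for inspecting the ClientHello that Node.js/OpenSSL
// emits for a given ciphers / sigalgs / secureOptions configuration
// (e.g. with Wireshark on port 443).
//
// NOTE(review): Node hands the `ciphers` option to OpenSSL as two separate
// calls — the TLS 1.3 suites (the `TLS_*` names) via set_ciphersuites and the
// remaining names via set_cipher_list — so the ClientHello is not a verbatim
// copy of the array below: the TLS 1.3 suites are sent first, then the
// TLS 1.2 list in the order given, and names OpenSSL does not know are
// silently left out. Confirm against the Node/OpenSSL versions in use before
// treating a mismatch with the capture as a bug.
const tls = require('tls');
const crypto = require('crypto');

// Cipher suites offered to the server, most preferred first, as OpenSSL
// cipher-list names (TLS 1.3 suites use their IANA `TLS_*` names).
// GREASE values ('3a3a', 'GREASE-0A0A') are not cipher-list tokens the
// OpenSSL bundled with Node accepts, so they cannot be injected this way.
// The duplicate AES-GCM / 3DES entries of the earlier version of this list
// were redundant: OpenSSL keeps only the first occurrence of a suite.
const ciphers = [
  'TLS_AES_128_GCM_SHA256',
  'TLS_CHACHA20_POLY1305_SHA256',
  'TLS_AES_256_GCM_SHA384',
  'ECDHE-ECDSA-AES128-GCM-SHA256',
  'ECDHE-RSA-AES128-GCM-SHA256',
  'ECDHE-ECDSA-CHACHA20-POLY1305',
  'ECDHE-RSA-CHACHA20-POLY1305',
  'ECDHE-ECDSA-AES256-GCM-SHA384',
  'ECDHE-RSA-AES256-GCM-SHA384',
  'ECDHE-ECDSA-AES256-SHA',
  'ECDHE-ECDSA-AES128-SHA',
  'ECDHE-RSA-AES128-SHA',
  'ECDHE-RSA-AES256-SHA',
  // The remaining suites use static RSA key exchange (no forward secrecy),
  // and DES-CBC3-SHA is 3DES (64-bit block size, SWEET32). They are offered
  // only to reproduce a specific ClientHello; drop them for a real client.
  'AES128-GCM-SHA256',
  'AES256-GCM-SHA384',
  'AES128-SHA',
  'AES256-SHA',
  'DES-CBC3-SHA',
];

const cipher_list = ciphers.join(':');

// Signature algorithms advertised in the signature_algorithms extension,
// using the TLS 1.3 (RFC 8446) names OpenSSL accepts in a sigalgs string.
// Adding the SHA-1 entry 'ecdsa_sha1' made createSecureContext throw an
// empty OpenSSL error (error:00000000:lib(0):func(0):reason(0)): the
// OpenSSL setter returned failure without queuing a reason, i.e. the linked
// OpenSSL rejected the list — presumably because SHA-1 signature algorithms
// are not permitted at its default security level; TODO confirm against the
// OpenSSL build that this Node binary links.
const sigalgs = [
  'ecdsa_secp256r1_sha256',
  'ecdsa_secp384r1_sha384',
  'ecdsa_secp521r1_sha512',
  'rsa_pss_rsae_sha256',
  'rsa_pss_rsae_sha384',
  'rsa_pss_rsae_sha512',
  'rsa_pkcs1_sha256',
  'rsa_pkcs1_sha384',
  'rsa_pkcs1_sha512',
];

const sigalgs_list = sigalgs.join(':');

// Node does not export SSL_OP_TLSEXT_PADDING, so fall back to its value in
// the OpenSSL 1.1.x headers. SSL_OP_* bit assignments are not stable across
// OpenSSL releases: verify against <openssl/ssl.h> of the OpenSSL that this
// Node binary links, because a wrong bit silently sets a different option.
const SSL_OP_TLSEXT_PADDING = crypto.constants.SSL_OP_TLSEXT_PADDING ?? 0x00000010;

const secureOptions =
  crypto.constants.SSL_OP_NO_COMPRESSION // never negotiate TLS compression (CRIME)
  | crypto.constants.SSL_OP_NO_RENEGOTIATION
  | SSL_OP_TLSEXT_PADDING;

const socket = tls.connect({
  host: 'webpage.com',
  port: 443,
  servername: 'webpage.com', // SNI; also the name the certificate is checked against
  ciphers: cipher_list,
  sigalgs: sigalgs_list,
  secureOptions,
  ALPNProtocols: ['h2', 'http/1.1'],
  minVersion: 'TLSv1.2',
  // Asks the server to staple an OCSP response. Node only hands the staple
  // to the 'OCSPResponse' listener below; it does not validate it.
  requestOCSP: true,
  // Already the default; stated explicitly so nobody flips it to "fix" a
  // handshake error while experimenting with the options above.
  rejectUnauthorized: true,
});

// Without an 'error' listener a failed DNS lookup, TCP connect or handshake
// becomes an unhandled 'error' event and crashes the process.
socket.on('error', (err) => {
  console.error('TLS connection failed:', err.message);
});

socket.on('OCSPResponse', (response) => {
  // Raw DER OCSP response as sent by the server — unverified by Node.
  console.log('stapled OCSP response:', response.length, 'bytes');
});

socket.on('secureConnect', () => {
  console.log('connected to', socket.remoteAddress);
  // What was actually negotiated — useful to compare with the Wireshark capture.
  console.log('protocol:', socket.getProtocol(),
    'cipher:', socket.getCipher().name,
    'alpn:', socket.alpnProtocol);
});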

Given this code, I expect Node.js to build a ClientHello that offers exactly the cipher suites and signature algorithms I specified, but it does not. Worse, adding 'ecdsa_sha1' to the signature-algorithm list makes createSecureContext throw what looks like a bug — an OpenSSL error with no library, function or reason code:

node:_tls_common:237
    c.context.setSigalgs(sigalgs);
              ^

Error: error:00000000:lib(0):func(0):reason(0)
    at Object.createSecureContext (node:_tls_common:237:15)
    at Object.connect (node:_tls_wrap:1614:48)
    at Object.<anonymous> (/home/ghoul/Node/script.js:52:20)
    at Module._compile (node:internal/modules/cjs/loader:1092:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1121:10)
    at Module.load (node:internal/modules/cjs/loader:972:32)
    at Function.Module._load (node:internal/modules/cjs/loader:813:14)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:76:12)
    at node:internal/main/run_main_module:17:47

Is it possible that I am missing something simple?

Inspecting the ClientHello in Wireshark, Node.js does not appear to honour any part of this configuration.

asked on Stack Overflow Apr 8, 2021 by gholg



User contributions licensed under CC BY-SA 3.0