Implement TLS 1.3 Client Authentication #62

Open
dundic987 opened this issue Aug 29, 2019 · 4 comments

@dundic987

Hello,

I intend to construct a workflow trace in TLS-Attacker's Java code and send it to a server in order to establish a TLS handshake. However, I have two issues here:

  1. How do I demand/specify to use TLS 1.3?
  2. How do I (as the client) add a certificate and key (e.g. client-cert.pem and client-key.pem) to the configuration?

For now, my code looks as follows:

```java
Config config = Config.createConfig();
WorkflowTrace trace = new WorkflowTrace();
// Client opens the handshake
trace.addTlsAction(new SendAction(new ClientHelloMessage()));
// Server flight, including the CertificateRequest that asks for client authentication
trace.addTlsAction(new ReceiveAction(new ServerHelloMessage()));
trace.addTlsAction(new ReceiveAction(new EncryptedExtensionsMessage()));
trace.addTlsAction(new ReceiveAction(new CertificateRequestMessage()));
trace.addTlsAction(new ReceiveAction(new CertificateMessage()));
trace.addTlsAction(new ReceiveAction(new CertificateVerifyMessage()));
trace.addTlsAction(new ReceiveAction(new FinishedMessage()));
// Client authentication flight
trace.addTlsAction(new SendAction(new CertificateMessage()));
trace.addTlsAction(new SendAction(new CertificateVerifyMessage()));
trace.addTlsAction(new SendAction(new FinishedMessage()));
config.setDefaultClientSupportedCiphersuites(CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384);
// Run the trace against the configured server
State state = new State(config, trace);
DefaultWorkflowExecutor executor = new DefaultWorkflowExecutor(state);
executor.executeWorkflow();
```

Thank you!

@ic0ns
Contributor

ic0ns commented Sep 6, 2019

Hey,
The problem is in the Config object. TLS-Attacker requires you to explicitly set default values for everything such that TLS-Attacker knows how it is supposed to send its messages. Without you explicitly telling TLS-Attacker to send a TLS 1.3 ClientHello message it will just use a ClientHello with default values (found here: https://github.com/RUB-NDS/TLS-Attacker/blob/master/TLS-Core/src/main/resources/default_config.xml). You can find an example of TLS-Attacker + TLS 1.3 in our TLS-Scanner project: https://github.com/RUB-NDS/TLS-Scanner/blob/master/src/main/java/de/rub/nds/tlsscanner/probe/Tls13Probe.java. Additionally, there should be a prepared Config file here: https://github.com/RUB-NDS/TLS-Attacker/blob/master/resources/configs/tls13.config. I hope this helps.

You can specify a Certificate and private key yourself by setting the defaultExplicitCertificateKeyPair and setting autoSelectCertificate to false. However I do not think we support TLS 1.3 client authentication as of now. I will put it on the TODO list and try to find a student to implement it.
cheers
Robert

@dundic987
Author

dundic987 commented Sep 10, 2019

Thank you for the help!
But yeah, my intention is to establish a TLS 1.3 handshake with a TLS 1.3 implementation...

@ic0ns changed the title from "TLS 1.3, key+cert" to "Implement TLS 1.3 Client Authentication" on Sep 9, 2021
@ic0ns
Contributor

ic0ns commented Sep 9, 2021

Update: I think a student of mine implemented this. I will have to check if it's actually working before finally closing this issue.

@ic0ns
Contributor

ic0ns commented Jun 8, 2022

This feature will probably be added in TLS-Attacker 4.0.
