Fix ssl compatibility with older clients, prefer chacha20-poly1305 if possible
shortcutme committed Mar 27, 2019
1 parent cdd0f9c commit 5ab2031
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/Crypt/CryptConnection.py
Expand Up @@ -39,7 +39,7 @@ def selectCrypt(self, client_supported):
# Return: wrapped socket
def wrapSocket(self, sock, crypt, server=False, cert_pin=None):
if crypt == "tls-rsa":
ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CBC-SHA:ECDHE-ECDSA-AES128-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:ECDHE-RSA-AES256-CBC-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:RSA-AES128-SHA:RSA-AES256-SHA:RSA-DES-192-CBC3-SHA:"

ValdikSS Mar 27, 2019

@shortcutme what incompatibility did this change introduce? This exact cipher set has been added to mimic common browsers, to complicate ZeroNet fingerprinting.

HelloZeroNet (Owner) Mar 27, 2019

I have seen SSLV3_ALERT_HANDSHAKE_FAILURE errors after changing this.

ValdikSS Mar 27, 2019

@HelloZeroNet, what peers use SSLv3, and how many? Are they running an outdated OS or ZeroNet?
Try to replace the cipher list with this one then: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29

HelloZeroNet (Owner) Mar 27, 2019

It could be possible to fall back and retry the connection with the "compatibility" cipher list only if the SSLV3_ALERT_HANDSHAKE_FAILURE error is received.

ciphers = "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES256-SHA:"
ciphers += "!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK"
if server:
sock_wrapped = ssl.wrap_socket(
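Review bot: the replacement cipher string on the added line trades forward secrecy and the browser-like ordering for compatibility without diagnosing the failure first. The new list drops every ECDHE-ECDSA and DHE-RSA suite and ends with `AES128-SHA256` and `AES256-SHA`, which use static RSA key exchange, so a peer that negotiates either of them gets no forward secrecy; the removed line also carried static-RSA fallbacks, but only after the full (EC)DHE set, and ValdikSS notes above that its ordering was chosen to mimic common browsers. Since the `!aNULL:...` exclusion line and the `ssl.wrap_socket(` call are unchanged, a narrower change would keep the old string as the default and retry with the short "compatibility" string only after the handshake alert, as HelloZeroNet proposes in the thread. Worth recording in the commit message which peers failed and on what platform: `SSLV3_ALERT_HANDSHAKE_FAILURE` is OpenSSL's label for a handshake_failure alert at any protocol version, so the error name alone does not show that SSLv3 clients are involved.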
