Question: TLS 1.3 #21

Open
andmisfits89 opened this issue Jun 2, 2020 · 5 comments

@andmisfits89

Hello!

Do you have plans to implement TLS 1.3 support on SSLProxy?

Best Regards,

@sonertari
Owner

I have just pushed the tls13 branch, which cannot pass travis tests, but I know why and that's alright for now. It passes my e2e tests, so I think it works. Can you try the tls13 branch and report back please?

@andmisfits89
Author

Hi,

I tested it with the tls13 branch and it works.

The test was done with CentOS 7, OpenSSL 1.1.1f and libevent 2.1.11.

[root@centos src]# ./sslproxy -V
SSLproxy  (built 2020-06-25)
------------------------------------------------------------------------------
WARNING: Something is wrong with the version compiled into sslproxy!
The version should contain a release number and/or a git commit reference.
If using a package, please report a bug to the distro package maintainer.
------------------------------------------------------------------------------
Copyright (c) 2017-2020, Soner Tari <[email protected]>
https://github.com/sonertari/SSLproxy
Copyright (c) 2009-2019, Daniel Roethlisberger <[email protected]>
https://www.roe.ch/SSLsplit
Build info: V:DIR N:475e540
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 1.1.1f  31 Mar 2020 (1010106f)
rtlinked against OpenSSL 1.1.1f  31 Mar 2020 (1010106f)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: tls10 tls11 tls12 tls13
SSL/TLS algorithm availability: !SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.11-stable
rtlinked against libevent 2.1.11-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.5.3
compiled against sqlite 3.7.17
rtlinked against sqlite 3.7.17
2 CPU cores detected


Connection Log:


SNI peek: [tls13.1d.pw] [complete], fd=41
Connecting to [178.128.250.95]:443
SNI peek: [tls13.1d.pw] [complete], fd=43
Connecting to [178.128.250.95]:443
===> Original server certificate:
Subject DN: /CN=tls13.1d.pw
Common Names: tls13.1d.pw/tls13.1d.pw/www.tls13.1d.pw
Fingerprint: C4:12:9C:09:6C:53:7B:0D:55:2714:4C:D2:54:7A:06:22:78:F1:AF
Certificate cache: MISS
===> Original server certificate:
Subject DN: /CN=tls13.1d.pw
Common Names: tls13.1d.pw/tls13.1d.pw/www.tls13.1d.pw
Fingerprint: C4:12:9C:09:6C:53:7B:0D:55:2714:4C:D2:54:7A:06:22:78:F1:AF
Certificate cache: MISS
===> Forged server certificate:
Subject DN: /CN=tls13.1d.pw
Common Names: tls13.1d.pw/tls13.1d.pw/www.tls13.1d.pw
Fingerprint: F6:48:6E:17:CF:0A:11:9C:43:132D:83:BB:84:AF:47:F7:EA:8D:60
HTTPS connected to [178.128.250.95]:443 TLSv1.3 TLS_CHACHA20_POLY1305_SHA256
CLIENT_RANDOM 21BB4E5C37F19AB79D0CFC0D9A8BE3D064A5BAEC1A0554AE64D7055B867A7C4F 000000000000000000000000000000000400000000000000184EC1A4967F00000E0000000000000070660094967F0000
SSL session cache: MISS
Certificate cache: KEEP (SNI match or target mode)
SSL session cache: MISS
Certificate cache: KEEP (SNI match or target mode)
===> Forged server certificate:
Subject DN: /CN=tls13.1d.pw
Common Names: tls13.1d.pw/tls13.1d.pw/www.tls13.1d.pw
Fingerprint: B3:EC:39:0C:BD:1D:60:7F:B1:560E:FE:9E:E2:4E:CB:1D:E3:B9:60
HTTPS connected to [178.128.250.95]:443 TLSv1.3 TLS_AES_256_GCM_SHA384
CLIENT_RANDOM 4D1E3DF57EABA3DB92ECBF7175D956DF72DD028318513C8F63F135C30A2592BC 000000000000000000000000000000000400000000000000184EC1A4967F00000E00000000000000D08F009C967F0000
SSL session cache: MISS
Certificate cache: KEEP (SNI match or target mode)
SSL session cache: MISS
Certificate cache: KEEP (SNI match or target mode)
HTTPS connected to [178.128.250.95]:443 TLSv1.3 TLS_AES_128_GCM_SHA256
CLIENT_RANDOM 9B75C686004C88D7B1F87E6A6179BDC7CC70C921DE246DAC7447DF6EB2BDDF8D 0995A362BC6FEBD6F6A3903C61A6D6E1C0070CDB08636897507F03124A1076F100000000000000000200000000000000
HTTPS connected to [178.128.250.95]:443 TLSv1.3 TLS_AES_128_GCM_SHA256
CLIENT_RANDOM 63608989FC901616D9DE19186F5E509EE27FEE71AAC98640BA4BBA0FD37ABD9C 5608F6B4092BE55FE6CBC03A417522058DDB06C96F5414D07534206D055C5AEC00000000000000000200000000000000
Child connecting to [178.128.250.95]:443
SSL_free() in state 00000001 = 0001 = SSLOK  (SSL negotiation finished successfully) [connect socket]
Child HTTPS disconnected to [178.128.250.95]:443, child fd=49, fd=41
Child HTTPS disconnected from [172.31.190.251]:2364, child fd=49, fd=41
CONN: https 172.31.190.251 2364 178.128.250.95 443 tls13.1d.pw GET / 200 - sni:tls13.1d.pw names:tls13.1d.pw/tls13.1d.pw/www.tls13.1d.pw sproto:TLSv1.3:TLS_AES_128_GCM_SHA256 dproto:TLSv1.3:TLS_AES_256_GCM_SHA384 origcrt:C4129C096C537B0D5527144CD2547A062278F1AF usedcrt:B3EC390CBD1D607FB1560EFE9EE24ECB1DE3B960 user:-
SSL_free() in state 00000001 = 0001 = SSLOK  (SSL negotiation finished successfully) [accept socket]
HTTPS disconnected to [178.128.250.95]:443, fd=41
HTTPS disconnected from [172.31.190.251]:2364, fd=41


Thanks for your support.
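
The CONN line in the report above records both legs of the proxied session (sproto for the client side, dproto for the origin side) and the two certificate fingerprints (origcrt, usedcrt). As an added example that is not part of this thread or of SSLproxy itself, the parser below reads such lines and checks that TLS 1.3 was negotiated on both legs and that the client was shown a forged certificate; the field names are taken from the quoted log, and the regex layout is an assumption based on that one line.

```python
"""Parse SSLproxy 'CONN:' log lines and check that a proxied session used
TLS 1.3 on both legs. Added example for this thread, not SSLproxy's own code;
field names (sproto, dproto, origcrt, usedcrt) follow the quoted CONN line."""
import re
from dataclasses import dataclass

# Constructed sample input: the CONN line quoted in the test report above.
SAMPLE_LOG = """\
CONN: https 172.31.190.251 2364 178.128.250.95 443 tls13.1d.pw GET / 200 - sni:tls13.1d.pw names:tls13.1d.pw/tls13.1d.pw/www.tls13.1d.pw sproto:TLSv1.3:TLS_AES_128_GCM_SHA256 dproto:TLSv1.3:TLS_AES_256_GCM_SHA384 origcrt:C4129C096C537B0D5527144CD2547A062278F1AF usedcrt:B3EC390CBD1D607FB1560EFE9EE24ECB1DE3B960 user:-
"""

@dataclass
class ConnRecord:
    src: str        # client address (accept leg)
    dst: str        # origin server address (connect leg)
    host: str
    sproto: str     # TLS version negotiated with the client
    scipher: str
    dproto: str     # TLS version negotiated with the origin server
    dcipher: str
    origcrt: str    # fingerprint of the origin server's real certificate
    usedcrt: str    # fingerprint of the certificate presented to the client

# Assumed layout of a CONN line, derived from the single line quoted above.
_CONN_RE = re.compile(
    r"^CONN: \S+ (?P<sip>\S+) (?P<sport>\d+) (?P<dip>\S+) (?P<dport>\d+) (?P<host>\S+) .*?"
    r" sproto:(?P<sproto>[^:\s]+):(?P<scipher>\S+)"
    r" dproto:(?P<dproto>[^:\s]+):(?P<dcipher>\S+)"
    r" origcrt:(?P<origcrt>[0-9A-Fa-f]+) usedcrt:(?P<usedcrt>[0-9A-Fa-f]+)")

def parse_conn_line(line):
    """Return a ConnRecord for a CONN line, or None for any other log line."""
    m = _CONN_RE.match(line.strip())
    if m is None:
        return None
    return ConnRecord(src=f"{m['sip']}:{m['sport']}", dst=f"{m['dip']}:{m['dport']}",
                      host=m["host"], sproto=m["sproto"], scipher=m["scipher"],
                      dproto=m["dproto"], dcipher=m["dcipher"],
                      origcrt=m["origcrt"].upper(), usedcrt=m["usedcrt"].upper())

def summarize(log_text):
    """One summary per CONN line: did both legs use TLS 1.3, and was the
    certificate seen by the client a forged one (origcrt != usedcrt)?"""
    out = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None:
            continue
        out.append({"host": rec.host, "client": rec.src,
                    "tls13_both_legs": rec.sproto == "TLSv1.3" and rec.dproto == "TLSv1.3",
                    "cert_forged": rec.origcrt != rec.usedcrt,
                    "ciphers": (rec.scipher, rec.dcipher)})
    return out
```

Note that the two legs negotiated different AEAD suites (AES-128-GCM towards the client, AES-256-GCM towards the origin), which is expected for a terminating proxy and is exactly what a monitoring check should treat as two independent handshakes.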

@sonertari
Owner

Thanks for testing. Btw, I have fixed the testproxy e2e tests, so travis tests pass now too.

@mrbluecoat

Will this enable support for Encrypted SNI?

@sonertari
Owner

No, Encrypted SNI is not supported, as mentioned in README.
