Specifying min/max TLS versions doesn't work #543

Open
gaardiolor opened this issue Jan 30, 2025 · 3 comments

@gaardiolor

Hello,

Using tlslite-ng 0.8.2:

```python
from tlslite.tlsconnection import TLSConnection
from tlslite import HandshakeSettings
import socket

settings = HandshakeSettings()
settings.minVersion = (3, 3)  # TLS 1.2
settings.maxVersion = (3, 4)  # TLS 1.3

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('letsencrypt.org', 443))

c = TLSConnection(sock)
c.handshakeClientCert(settings=settings)
```

I'd expect the supported_versions extension in the ClientHello to only support TLS 1.2 and 1.3. However, TLS 1.0 and TLS 1.1 are also present.

Why.. ?

Thanks!

@tomato42
Member

yes, looks like a check is missing, probably here:

```python
if other.maxVersion < (3, 4):
    other.versions = [i for i in other.versions if i < (3, 4)]
```

and it's missing a documentation string too

adding a check in the above location to see if .versions and minVersion/maxVersion are consistent should be quite simple, would you like to do that?

@gaardiolor
Author

I don't know, I think the check is ok. It's not failing. I'm not sure what the purpose of those 2 lines of code is though:

```python
if other.maxVersion < (3, 4):
    other.versions = [i for i in other.versions if i < (3, 4)]
```

Just figured out that if I set it like this it works: `settings.versions = [(3, 3), (3, 4)]`

It looks like settings.versions is not automatically changed to match settings.minVersion and settings.maxVersion. And in tlsconnection.py, settings.version is used (not minVersion and maxVersion)

@tomato42
Member

> I don't know, I think the check is ok. It's not failing. I'm not sure what the purpose of those 2 lines of code is though:

I meant that we need more code to handle the minVersion limitation, precisely to fix this part:

> It looks like settings.versions is not automatically changed to match settings.minVersion and settings.maxVersion.

regarding:

> And in tlsconnection.py, settings.version is used (not minVersion and maxVersion)

that's because later code looks at the sent extension values, not HandshakeSettings
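
Added example, not part of the thread and not tlslite-ng code: since what matters is what ends up in the ClientHello, one way to confirm the configured range is honoured is to parse the supported_versions extension out of the handshake bytes and list anything outside the intended minimum and maximum. The function names are hypothetical, and the ClientHello bytes are constructed by `build_client_hello` rather than captured from a real connection.

```python
import struct

SUPPORTED_VERSIONS = 43  # extension type assigned in RFC 8446


def build_client_hello(versions):
    """Hypothetical helper: minimal ClientHello carrying supported_versions."""
    vers = b"".join(bytes(v) for v in versions)
    ext = struct.pack("!HHB", SUPPORTED_VERSIONS, len(vers) + 1, len(vers)) + vers
    body = (b"\x03\x03" + bytes(32) + b"\x00"    # legacy_version, random, no session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"  # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body


def offered_versions(hello):
    """Return the (major, minor) pairs in supported_versions, [] if absent."""
    try:
        end = 4 + int.from_bytes(hello[1:4], "big")
        if hello[0] != 1 or end > len(hello):
            raise ValueError("not a complete ClientHello")
        pos = 4 + 2 + 32                                      # header, version, random
        pos += 1 + hello[pos]                                 # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hello[pos]                                 # compression_methods
        ext_end = min(end, pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"))
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_len]
            if ext_type == SUPPORTED_VERSIONS:
                if not data or data[0] != len(data) - 1 or data[0] % 2:
                    raise ValueError("malformed supported_versions")
                return [(data[i], data[i + 1]) for i in range(1, len(data), 2)]
            pos += 4 + ext_len
        return []
    except IndexError:
        raise ValueError("truncated ClientHello") from None


def out_of_range(hello, min_version, max_version):
    """Advertised versions outside the inclusive [min_version, max_version]."""
    return [v for v in offered_versions(hello) if not min_version <= v <= max_version]


if __name__ == "__main__":
    # Constructed samples: the list the reporter described, then the workaround's.
    for offered in ([(3, 4), (3, 3), (3, 2), (3, 1)], [(3, 4), (3, 3)]):
        print(offered, out_of_range(build_client_hello(offered), (3, 3), (3, 4)))
```

The input is the handshake message without the 5-byte TLS record header, so strip that header first when feeding bytes taken from a packet capture.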
