Comments (4)
I have to say, I disagree with the statement that "server doesn't verify if client has sent a certificate" in case TLSv1.3 is used (I'm not sure yet about TLSv1.2). It may not be very clear, but in case the client doesn't send a certificate, the server will return an alertHandshakeFailure error. Indeed, the returned error is incorrect, but again - it does seem to me that authentication will fail.
In more detail, assume all TLS handshake messages are sent, but the Certificate message from the client doesn't actually contain any certificate. In case of client authentication on the server side:
- During handshake processing the code hits line 13.go:361
  certs := getCertsFromEntries(certMsg.certificates)
  len(certs) == 0
- serverHandshakeState.processCertsFromClient is called
- Function returns with nil,nil
  828: if len(certs) == 0 {
  829:     return nil, nil
  830: }
- verifyPeerHandshakeSignature is called with pubKey = nil
- pickSignatureAlgorithm is called with pubkey=nil
- Function returns:
  return 0, 0, 0, errors.New("tls: peer doesn't support any common signature algorithms")
- alertHandshakeFailure is sent back to the client
from tls-tris.
Hello @henrydcase,
I should have made this clear in the issue, this issue is kind of a follow-up of #140. Sorry for that. The server is only supposed to read a CertificateVerify message if the client actually sent a certificate. verifyPeerHandshakeSignature is then also only called if the client sent a certificate, i.e. your steps 4-7 wouldn't be executed in that case.
I suggest first merging #140, and then afterwards merging #142. If you prefer, I could also combine these two pull requests into one. Please let me know.
Yep, I'm aware that we will have this issue if #140 is merged but #142 is not. And this would be quite a bug. I would like to avoid having a single commit which introduces a security issue.
Nevertheless, #140 and #142 should be merged, this is a valuable contribution. Could you squash both into one single commit?
Makes sense. #142 it is.
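The behaviour discussed in this thread, as an added regression-style check that is not part of the original issue or of tls-tris: it uses Go's standard crypto/tls (an assumption; tls-tris may behave differently) over a loopback socket to show what the server sees when a TLS 1.3 client sends an empty Certificate message under two ClientAuth policies. The names serverCert, emptyClientCert, requireCert and requestOnly are this example's own.

```go
package main // added example: exercises Go's standard crypto/tls, not tls-tris
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

var requireCert, requestOnly = tls.RequireAnyClientCert, tls.RequestClientCert // policies compared

// serverCert returns a throwaway self-signed certificate, constructed for this example.
func serverCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// emptyClientCert handshakes with a certificate-less client; returns the server's peer-cert count and error.
func emptyClientCert(policy tls.ClientAuthType) (int, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() { // test client; server identity is not under test, hence InsecureSkipVerify
		if c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true}); err == nil {
			c.Read(make([]byte, 1)) // block until the server's alert or close_notify arrives
			c.Close()
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		return 0, err
	}
	srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{serverCert()}, ClientAuth: policy, MinVersion: tls.VersionTLS13})
	defer srv.Close()
	err = srv.Handshake() // in TLS 1.3 the client Certificate is checked here, after the client has finished
	return len(srv.ConnectionState().PeerCertificates), err
}

func main() {
	fmt.Println(emptyClientCert(requireCert)) // 0 and a non-nil handshake error
	fmt.Println(emptyClientCert(requestOnly)) // 0 <nil>
}
```

Under the request-only policy the handshake completes with zero peer certificates, so an application that relies on client authentication has to check `ConnectionState().PeerCertificates` itself or use a policy that requires a certificate.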