Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

How to not send TLS_EMPTY_RENEGOTIATION_INFO ? #503

Open
GunGunGun opened this issue Aug 18, 2023 · 1 comment
Open

How to not send TLS_EMPTY_RENEGOTIATION_INFO ? #503

GunGunGun opened this issue Aug 18, 2023 · 1 comment

Comments

@GunGunGun
Copy link

GunGunGun commented Aug 18, 2023
edited
Loading

Sending TLS_EMPTY_RENEGOTIATION_INFO is OpenSSL's specific and usually be treated as a bot.

Is there a way to not send it ?

Code:

import tlslite
import socket
from tlslite.integration import *
from tlslite.tlsconnection import TLSConnection

settings = tlslite.HandshakeSettings()
settings.sendFallbackSCSV = False
settings.cipherNames = ["aes128gcm", "chacha20-poly1305", "aes256gcm"]
s = socket.socket()
s.settimeout(100)
s.connect(("tls.peet.ws", 443))
s.settimeout(None)
c = TLSConnection(s)
c.handshakeClientCert(settings=settings)
c.sendall(b'''GET /api/all HTTP/1.1\r\nHost: tls.peet.ws\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/jxl,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: none\r\nSec-Fetch-User: ?1\r\n''')
content = b''
while True:
    data = c.recv(4028)
    if data == b'':
        break
    content += data

print(content)

Result:

b'HTTP/1.1 200 OK\r\nContent-Length: 2805\r\nContent-Type: application/json; charset=utf-8\r\nServer: TrackMe\r\n\r\n{\n  "ip": "14.177.213.243:60591",\n  "http_version": "HTTP/1.1",\n  "method": "GET",\n  "tls": {\n    "ciphers": [\n      "TLS_EMPTY_RENEGOTIATION_INFO",\n      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",\n      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",\n      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",\n      "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",\n      "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",\n      "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",\n      "TLS_RSA_WITH_AES_256_GCM_SHA384",\n      "TLS_RSA_WITH_AES_128_GCM_SHA256"\n    ],\n    "extensions": [\n      {\n        "name": "encrypt_then_mac (22)",\n        "data": ""\n      },\n      {\n        "name": "extended_master_secret (23)",\n        "master_secret_data": "",\n        "extended_master_secret_data": ""\n      },\n      {\n        "name": "ec_point_formats (11)",\n        "elliptic_curves_point_formats": [\n          "0x00"\n        ]\n      },\n      {\n        "name": "supported_groups (10)",\n        "supported_groups": [\n          "X25519 (29)",\n          "X448 (30)",\n          "P-384 (24)",\n          "P-256 (23)",\n          "P-521 (25)",\n          "ffdhe2048 (256)",\n          "ffdhe3072 (257)",\n          "ffdhe4096 (258)",\n          "ffdhe6144 (259)",\n          "ffdhe8192 (260)"\n        ]\n      },\n      {\n        "name": "signature_algorithms (13)",\n        "signature_algorithms": [\n          "rsa_pss_rsae_sha512",\n          "rsa_pss_rsae_sha384",\n          "rsa_pss_rsae_sha256",\n          "rsa_pkcs1_sha512",\n          "rsa_pkcs1_sha384",\n          "rsa_pkcs1_sha256",\n          "0x301",\n          "rsa_pkcs1_sha1"\n        ]\n      },\n      {\n        "name": "cert_type (9)",\n        "data": "0100"\n      }\n    ],\n    "tls_version_record": "771",\n    "tls_version_negotiated": "771",\n    "ja3": "771,255-52392-49200-49199-52394-159-158-157-156,22-23-11-10-13-9,29-30-24-23-25-256-257-258-259-260,0",\n    "ja3_hash": "5f76d72163bd108e030427e44e671465",\n    "peetprint": "||29-30-24-23-25-256-257-258-259-260|2054-2053-2052-1537-1281-1025-769-513|0||255-52392-49200-49199-52394-159-158-157-156|10-11-13-22-23-9",\n    "peetprint_hash": "57c813e9ab2472fe6389340d26a2d158",\n    "client_random": "caa0cbef7f55621cb6d593127eb1399ae9c68c2460cfc9a967da0e947f2d70a7",\n    "session_id": ""\n  },\n  "http1": {\n    "headers": [\n      "Host: tls.peet.ws",\n      "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0",\n      "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/jxl,image/webp,*/*;q=0.8",\n      "Accept-Language: en-US,en;q=0.5",\n      "Accept-Encoding: gzip, deflate, br",\n      "Connection: keep-alive",\n      "Upgrade-Insecure-Requests: 1",\n      "Sec-Fetch-Dest: document",\n      "Sec-Fetch-Mode: navigate",\n      "Sec-Fetch-Site: none",\n      "Sec-Fetch-User: ?1"\n    ]\n  }\n}\r\n\r\n'
@tomato42
Copy link
Member

TLS_FALLBACK_SCSV is different than TLS_EMPTY_RENEGOTIATION_INFO_SCSV

there is not setting to control TLS_EMPTY_RENEGOTIATION_INFO_SCSV, it's always sent: https://github.com/tlsfuzzer/tlslite-ng/blob/master/tlslite/tlsconnection.py#L680C4-L680C4

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tomato42 @GunGunGun