ClientHello custom extension field #483

Open
guilef opened this issue Sep 28, 2022 · 5 comments
guilef commented Sep 28, 2022

Hi, I would like to extract data from a custom extension field injected after the browser sent the ClientHello. The value is injected in our routers. Where is a good starting point to restore the packet integrity (HMAC, size)?

Thanks

@tomato42
Member

Since adding an extension will change the length of the extensions field and the length of the ClientHello, you need to recreate the changed ClientHello and then feed it into the HandshakeHashes object.
But at this point, why don't you just modify the Client Hello from tlsfuzzer to include the extension in the first place?

Honestly, I'm not sure what you want to do: if you have a middle box that wants to change the CH message, then it needs to be a TLS endpoint, as that's the only way to calculate correct Finished message...
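The length fix-up and the Finished mismatch described in the comment above, as an added example that is not part of the thread and does not use tlslite-ng's API. It uses only the Python standard library; the ClientHello bytes, extension type `0xFFA0`, value `router-7`, master secret and the placeholder for the remaining handshake messages are all constructed for illustration.

```python
import hashlib, hmac, struct

def build_client_hello(extensions: bytes) -> bytes:
    """Minimal TLS 1.2 ClientHello handshake message (constructed sample)."""
    body = (b"\x03\x03" + bytes(32)      # client_version, random (all zero here)
            + b"\x00"                    # empty session_id
            + b"\x00\x02\xc0\x2f"        # cipher_suites: one suite
            + b"\x01\x00"                # compression_methods: null
            + struct.pack("!H", len(extensions)) + extensions)
    return b"\x01" + len(body).to_bytes(3, "big") + body  # type + 24-bit length

def append_extension(hello: bytes, ext_type: int, data: bytes) -> bytes:
    """Add an extension and rewrite both length fields that cover it."""
    body = hello[4:]
    pos = 2 + 32                                       # skip version and random
    pos += 1 + body[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
    pos += 1 + body[pos]                               # compression_methods
    (ext_len,) = struct.unpack_from("!H", body, pos)
    exts = body[pos + 2:pos + 2 + ext_len]
    exts += struct.pack("!HH", ext_type, len(data)) + data
    body = body[:pos] + struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body

def prf_sha256(secret: bytes, label: bytes, seed: bytes, size: int) -> bytes:
    """TLS 1.2 PRF with SHA-256 (RFC 5246, section 5)."""
    seed, out = label + seed, b""
    a = seed
    while len(out) < size:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:size]

def client_verify_data(master_secret: bytes, transcript: bytes) -> bytes:
    """verify_data of the client Finished: PRF over the transcript hash."""
    digest = hashlib.sha256(transcript).digest()
    return prf_sha256(master_secret, b"client finished", digest, 12)

def demo():
    sent = build_client_hello(b"\xff\x01\x00\x01\x00")      # what the client sent
    seen = append_extension(sent, 0xFFA0, b"router-7")      # what the server received
    rest = b"<ServerHello..ClientKeyExchange placeholder>"  # identical on both sides
    secret = bytes(48)                                      # constructed master secret
    return (sent, seen, client_verify_data(secret, sent + rest),
            client_verify_data(secret, seen + rest))

if __name__ == "__main__":
    sent, seen, client_vd, server_vd = demo()
    print(len(sent), len(seen), client_vd.hex(), server_vd.hex(), client_vd == server_vd)
```

The rewritten message is well-formed, but the client hashes the bytes it sent and the server hashes the bytes it received, so the two `verify_data` values differ even with the same master secret.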

@guilef
Author

guilef commented Sep 29, 2022

> Since adding an extension will change the length of the extensions field and the length of the ClientHello, you need to recreate the changed ClientHello and then feed it into the HandshakeHashes object. But at this point, why don't you just modify the Client Hello from tlsfuzzer to include the extension in the first place?
>
> Honestly, I'm not sure what you want to do: if you have a middle box that wants to change the CH message, then it needs to be a TLS endpoint, as that's the only way to calculate correct Finished message...

Yes, you are right, I have a middle box that appends the custom CH field, adding information that I want to extract in tlslite-ng. The problem is that it raises an SSL_ERROR_BAD_MAC_ALERT during the handshake.

Is there a way to disable MAC verification in tlslite-ng?

@tomato42
Member

No, there isn't an API to do that.

@guilef
Author

guilef commented Oct 3, 2022

Thanks @tomato42 for your help.

One more question: is it possible to plug a flask/uwsgi app into tlslite-ng? I'm trying to change tls.py to do it, with no success so far.

@tomato42
Member

tomato42 commented Oct 3, 2022

No idea, never used flask or uwsgi; look into tlslite/integration for some examples of integrating tlslite-ng with other projects.
