client: detect protocol downgrade and report it

Tested locally with a terminating TLS proxy. Consider "OK" because the protocol finishes normally, it is up to the application to verify the actual certificate, etc.
cloudflare · Dec 28, 2017 · b2aff92 · b2aff92
1 parent 9ab88b8
commit b2aff92
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/index.html b/index.html
@@ -300,8 +300,8 @@ <h2 class="results-text">Results</h2>
   } else if (status == STATUS_NA) {
     desc = exp.Result;
     row.className = "status-na";
-  } else if (exp.Expected) {
-    desc = "Matches expected: " + exp.Expected;
+  } else if (exp.IsMitm) {
+    desc = "Communication succeeded, but interference by a MITM was detected";
     row.className = "status-ok";
   } else {
     desc = "";

diff --git a/main.go b/main.go
@@ -30,6 +30,7 @@ type Experiment struct {
 	Version uint16
 	Result  string
 	Failed  bool
+	IsMitm  bool
 }
 
 type keyLogPrinter struct {
@@ -126,6 +127,15 @@ func runTests(testId string, specs []SubtestSpec, verbose bool) {
 				exp.Result = response
 				exp.Failed = false
 			}
+			// if a version is negotiated, but does not match the
+			// expected version, it is likely being intercepted.
+			if result.ActualTLSVersion != 0 {
+				maxTLSVersion := spec.MaxTLSVersion
+				if maxTLSVersion == tls.VersionTLS13 {
+					maxTLSVersion = tls.VersionTLS13Draft22
+				}
+				exp.IsMitm = maxTLSVersion != result.ActualTLSVersion
+			}
 			// display in UI
 			updateExperiment(i, exp)
 		}()