Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for TLSv1.3 #588

Merged
merged 2 commits into from
Sep 8, 2020
Merged

Add support for TLSv1.3 #588

merged 2 commits into from
Sep 8, 2020

Conversation

jjnicola
Copy link
Member

@jjnicola jjnicola commented Aug 24, 2020
edited
Loading

What:
Add support for TLSv1.3

Why:
GnuTLS 3.6.5+ has enabled TLS 1.3 by default.

How:

  • create certs
    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

  • start web server forcing the usage of tls1_3 only
    openssl s_server -tls1_3 -key key.pem -cert cert.pem -accept 44330 -www

The new TLSv1.3 has the transport value 8 internally in openvas. So, for testing, both values will be used: 7 -> TLS_12 and 8 -> TLS_13

tls_13_test.nasl:

port = 44330;
if( ! soc = open_sock_tcp( port ) )
  exit( 0 );

soc = socket_negotiate_ssl( socket:soc, transport:8 );

if (! soc)
   {
     display("no socket");
     return;
   }
display("There is a socket");     
send( socket:soc, data:'GET / HTTP/1.0\r\n\r\n' );

display("Received !!!");     

res = recv( socket:soc, length:512 );
display("Show!!!");     
display( res );
display("Close!!");     
close( soc );
exit( 0 );

Execute the script twice, first with transport: 7 and then with transport:8 as argument in soclet_negotiate_ssl()

With transport 7, the communication fails.

$ sudo openvas-nasl -X -B -d -i /home/jnicola/install/var/lib/openvas/vts/scripts -t 127.0.0.1 tls_v13.nasl
lib  nasl-Message: 16:11:17.512: Transport set in nasl: 7
lib  misc-Message: 16:11:17.513: Function socket_negotiate_ssl called from tls_v13.nasl: SSL/TLS connection failed.
lib  nasl-Message: 16:11:17.513: no socket
lib  nasl-Message: 16:11:17.514: Transport set in nasl: 7
lib  misc-Message: 16:11:17.514: Function socket_negotiate_ssl called from tls_v13.nasl: SSL/TLS connection failed.
lib  nasl-Message: 16:11:17.514: no socket

With transport 8, an answer is received from the openssl s_server.

jnicola@malleus:~/my_nasl$ sudo openvas-nasl -X -B -d -i /home/jnicola/install/var/lib/openvas/vts/scripts -t 127.0.0.1 tls_v13.nasl
lib  nasl-Message: 16:12:43.540: Transport set in nasl: 8
lib  nasl-Message: 16:12:43.543: There is a socket
lib  nasl-Message: 16:12:43.543: Recieved !!!
lib  nasl-Message: 16:12:43.585: Show!!!
lib  nasl-Message: 16:12:43.586: HTTP/1.0 200 ok
Content-type: text/html

<HTML><BODY BGCOLOR="#ffffff">
<pre>

s_server -tls1_3 -key key.pem -cert cert.pem -accept 44330 -www 
Secure Renegotiation IS NOT supported
Ciphers supported in s_server binary
TLSv1.3    :TLS_AES_256_GCM_SHA384    TLSv1.3    :TLS_CHACHA20_POLY1305_SHA256 
TLSv1.3    :TLS_AES_128_GCM_SHA256    TLSv1.2    :ECDHE-ECDSA-AES256-GCM-SHA384 
TLSv1.2    :ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2    :DHE-RSA-AES256-GCM-SHA384 
TLSv1.2    :ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 
lib  nasl-Message: 16:12:43.586: Close!!

@jjnicola jjnicola force-pushed the tls13 branch 2 times, most recently from cfefe78 to 1990eaf Compare August 24, 2020 15:16
@jjnicola jjnicola marked this pull request as ready for review September 7, 2020 11:16
@ArnoStiefvater ArnoStiefvater merged commit 607b9db into greenbone:openvas-20.08 Sep 8, 2020
@jjnicola jjnicola deleted the tls13 branch September 8, 2020 09:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ArnoStiefvater ArnoStiefvater ArnoStiefvater approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jjnicola @ArnoStiefvater @nichtsfrei