Allow selection of TLS ciphers and options (+ show debugging info in console) #5918

Closed
shamasis opened this issue Feb 13, 2019 · 12 comments

@shamasis
Member

shamasis commented Feb 13, 2019

Currently, the Postman App does not show helpful debugging information regarding SSL/TLS protocol configuration / state during request and response. As such, it is difficult to distinguish between Postman issues vs handshake issues. Additionally, the TLS configurations and ciphers are not tweakable, which results in some specific requests failing or negotiating an unexpected TLS version.

  1. Add additional configurations in protocolProfileBehaviour to control TLS
  2. Show TLS debug information in console (or somewhere else.)

@sam-github

> the TLS configurations and ciphers are not tweakable

ciphers are configurable by CLI or programmatically:

What specific configurability are you looking for?

> Show TLS debug information in console

Is nodejs/node@5b55c60 what you are looking for? If so, I'll try to get something like it into node. Not sure if direct printf is OK, or whether a programmatic API that just callbacks the SSL_trace output to JS, and lets the user do with them what they will is the way to go. Do you have opinions?

sam-github added a commit to sam-github/node that referenced this issue Apr 26, 2019
Enable the same trace output that the OpenSSL s_client and s_server
support with their `-trace` option. This is invaluable when debugging
reports of TLS bugs as well as when debugging the internal TLS
implementation.

See:
- nodejs#25383
- nodejs#17936
- postmanlabs/postman-app-support#5918 (comment)
sam-github added a commit to nodejs/node that referenced this issue Apr 29, 2019
Enable the same trace output that the OpenSSL s_client and s_server
support with their `-trace` option. This is invaluable when debugging
reports of TLS bugs as well as when debugging the internal TLS
implementation.

See:
- #25383
- #17936
- postmanlabs/postman-app-support#5918 (comment)

PR-URL: #27376
Reviewed-By: Anna Henningsen
Reviewed-By: Ben Noordhuis
Reviewed-By: Richard Lau
targos pushed a commit to nodejs/node that referenced this issue Apr 30, 2019
@MauriceS

The commit to nodejs/node might have caused issues with Newman postmanlabs/newman#1991

@garyng

garyng commented May 28, 2019

Is this feature live?

@shamasis
Member Author

shamasis commented Jun 3, 2019

@garyng not yet. We ran into some hiccups with NodeJS and also some UI aspects around incorporating these settings.

@slaman75

slaman75 commented Jul 9, 2019

I still don't understand how this is an issue:

This is the default cipher list used by NodeJS (https://nodejs.org/api/tls.html#tls_modifying_the_default_tls_cipher_suite)

We support all of these... but when we turn off SSLv3 support, POSTMAN can't establish a handshake. Are you SURE that Postman is using the default NodeJS ciphers for TLS?

TLS_AES_256_GCM_SHA384:
TLS_CHACHA20_POLY1305_SHA256:
TLS_AES_128_GCM_SHA256:
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:
ECDHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA256:
ECDHE-RSA-AES256-SHA384:
DHE-RSA-AES256-SHA384:
ECDHE-RSA-AES256-SHA256:
DHE-RSA-AES256-SHA256:
HIGH:
!aNULL:
!eNULL:
!EXPORT:
!DES:
!RC4:
!MD5:
!PSK:
!SRP:
!CAMELLIA

@codenirvana
Member

We've added support for Request Level Configurations in the latest version of the Postman App, which allows you to:

  • Specify the order of cipher suites
  • Specify the SSL and TLS protocol versions to be disabled during the handshake
  • Use the server's cipher suite order instead of the client's during the handshake

[Screenshot]

We'll be adding support for the folder and collection-level configurations soon!

Also, all the low-level TLS information is accessible in the Postman Console (Postman v7.10).

[Screenshot]

@nils-work

Hi @codenirvana
Postman v7.30.1 (Windows) doesn't seem to show the TLS detail as you highlighted in your screenshot. Was it removed, or is it not available in Windows?

@codenirvana
Member

@nils-work Are you requesting an HTTPS API? Can you share the screenshot of your Postman Console (hide sensitive details)?

@nils-work

Hi @codenirvana

Hope this is enough? -
[image]

I also don't have the globe icon shown on this page, but understand that may be an older version? -
https://learning.postman.com/docs/sending-requests/certificates/

[image]

I'm interested in seeing and ideally being able to test the cipher being used with a request if possible.

Thanks

@codenirvana
Member

@nils-work I see you are behind a proxy and that's why Postman doesn't have all the information about the final request sent.

@nils-work

Thanks @codenirvana
When not behind a proxy, is the information that's logged to the console (the Network detail including ciphers and TLS version) available for use in a test script at all? (it doesn't seem to be available in pm.request/pm.response)

@codenirvana
Member

@nils-work Network details are not available in the test script at the moment.
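
Added example, not part of the thread and not Postman's or Node.js's own code: two of the request-level settings discussed above (cipher suite order and disabled protocol versions) expressed as Node.js `tls.connect()` options, with a probe that reports the negotiated protocol and cipher outside Postman. The names `buildTlsOptions`, `probe`, `cipherOrder` and `disabledProtocols` are hypothetical, and the host in the usage comment is a placeholder for an endpoint you supply.

```javascript
const tls = require('tls');
const { constants } = require('crypto');

// OpenSSL "disable this protocol version" flags, keyed by Node's protocol names.
const NO_PROTOCOL = new Map([
  ['SSLv3', constants.SSL_OP_NO_SSLv3],
  ['TLSv1', constants.SSL_OP_NO_TLSv1],
  ['TLSv1.1', constants.SSL_OP_NO_TLSv1_1],
  ['TLSv1.2', constants.SSL_OP_NO_TLSv1_2],
  ['TLSv1.3', constants.SSL_OP_NO_TLSv1_3],
]);

// Hypothetical helper: cipherOrder lists OpenSSL cipher names or keywords,
// most preferred first; disabledProtocols lists keys of NO_PROTOCOL.
function buildTlsOptions({ cipherOrder = [], disabledProtocols = [] } = {}) {
  let secureOptions = 0;
  for (const name of disabledProtocols) {
    if (!NO_PROTOCOL.has(name)) throw new RangeError(`unknown protocol: ${name}`);
    secureOptions |= NO_PROTOCOL.get(name);
  }
  const options = { secureOptions };
  if (cipherOrder.length > 0) {
    options.ciphers = cipherOrder.join(':');
    tls.createSecureContext(options); // throws if no listed cipher is usable
  }
  return options;
}

// Hypothetical helper: handshake with host:port (host is a DNS name you supply)
// and resolve with what was negotiated. trace=true turns on Node's enableTrace
// option, which prints the handshake trace to stderr.
function probe(host, port, options = {}, trace = false) {
  return new Promise((resolve, reject) => {
    const socket = tls.connect(
      { host, port, servername: host, enableTrace: trace, ...options },
      () => {
        const { name, standardName } = socket.getCipher();
        resolve({ protocol: socket.getProtocol(), cipher: name, standardName });
        socket.end();
      }
    );
    socket.once('error', reject);
  });
}

// Usage (needs network access; host is a placeholder):
// probe('api.example.test', 443, buildTlsOptions({ disabledProtocols: ['SSLv3', 'TLSv1'] }))
//   .then(console.log, console.error);
```

A handshake failure surfaces as a rejected promise carrying the OpenSSL error, which helps separate a protocol or cipher mismatch from an application-level problem.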
