Error: TLS error: Unsupported protocol version #12

Open
vulpicastor opened this issue Jun 13, 2024 · 5 comments

@vulpicastor
Member

When I tried to use certassist.mit.edu today, I got an error message:

Opening session
Error: TLS error: Unsupported protocol version.

It also seems that ca.mit.edu now supports TLS 1.3, from visiting it in my browser. Could it be that the JavaScript TLS implementation needs to be updated to support it?

Here's my browser version info. I can replicate this in Chrome 125 on both Chrome OS and Windows 10, as well as Firefox 127.0 on Windows 10.

Google Chrome	125.0.6422.169 (Official Build) (64-bit) 
Revision	0f77f18373e678a3da07c74a63d9452a7ab970a6-refs/branch-heads/6422@{#1281}
Platform	15853.61.0 (Official Build) stable-channel brya
Firmware Version	Google_Osiris.14505.682.0
Customization ID	osiris
ARC	11931015 SDK Version: 33
JavaScript	V8 12.5.227.13
User Agent	Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
@andersk
Member

andersk commented Jun 13, 2024

Hmm. ca.mit.edu supports TLS 1.2 and 1.3, but it looks like node-forge supports neither. Upstream issues:

@andersk
Member

andersk commented Jun 13, 2024

@andersk
Member

andersk commented Jun 13, 2024

Possible alternative to investigate: https://github.com/jawj/subtls, although it’s covered in “NOT READY FOR USE IN PRODUCTION” warnings.

@andersk
Member

andersk commented Jun 14, 2024

Based on the monitoring logs that have been going to my spam folder 🤭, this broke on Jun 3 between 18:30 and 19:00 EDT.

I’ve deployed an update v1-175-gb507476 that adds digitalbazaar/forge#581 for TLS 1.2 support. I reported the misordered chain to ops, who says it will be sorted shortly.

@andersk
Member

andersk commented Jun 29, 2024

Ops fixed the certificate chain ordering, but the server has changed the way it performs Duo authentication in a way that’s going to take more work to handle—I assume this is related to https://ist.mit.edu/news/touchstone-okta.
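
Added example, not part of the original thread and not code from certassist or node-forge: a decoder for the server's first plaintext TLS record, which is where a version mismatch like the one reported above shows up as a fatal `protocol_version` alert (RFC 5246, description 70). It assumes the reported error corresponds to such an alert; the function names and the sample bytes are constructed for illustration.

```javascript
// Record-layer constants from RFC 5246 (TLS 1.2) and RFC 8446 (TLS 1.3).
const CONTENT_TYPES = { 20: 'change_cipher_spec', 21: 'alert', 22: 'handshake', 23: 'application_data' };
const VERSIONS = { 0x0300: 'SSL 3.0', 0x0301: 'TLS 1.0', 0x0302: 'TLS 1.1', 0x0303: 'TLS 1.2', 0x0304: 'TLS 1.3' };
const ALERT_LEVELS = { 1: 'warning', 2: 'fatal' };
const ALERT_DESCRIPTIONS = { 0: 'close_notify', 40: 'handshake_failure', 42: 'bad_certificate',
  48: 'unknown_ca', 70: 'protocol_version', 71: 'insufficient_security', 80: 'internal_error' };

const hex = (n) => '0x' + n.toString(16).padStart(4, '0');
const u16 = (b, i) => (b[i] << 8) | b[i + 1];

// Parse one plaintext TLS record (hypothetical helper). Returns null when the
// buffer does not yet hold a complete record, so the caller can wait for more bytes.
function parseRecord(bytes) {
  if (bytes.length < 5) return null;
  const type = CONTENT_TYPES[bytes[0]];
  if (!type) throw new Error(`not a TLS record: content type ${bytes[0]}`);
  const length = u16(bytes, 3);
  if (length > 16384 + 2048) throw new Error(`record length ${length} exceeds the TLS limit`);
  if (bytes.length < 5 + length) return null;
  const version = u16(bytes, 1);
  return { type, version: VERSIONS[version] || hex(version), body: bytes.subarray(5, 5 + length) };
}

// Classify the server's first reply to a ClientHello (hypothetical helper).
function diagnoseFirstReply(bytes) {
  const rec = parseRecord(bytes);
  if (rec === null) return { kind: 'incomplete' };
  if (rec.type === 'alert') {
    if (rec.body.length !== 2) throw new Error('malformed alert: expected 2 bytes');
    const [level, code] = rec.body;
    return { kind: 'alert', level: ALERT_LEVELS[level] || `unknown(${level})`,
      description: ALERT_DESCRIPTIONS[code] || `unknown(${code})`,
      versionMismatch: code === 70 };
  }
  if (rec.type === 'handshake' && rec.body.length >= 6 && rec.body[0] === 2) {
    // ServerHello: msg_type(1) length(3) version(2). A TLS 1.3 server puts 0x0303
    // here and signals 1.3 in the supported_versions extension (not parsed).
    const v = u16(rec.body, 4);
    return { kind: 'server_hello', legacyVersion: VERSIONS[v] || hex(v) };
  }
  return { kind: 'other', type: rec.type };
}

// Constructed sample: fatal protocol_version alert inside a TLS 1.0-framed record.
const sampleAlert = Uint8Array.from([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46]);
console.log(diagnoseFirstReply(sampleAlert));
```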
