
handshake_failure #113

Open
wutengcoding opened this issue Jan 5, 2016 · 19 comments

Comments

@wutengcoding

Hi tls-dev:
I successfully installed the TLS library and ran the test suite like this:

./tlstest.py server localhost:4443 .
and, in another shell, type
./tlstest.py client localhost:4443 .
Then I get an error log like this. Could you please help me solve this problem?

Traceback (most recent call last):
  File "./tlstest.py", line 981, in <module>
    clientTestCmd(sys.argv[2:])
  File "./tlstest.py", line 478, in clientTestCmd
    connection.handshakeClientCert()
  File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 308, in handshakeClientCert
    for result in handshaker:
  File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 324, in _handshakeClientAsync
    for result in self._handshakeWrapperAsync(handshaker, checker):
  File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 1777, in _handshakeWrapperAsync
    for result in handshaker:
  File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 418, in _handshakeClientAsyncHelper
    for result in self._clientGetServerHello(settings, clientHello):
  File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 559, in _clientGetServerHello
    HandshakeType.server_hello):
  File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsrecordlayer.py", line 722, in _getMsg
    raise TLSRemoteAlert(alert)
tlslite.errors.TLSRemoteAlert: handshake_failure

@tomato42
Contributor

tomato42 commented Jan 5, 2016

You need to specify a key and certificate for the server; the tlstest.py client can't use anonymous connections.

@deostroll

@tomato42 how do you specify this?

@tomato42
Contributor

tomato42 commented Jul 6, 2016

-k path/to/key.pem -c path/to/user/certificate.pem

@deostroll

No. I gave it a go. Here were my observations:

The tests folder has some certs:

root@ba38dded5b35:/home/tlslite/tests# ls -l
total 112
-rw-r--r-- 1 root root   325 Jul  6 11:12 TACK1.pem
-rw-r--r-- 1 root root   325 Jul  6 11:12 TACK2.pem
-rw-r--r-- 1 root root   325 Jul  6 11:12 TACK_Key1.pem
-rw-r--r-- 1 root root   325 Jul  6 11:12 TACK_Key2.pem
-rw-r--r-- 1 root root   650 Jul  6 11:12 TACKs.pem
-rw-r--r-- 1 root root   325 Jul  6 11:12 TACKunrelated.pem
-rw-r--r-- 1 root root   924 Jul  6 11:12 clientX509Cert.pem
-rw-r--r-- 1 root root   891 Jul  6 11:12 clientX509Key.pem
-rwxr-xr-x 1 root root   327 Jul  6 11:12 httpsclient.py
-rwxr-xr-x 1 root root   113 Jul  6 11:12 httpsserver.sh
-rw-r--r-- 1 root root   152 Jul  6 11:12 index.html
-rw-r--r-- 1 root root  1094 Jul  6 11:12 serverX509Cert.pem
-rw-r--r-- 1 root root  1704 Jul  6 11:12 serverX509Key.pem
-rwxr-xr-x 1 root root 34354 Jul  6 11:12 tlstest.py
-rw-r--r-- 1 root root 24576 Jul  6 11:12 verifierDB

I think the test server is somehow consuming those certificates:
https://github.com/trevp/tlslite/blob/master/tests/tlstest.py#L578-L581

Anyway, I still manually provided the certs:
./tlstest.py server localhost:4443 . -k serverX509Key.pem -c serverX509Cert.pem

I ran the test client as I did before (without certs) and the issue replicated.

Then I ran the client with the certs:
./tlstest.py client localhost:4443 . -k serverX509Key.pem -c serverX509Cert.pem

Still the issue replicates.

@tomato42
Contributor

tomato42 commented Jul 7, 2016

Sorry, I completely confused issues. I have no idea why I wrote #113 (comment).

Can you explain what is the issue exactly?

I'm guessing that you have no tlslite installed (pip list | grep tls returns nothing), you clone the repo, run make install, then go to the tests directory and run the ./tlstest.py client localhost:4433 . and ./tlstest.py server localhost:4433 . commands?

If that is the case, can you try to reproduce the issue with the current master of https://github.com/tomato42/tlslite-ng ? (Please uninstall any tlslite or tlslite-ng installed before.)

@deostroll

> Can you explain what is the issue exactly?

That is explained above. The client runs a battery of tests, which are numbered. That specific error happens at Test 26.b. (You shouldn't run make test here; rather, do it manually as mentioned in the readme.) I studied the code according to the stack trace, but failed to understand the root cause.

> if that is the case, can you try to reproduce the issue with current master of https://github.com/tomato42/tlslite-ng ?

I've downloaded your repo, installed it and ran the test... and it went fine.

@tomato42
Contributor

tomato42 commented Jul 8, 2016

> if that is the case, can you try to reproduce the issue with current master of https://github.com/tomato42/tlslite-ng ?
>
> I've downloaded your repo installed it and ran the test...and it went fine.

Then can I suggest switching to it? It's a superset of tlslite, is API compatible, has new features and, as you can see, has some bugs fixed.

@deostroll

Okay. I will switch. But my goal is to understand SSL/TLS. Someone pointed me to this repo. But this is a library where most of the stuff is abstracted. But so is your repo.

I want to understand the handshaking process through code. Can you guide me here?

PS: This was my actual need.

@tomato42
Contributor

tomato42 commented Jul 8, 2016

I don't know of any project like this.

If you want to understand what each party does in the handshake, you may actually have better luck taking a look at the library I constructed on top of tlslite-ng, tlsfuzzer.

I'm building it to test the behaviour of servers, so it has fairly simple examples of RSA, DHE-RSA and ECDHE-RSA key exchange. It still has quite a few levels of indirection, but I think it does limit the complexity for a particular situation and at least limits the amount of code you have to read to understand what is happening in any particular case.

Anyway, this is unrelated to the original bug report, so we probably should move away from this issue tracker; feel free to file documentation bugs on tlsfuzzer or tlslite-ng.
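An added example (mine, not code from tlslite, tlslite-ng or tlsfuzzer) that decodes the two record types behind the traceback in the original report: after sending ClientHello, the client's _getMsg waits for a server_hello handshake message, and "TLSRemoteAlert: handshake_failure" means it received a fatal alert record (description 40) instead. Both records below are constructed by hand; the ServerHello carries the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 suite named later in the thread.

```python
import struct

# Constants from RFC 5246; only the values this example needs
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 70: "protocol_version"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 14: "server_hello_done"}
CIPHER_SUITES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

# Constructed sample records (not captured from tlslite):
# a fatal handshake_failure alert (level 2, description 40) ...
FATAL_HANDSHAKE_FAILURE = bytes.fromhex("1503030002" "0228")
# ... and a TLS 1.2 ServerHello with a dummy random, empty session id and suite 0xC02F
SERVER_HELLO = (bytes.fromhex("160303002a" "02000026" "0303") + b"\x11" * 32
                + bytes.fromhex("00" "c02f" "00"))


def parse_record(data):
    """Split one TLS record into (content type name, protocol version, payload)."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("record body truncated")
    return CONTENT_TYPES.get(ctype, ctype), (major, minor), payload


def expect_server_hello(data):
    """Mirror what tlslite's _getMsg does after ClientHello: decode a ServerHello,
    or report the alert the peer sent instead (the handshake_failure case)."""
    ctype, _version, body = parse_record(data)
    if ctype == "alert":
        level, desc = struct.unpack("!BB", body[:2])
        return {"type": "alert", "level": ALERT_LEVELS.get(level, level),
                "description": ALERT_DESCRIPTIONS.get(desc, desc)}
    if ctype != "handshake":
        raise ValueError("unexpected content type %r" % (ctype,))
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs_body = body[4:4 + hs_len]
    if HANDSHAKE_TYPES.get(hs_type) != "server_hello":
        raise ValueError("expected server_hello, got %r" % (HANDSHAKE_TYPES.get(hs_type, hs_type),))
    # ServerHello body: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
    sid_len = hs_body[34]
    suite = struct.unpack("!H", hs_body[35 + sid_len:37 + sid_len])[0]
    return {"type": "server_hello", "version": (hs_body[0], hs_body[1]),
            "cipher_suite": CIPHER_SUITES.get(suite, hex(suite))}
```

Feeding FATAL_HANDSHAKE_FAILURE to expect_server_hello gives the alert the test client reported; feeding SERVER_HELLO gives the decoded version and cipher suite a successful reply would carry.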

@kasserater

Hi @tomato42, is there a planned fix here?

I have version 0.4.9 and have reproduced the problem.
I will check 0.4.8 shortly.
I was using a very old version until recently with no issues, and once I started using 0.4.9 this issue emerged almost immediately.

Thanks

@tomato42
Contributor

I'm working on tlslite-ng only and the fix is already released there, so from my point of view the issue is closed (unless you are able to reproduce it there with either 0.5.1 or the current 0.6.0-beta1; then please open an issue on its issue tracker).

@trevp
Owner

trevp commented Aug 11, 2016

On Thu, Aug 11, 2016 at 7:59 AM, kasserater [email protected] wrote:

> I have version 0.4.9 and have reproduced the problem

I'd apply a fix to tlslite, if someone submits a PR.

Trevor

@kasserater

kasserater commented Aug 12, 2016

What info is needed to open a PR?

@kasserater

@trevp / @tomato42 - why was tlslite-ng branched off of tlslite? Is there any reason for anyone to use tlslite and not tlslite-ng?

@tomato42
Contributor

> What info is needed to open a PR?

A pull request is a set of patches; it's a proposed solution to the issue, not just the submission of a new bug.

> why was tlslite-ng branched off of tlslite?

Because I don't consider waiting half a year for a pull request review to be reasonable, especially not when I want to build the TLSv1.3 test suite on top of it and the standard is in its last drafts.

I am writing code an order of magnitude faster than Trevor was able to review it.

> is there any reason for anyone to use tlslite and not tlslite-ng?

That's for you to decide; obviously I'm biased, but in the time since the fork I (and a few others) have nearly doubled the number of changes to the library (we're 24 patches short of doubling, 20 of which are already waiting for review or slight reworking), adding a lot of new features or simplifying old code, all while improving code quality and increasing test coverage. Or in other words, tlslite-ng supports the most commonly used cipher on the Internet, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; tlslite does not.

@kasserater

@tomato42 I reproduced the issue with 0.5.2.
I will attempt with 0.5.1 and with 0.6.1-beta1.

@kasserater

0.5.1 has the same result.
I can't use 0.6.1-beta1 as I currently can't install the ecdsa package on my test machine.

@tomato42
Contributor

If you can reproduce it, and you don't have tlslite installed (don't install tlslite and tlslite-ng side by side), then please file a bug in the tlslite-ng tracker and include the following information:

  • installed version of tlslite-ng (and method of installation)
  • system version
  • python version
  • whether virtualenv is used

@kasserater

Totally reproducible. Will open.
