Merge TLS1.3 Feature Branch into Main #406
Conversation
* [DRAFT] Handshake logs * Removed heartbleed * Added handshake logs for ZGrab2 * Added handshake logs for ZGrab2 * TLS1.3: added cert logs * TLS1.3: adding keyAgreement logs * TLS1.3: log SignatureAndHashes * TLS1.3: log SupportedCurves * TLS1.3: log ServerKeyExchange * TLS 1.3: adding legacy Key Agreement algs
Co-authored-by: Denis Issoupov <[email protected]>
* Extract and output session ticket lifetime hint This restores the functionality from commit db98bd3, on the TLSv13 branch * tls: support ForceSessionTicketExt for ticketSupported
For TLS 1.3 connections, SupportedVersions.SelectedVersions will be present, and be 0x0304. Add this to the HandshakeLog, if present.
Do not overwrite collected server certs when we are asked for a client cert.
#331) * Added extension IDs for Server Hello messages to handshake log * Added marshalling capabilities for unknown extensions with empty data * Switched to extension extract function on serverHelloMsg * Re-added whitespace break
…erNotice (#334) * x509: make jsonifyExtensions() public * Certificate Policies: add grouped user notices field The separate fields for NoticeReferencNumbers, NoticeRefOrganization, and ExplicitTexts introduce ambiguity since these fields are structured and optional in the source data. A certificate with a mixture of UserNotices that have only one of ExplicitText or NoticeReference would previously be impossible to reconstruct. Add a new field, UserNotices, which preserved the original grouping of values, leaving the old format exposed in place, so that this case can be reconstructed without breaking existing usage.
Add option for CT log client to emit unparseable certs
Prior to the TLS 1.3 backport, there was a type assertion to make sure that cert.PublicKey.(*rsa.PublicKey) was true. This was lost in the backport work, and while very rare we did recently hit a case where this assertion is not true. Doing it inline in the call leads to a panic. This restores the prior type assertion check, and returns err if it fails.
Expose 'validSignature' field
The x509 package sets this field true when it finds a valid signature while validating certificates; copy the behavior here for consistency.
verifier: set ValidSignature field
Run go fmt to fix CI
verifier: add AppendFromPEMErr method
verifier: set ValidSignature for certificates in the graph
pkix: marshal nonstandard name attributes only once
* make extension parsing more permissive * allow permissive errros through on server certs
ignore permissive errors
A change in ECDSA signature generation made old flow data incompatible with newer Go versions: golang/go@08f2091
This reverts commit 90dd94c.
A change in ECDSA signature generation made old flow data incompatible with newer Go versions: golang/go@08f2091
There was a problem hiding this comment.
This is too large to reasonably review line-by-line. I've done some sanity checks and wanted to report back on why I think this is safe to merge.
After running a 1% of IPv4 space ZMap scan to ports 443 (HTTPS) and 587 (SMTP), I followed up with running a ZGrab scan on the hits with tls.
Of the over 700k targets, there was a slight uplift in success rate with TLS 1.3 included:
- master -> 67.43%
- TLS13 -> 68.03%
With 4,206 new successful hosts able to handshake with TLS13 support.
This tracks with my observed ratio of hosts that only support TLS 1.3, I found that 0.6% of hosts only supported TLS 1.3 on 100k targets, so this explains the difference.
There are some removed fields from the handshake_log, specifically:
data.tls.result.handshake_log.key_material, data.tls.result.handshake_log.client_key_exchange, data.tls.result.handshake_log.server_key_exchange,data.tls.result.handshake_log.client_finished, data.tls.result.handshake_log.server_finished, data.tls.result.handshake_log.key_material.pre_master_secret
|
How many SSLv3 hosts were lost on those two scans?
…On Thu, Mar 6, 2025 at 12:50 PM Phillip Stephens ***@***.***> wrote:
***@***.**** approved this pull request.
This is too large to reasonably review line-by-line. I've done some sanity
checks and wanted to report back on why I think this is safe to merge.
After running a 1% of IPv4 space ZMap scan to ports 443 (HTTPS) and 587
(SMTP), I followed up with running a ZGrab scan on the hits with tls.
Of the over 700k targets, there was a slight uplift in success rate with
TLS 1.3 included:
- master -> 67.43%
- TLS13 -> 68.03%
With 4,206 new successful hosts able to handshake with TLS13 support.
This tracks with my observed ratio of hosts that only support TLS 1.3, I
found that 0.6% of hosts *only* supported TLS 1.3 on 100k targets, so
this explains the difference.
There are some removed fields from the handshake_log, specifically:
data.tls.result.handshake_log.key_material,
data.tls.result.handshake_log.client_key_exchange,
data.tls.result.handshake_log.server_key_exchange,data.tls.result.handshake_log.client_finished,
data.tls.result.handshake_log.server_finished,
data.tls.result.handshake_log.key_material.pre_master_secret
These were removed in TLS1.3 and we'd need to add our own support for
parsing them if provided in TLS1.2
—
Reply to this email directly, view it on GitHub
<#406 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABREUCP4HIH4ICUA7YTVUD2TCYKHAVCNFSM6AAAAABXLQ47OGVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDMNRVGU4TMMJZHE>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
Out of 705,737 targets |
There was a problem hiding this comment.
@developStorm This looks significantly better w.r.t. bringing back TLS 1.2 scan data. There are 2 things I'm noticing in the diff though:
CLI invocation - echo "100.0.59.51, , , 443" | ./zgrab2 tls | jq
diff /tmp/master-100.0.59.51.json /tmp/branch-100.0.59.51.json
...
133c133
< "browser_error": "x509: failed to load system roots and no roots provided"
---
> "browser_error": "x509: unknown error"
...
159,160c159,160
< "signature_algorithm": "rsa",
< "hash_algorithm": "sha256"
---
> "signature_algorithm": "unknown.227",
> "hash_algorithm": "sha384"
Can we:
- Bring that
browser_errorback if it indeed was caused by not loading the certs? - Figure out why that signature algorithm says
unknown.227
I'm running a bulk scan to be sure there's no regressions there now.
|
A 1% scan of TLS and SMTP services yields a 1.24% increase in successful responses between So large-scale scans look good. I think if we can get those two fields fixed, this is good to go. |
|
@developStorm once you've gotten those fields added back in, can you paste before and after scans of a few hosts to spot check? |
I manually inspected every failed Go official unit test after the merge with Wireshark, confirming root cause of the change in recorded traffic flow, and apply fix or adopt the new flow as appropriate.
I also tested this with zgrab. Confirmed we are using TLS 1.3 (and also seems like we supported some new signature algorithms too!)
(Left original, right with new zcrypto)
Features discontinued to support
This list may be incomplete due to the significant differences between branches. I discussed this with @phillip-stephens, and we agreed to identify any missing features on the fly after merging. Since basic TLS and testing with Censys went smoothly, I’m confident that any missing features are unlikely to cause major issues.