9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] tls 1.2
@ 2016-11-15 15:48 Steve Simon
  2016-11-15 15:55 ` hiro
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Steve Simon @ 2016-11-15 15:48 UTC (permalink / raw)
  To: 9fans

Hi,

I am trying to get tls 1.2 working on a labs build of plan9.

What is most infuriating is I am sure I did this a few years ago but I cannot remember
how (or even if) I got it working.

What I have done is to install the following patches from 9legacy:

	libsec-chacha.diff				tls-devtls12.diff
	libsec-tlshand12-norc4.diff		tls-tlshand12.diff
	libsec-tlshand12-nossl3.diff

and rebuild my kernel and upas (where I need TLS1.2).

When I try to connect to a Windows machine I get an error
from devtls in the kernel that the length of the message is incorrect.

I have hacked around inside port/devtls.c but not found anything obvious.
I have also played with Wireshark, which didn't see anything very wrong.

I am sure I have missed an obvious step but I cannot see what it is.

Anyone help?

Thanks,

-Steve


* Re: [9fans] tls 1.2
From: hiro @ 2016-11-15 15:55 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Does it happen on 9front?


* Re: [9fans] tls 1.2
From: David du Colombier @ 2016-11-15 16:00 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

> I am trying to get tls 1.2 working on a labs build of plan9.
>
> What is most infuriating is I am sure I did this a few years ago but I cannot remember
> how (or even if) I got it working.
>
> what I have done is to install the following patches from 9legacy:
>
>         libsec-chacha.diff                              tls-devtls12.diff
>         libsec-tlshand12-norc4.diff             tls-tlshand12.diff
>         libsec-tlshand12-nossl3.diff
>
> and rebuild my kernel and upas (where I need TLS1.2).
>
> When I try to connect to a windows machine I get an error
> from devtls in the kernel  of the length of the message is incorrect.
>
> I have hacked around inside port/devtls.c but not found anything obvious,
> I have also played with wireshark which didn't see anything very wrong.
>
> I am sure I have missed an obvious step but I cannot see what it is.

The libsec-chacha.diff patch is not useful, since it's not used yet.

Does it work when you connect to https://9p.io/?
This machine has the same patches applied.

--
David du Colombier


* Re: [9fans] tls 1.2
From: David du Colombier @ 2016-11-15 16:03 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

> and rebuild my kernel and upas (where I need TLS1.2).

Just to be sure. Have you rebuilt libsec as well?

--
David du Colombier


* Re: [9fans] tls 1.2
From: Steve Simon @ 2016-11-15 16:22 UTC (permalink / raw)
  To: 9fans

> The libsec-chacha.diff patch is not useful, since it's not used yet.

I suspected as much but thought it wouldn't hurt.

> Does it work when you connect to https://9p.io/?
> This machine has the same patches applied.

Yes, this works fine.

I am trying to connect to DavMail, an Exchange / IMAP+SMTP gateway hosted on Windows,
so I am talking to a Windows TLS implementation, which may well be the cause of my frustration.

There is a very suspicious block of code:

	if((tr->handin == 0) && (header[0] & 0x80)){
		if(tr->debug)pprint("weird MS header\n");
		/* Cope with an SSL3 ClientHello expressed in SSL2 record format.
		   This is sent by some clients that we must interoperate
		   with, such as Java's JSSE and Microsoft's Internet Explorer. */
		/* the SSL2 length includes the 3 header bytes (type, version) already read */
		len = (get16(header) & ~0x8000) - 3;
		type = header[2];
		ver = get16(header + 3);
		if(type != SSL2ClientHello || len < 22)
			rcvError(tr, EProtocolVersion, "invalid initial SSL2-like message");
	}else{	/* normal SSL3 record format */
		if(tr->debug)pprint("normal SSL3 header\n");
		type = header[0];
		ver = get16(header+1);
		len = get16(header+3);
	}

Though I have tried looking at the contents of this buffer in case it has subtly changed, and
it bears no relation to this case, so maybe that's a red herring (a false lead, for non-British people).

-Steve
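As an added illustration (not code from devtls or from anyone in this thread), here is the same two-way header parse as a stand-alone C function with a sanity check on what it extracts, so a "length incorrect" style rejection can be reproduced on a handful of constructed headers. The SSL2ClientHello value of 1 (SSL2's client-hello message code) and the 2^14+2048 bound (RFC 5246's ciphertext record limit) are my assumptions, not values taken from the page.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example, not devtls code: parse a 5-byte record header the
 * way the quoted devtls fragment does, then sanity-check what came out. */

enum {
	SSL2ClientHello = 1,		/* SSL2 client-hello message code (assumption) */
	MaxRecordLen = 16384 + 2048,	/* RFC 5246 ciphertext record bound (assumption) */
	ChangeCipherSpec = 20,		/* lowest and highest TLS content types */
	ApplicationData = 23
};

typedef struct {
	int ssl2;	/* 1 if the header was an SSL2-style ClientHello */
	int type;
	int ver;
	int len;	/* payload bytes still to read after the 5-byte header */
} RecHdr;

static int get16(const uint8_t *p) { return (p[0] << 8) | p[1]; }

/* firstrec mirrors tr->handin == 0: only the first record may be SSL2-style.
 * Returns 0 when the header is plausible, -1 when it should be rejected. */
int parse_rec_hdr(const uint8_t *header, int firstrec, RecHdr *h)
{
	memset(h, 0, sizeof *h);
	if(firstrec && (header[0] & 0x80)){
		/* SSL2 length counts the 3 bytes (type, version) already in the header */
		h->ssl2 = 1;
		h->len = (get16(header) & ~0x8000) - 3;
		h->type = header[2];
		h->ver = get16(header + 3);
		return (h->type != SSL2ClientHello || h->len < 22) ? -1 : 0;
	}
	h->type = header[0];
	h->ver = get16(header + 1);
	h->len = get16(header + 3);
	if(h->type < ChangeCipherSpec || h->type > ApplicationData || h->len > MaxRecordLen)
		return -1;
	return 0;
}

/* Constructed sample headers (not captured from any real session). */
const uint8_t tls12_handshake[5] = { 0x16, 0x03, 0x03, 0x00, 0x2a };	/* handshake, 42 bytes */
const uint8_t ssl2_hello[5]      = { 0x80, 0x2b, 0x01, 0x03, 0x01 };	/* 43-byte SSL2 ClientHello */
const uint8_t ssl2_short[5]      = { 0x80, 0x10, 0x01, 0x03, 0x01 };	/* too short to be a hello */
const uint8_t bogus_len[5]       = { 0x17, 0x03, 0x03, 0xff, 0xff };	/* 65535-byte "record" */
```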


* Re: [9fans] tls 1.2
From: Steve Simon @ 2016-11-15 16:22 UTC (permalink / raw)
  To: 9fans

> Just to be sure. Have you rebuilt libsec as well?

yep.

Wireshark sees TLS 1.2 packets from plan9 so I have that much right...

-Steve


* Re: [9fans] tls 1.2
From: Steve Simon @ 2016-11-15 16:23 UTC (permalink / raw)
  To: 9fans

Sorry, I don't have a 9front so I don't know.

-Steve


* Re: [9fans] tls 1.2
From: David du Colombier @ 2016-11-16  8:18 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

> The libsec-chacha.diff patch is not useful, since it's not used yet.

Just to clarify. The libsec-chacha.diff patch implements the ChaCha20
stream cipher in libsec. It was developed by Charles Forsyth.
(https://bitbucket.org/plan9-from-bell-labs/plan9).

To make use of it, you have to implement the Poly1305 algorithm in libsec
and change devtls and tlshand to support ChaCha20 and Poly1305. These
changes are already available as part of 9front.

--
David du Colombier
