Hi Dan, On 13/07/2018 22:12, Daniel Lenski wrote: > On Fri, Jul 13, 2018 at 2:03 PM, Daniel Lenski <dlenski at gmail.com> wrote: >> Something in between the client and server is injecting an RST,ACK in >> both directions. > If you tweak the signature of the ClientHello, for example by changing > the cipher list with `gnutls-cli --priority=SECURE128` (default is > `--priority=NORMAL`). Does it still get intercepted and reset? I've made some progress. I captured the client side with Wireshark while connecting first with openssl, then with gnutls-cli.? I then compare the two. My initial observation was that openssl sends a much smaller cipher list to the server.? I therefore played around with the priority strings on gnutls-cli to decrease the cipher list until a) it worked over xDSL and b) it was smaller than openssl's, before testing it on the mobile network.? I ended up with a list of one; but while it worked over xDSL, it still failed over the mobile network.? Obviously, this issue isn't down to cipher list size. I then noticed that the TLS extensions are different.? In a desparate attempt, I added the --disable-extensions option to gnutls-cli and found it worked over the mobile network. OpenSSL's extensions are: ---------------------------------------------------------------------->8---------------------------------------------------------------------- ??????????? Extensions Length: 70 ??????????? Extension: ec_point_formats (len=4) ??????????????? Type: ec_point_formats (11) ??????????????? Length: 4 ??????????????? EC point formats Length: 3 ??????????????? Elliptic curves point formats (3) ??????????????????? EC point format: uncompressed (0) ??????????????????? EC point format: ansiX962_compressed_prime (1) ??????????????????? EC point format: ansiX962_compressed_char2 (2) ??????????? Extension: supported_groups (len=10) ??????????????? Type: supported_groups (10) ??????????????? Length: 10 ??????????????? Supported Groups List Length: 8 ??????????????? Supported Groups (4 groups) ??????????????????? Supported Group: x25519 (0x001d) ??????????????????? Supported Group: secp256r1 (0x0017) ??????????????????? Supported Group: secp521r1 (0x0019) ??????????????????? Supported Group: secp384r1 (0x0018) ??????????? Extension: SessionTicket TLS (len=0) ??????????????? Type: SessionTicket TLS (35) ??????????????? Length: 0 ??????????????? Data (0 bytes) ??????????? Extension: signature_algorithms (len=32) ??????????????? Type: signature_algorithms (13) ??????????????? Length: 32 ??????????????? Signature Hash Algorithms Length: 30 ??????????????? Signature Hash Algorithms (15 algorithms) ??????????????????? Signature Algorithm: rsa_pkcs1_sha512 (0x0601) ??????????????????????? Signature Hash Algorithm Hash: SHA512 (6) ??????????????????????? Signature Hash Algorithm Signature: RSA (1) ??????????????????? Signature Algorithm: SHA512 DSA (0x0602) ??????????????????????? Signature Hash Algorithm Hash: SHA512 (6) ??????????????????????? Signature Hash Algorithm Signature: DSA (2) ??????????????????? Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603) ??????????????????????? Signature Hash Algorithm Hash: SHA512 (6) ??????????????????????? Signature Hash Algorithm Signature: ECDSA (3) ??????????????????? Signature Algorithm: rsa_pkcs1_sha384 (0x0501) ??????????????????????? Signature Hash Algorithm Hash: SHA384 (5) ??????????????????????? Signature Hash Algorithm Signature: RSA (1) ??????????????????? Signature Algorithm: SHA384 DSA (0x0502) ??????????????????????? Signature Hash Algorithm Hash: SHA384 (5) ??????????????????????? Signature Hash Algorithm Signature: DSA (2) ??????????????????? Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503) ??????????????????????? Signature Hash Algorithm Hash: SHA384 (5) ??????????????????????? Signature Hash Algorithm Signature: ECDSA (3) ??????????????????? Signature Algorithm: rsa_pkcs1_sha256 (0x0401) ??????????????????????? Signature Hash Algorithm Hash: SHA256 (4) ??????????????????????? Signature Hash Algorithm Signature: RSA (1) ??????????????????? Signature Algorithm: SHA256 DSA (0x0402) ??????????????????????? Signature Hash Algorithm Hash: SHA256 (4) ??????????????????????? Signature Hash Algorithm Signature: DSA (2) ??????????????????? Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403) ??????????????????????? Signature Hash Algorithm Hash: SHA256 (4) ??????????????????????? Signature Hash Algorithm Signature: ECDSA (3) ??????????????????? Signature Algorithm: SHA224 RSA (0x0301) ??????????????????????? Signature Hash Algorithm Hash: SHA224 (3) ??????????????????????? Signature Hash Algorithm Signature: RSA (1) ??????????????????? Signature Algorithm: SHA224 DSA (0x0302) ??????????????????????? Signature Hash Algorithm Hash: SHA224 (3) ??????????????????????? Signature Hash Algorithm Signature: DSA (2) ??????????????????? Signature Algorithm: SHA224 ECDSA (0x0303) ??????????????????????? Signature Hash Algorithm Hash: SHA224 (3) ??????????????????????? Signature Hash Algorithm Signature: ECDSA (3) ??????????????????? Signature Algorithm: rsa_pkcs1_sha1 (0x0201) ??????????????????????? Signature Hash Algorithm Hash: SHA1 (2) ??????????????????????? Signature Hash Algorithm Signature: RSA (1) ??????????????????? Signature Algorithm: SHA1 DSA (0x0202) ??????????????????????? Signature Hash Algorithm Hash: SHA1 (2) ??????????????????????? Signature Hash Algorithm Signature: DSA (2) ??????????????????? Signature Algorithm: ecdsa_sha1 (0x0203) ??????????????????????? Signature Hash Algorithm Hash: SHA1 (2) ??????????????????????? Signature Hash Algorithm Signature: ECDSA (3) ??????????? Extension: encrypt_then_mac (len=0) ??????????????? Type: encrypt_then_mac (22) ??????????????? Length: 0 ??????????? Extension: extended_master_secret (len=0) ??????????????? Type: extended_master_secret (23) ??????????????? Length: 0 ---------------------------------------------------------------------->8---------------------------------------------------------------------- GnuTLS's extensions are: ---------------------------------------------------------------------->8---------------------------------------------------------------------- ??????????? Extensions Length: 107 ??????????? Extension: extended_master_secret (len=0) ??????????????? Type: extended_master_secret (23) ??????????????? Length: 0 ??????????? Extension: encrypt_then_mac (len=0) ??????????????? Type: encrypt_then_mac (22) ??????????????? Length: 0 ??????????? Extension: status_request (len=5) ??????????????? Type: status_request (5) ??????????????? Length: 5 ??????????????? Certificate Status Type: OCSP (1) ??????????????? Responder ID list Length: 0 ??????????????? Request Extensions Length: 0 ??????????? Extension: server_name (len=29) ??????????????? Type: server_name (0) ??????????????? Length: 29 ??????????????? Server Name Indication extension ??????????????????? Server Name list length: 27 ??????????????????? Server Name Type: host_name (0) ??????????????????? Server Name length: 24 ??????????????????? Server Name: vpn.my.fqdn.here ??????????? Extension: renegotiation_info (len=1) ??????????????? Type: renegotiation_info (65281) ??????????????? Length: 1 ??????????????? Renegotiation Info extension ??????????????????? Renegotiation info extension length: 0 ??????????? Extension: SessionTicket TLS (len=0) ??????????????? Type: SessionTicket TLS (35) ??????????????? Length: 0 ??????????????? Data (0 bytes) ??????????? Extension: supported_groups (len=12) ??????????????? Type: supported_groups (10) ??????????????? Length: 12 ??????????????? Supported Groups List Length: 10 ??????????????? Supported Groups (5 groups) ??????????????????? Supported Group: secp256r1 (0x0017) ??????????????????? Supported Group: secp384r1 (0x0018) ??????????????????? Supported Group: secp521r1 (0x0019) ??????????????????? Supported Group: secp224r1 (0x0015) ??????????????????? Supported Group: secp192r1 (0x0013) ??????????? Extension: ec_point_formats (len=2) ??????????????? Type: ec_point_formats (11) ??????????????? Length: 2 ??????????????? EC point formats Length: 1 ??????????????? Elliptic curves point formats (1) ??????????????????? EC point format: uncompressed (0) ??????????? Extension: signature_algorithms (len=22) ??????????????? Type: signature_algorithms (13) ??????????????? Length: 22 ??????????????? Signature Hash Algorithms Length: 20 ??????????????? Signature Hash Algorithms (10 algorithms) ??????????????????? Signature Algorithm: rsa_pkcs1_sha256 (0x0401) ??????????????????????? Signature Hash Algorithm Hash: SHA256 (4) ??????????????????????? Signature Hash Algorithm Signature: RSA (1) ??????????????????? Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403) ??????????????????????? Signature Hash Algorithm Hash: SHA256 (4) ??????????????????????? Signature Hash Algorithm Signature: ECDSA (3) ??????????????????? Signature Algorithm: rsa_pkcs1_sha384 (0x0501) ??????????????????????? Signature Hash Algorithm Hash: SHA384 (5) ??????????????????????? Signature Hash Algorithm Signature: RSA (1) ??????????????????? Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503) ??????????????????????? Signature Hash Algorithm Hash: SHA384 (5) ??????????????????????? Signature Hash Algorithm Signature: ECDSA (3) ??????????????????? Signature Algorithm: rsa_pkcs1_sha512 (0x0601) ??????????????????????? Signature Hash Algorithm Hash: SHA512 (6) ??????????????????????? Signature Hash Algorithm Signature: RSA (1) ??????????????????? Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603) ??????????????????????? Signature Hash Algorithm Hash: SHA512 (6) ??????????????????????? Signature Hash Algorithm Signature: ECDSA (3) ??????????????????? Signature Algorithm: SHA224 RSA (0x0301) ??????????????????????? Signature Hash Algorithm Hash: SHA224 (3) ??????????????????????? Signature Hash Algorithm Signature: RSA (1) ??????????????????? Signature Algorithm: SHA224 ECDSA (0x0303) ??????????????????????? Signature Hash Algorithm Hash: SHA224 (3) ??????????????????????? Signature Hash Algorithm Signature: ECDSA (3) ??????????????????? Signature Algorithm: rsa_pkcs1_sha1 (0x0201) ??????????????????????? Signature Hash Algorithm Hash: SHA1 (2) ??????????????????????? Signature Hash Algorithm Signature: RSA (1) ??????????????????? Signature Algorithm: ecdsa_sha1 (0x0203) ??????????????????????? Signature Hash Algorithm Hash: SHA1 (2) ??????????????????????? Signature Hash Algorithm Signature: ECDSA (3) ---------------------------------------------------------------------->8---------------------------------------------------------------------- Oddly enough, gnutls-cli still sends the following extensions when --disable-extensions is set: ---------------------------------------------------------------------->8---------------------------------------------------------------------- ??????????? Extensions Length: 57 ??????????? Extension: encrypt_then_mac (len=0) ??????????????? Type: encrypt_then_mac (22) ??????????????? Length: 0 ??????????? Extension: renegotiation_info (len=1) ??????????????? Type: renegotiation_info (65281) ??????????????? Length: 1 ??????????????? Renegotiation Info extension ??????????????????? Renegotiation info extension length: 0 ??????????? Extension: supported_groups (len=12) ??????????????? Type: supported_groups (10) ??????????????? Length: 12 ??????????????? Supported Groups List Length: 10 ??????????????? Supported Groups (5 groups) ??????????????????? Supported Group: secp256r1 (0x0017) ??????????????????? Supported Group: secp384r1 (0x0018) ??????????????????? Supported Group: secp521r1 (0x0019) ??????????????????? Supported Group: secp224r1 (0x0015) ??????????????????? Supported Group: secp192r1 (0x0013) ??????????? Extension: ec_point_formats (len=2) ??????????????? Type: ec_point_formats (11) ??????????????? Length: 2 ??????????????? EC point formats Length: 1 ??????????????? Elliptic curves point formats (1) ??????????????????? EC point format: uncompressed (0) ??????????? Extension: signature_algorithms (len=22) ??????????????? Type: signature_algorithms (13) ??????????????? Length: 22 ??????????????? Signature Hash Algorithms Length: 20 ??????????????? Signature Hash Algorithms (10 algorithms) ??????????????????? Signature Algorithm: rsa_pkcs1_sha256 (0x0401) ??????????????????????? Signature Hash Algorithm Hash: SHA256 (4) ??????????????????????? Signature Hash Algorithm Signature: RSA (1) ??????????????????? Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403) ??????????????????????? Signature Hash Algorithm Hash: SHA256 (4) ??????????????????????? Signature Hash Algorithm Signature: ECDSA (3) ??????????????????? Signature Algorithm: rsa_pkcs1_sha384 (0x0501) ??????????????????????? Signature Hash Algorithm Hash: SHA384 (5) ??????????????????????? Signature Hash Algorithm Signature: RSA (1) ??????????????????? Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503) ??????????????????????? Signature Hash Algorithm Hash: SHA384 (5) ??????????????????????? Signature Hash Algorithm Signature: ECDSA (3) ??????????????????? Signature Algorithm: rsa_pkcs1_sha512 (0x0601) ??????????????????????? Signature Hash Algorithm Hash: SHA512 (6) ??????????????????????? Signature Hash Algorithm Signature: RSA (1) ??????????????????? Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603) ??????????????????????? Signature Hash Algorithm Hash: SHA512 (6) ??????????????????????? Signature Hash Algorithm Signature: ECDSA (3) ??????????????????? Signature Algorithm: SHA224 RSA (0x0301) ??????????????????????? Signature Hash Algorithm Hash: SHA224 (3) ??????????????????????? Signature Hash Algorithm Signature: RSA (1) ??????????????????? Signature Algorithm: SHA224 ECDSA (0x0303) ??????????????????????? Signature Hash Algorithm Hash: SHA224 (3) ??????????????????????? Signature Hash Algorithm Signature: ECDSA (3) ??????????????????? Signature Algorithm: rsa_pkcs1_sha1 (0x0201) ??????????????????????? Signature Hash Algorithm Hash: SHA1 (2) ??????????????????????? Signature Hash Algorithm Signature: RSA (1) ??????????????????? Signature Algorithm: ecdsa_sha1 (0x0203) ??????????????????????? Signature Hash Algorithm Hash: SHA1 (2) ??????????????????????? Signature Hash Algorithm Signature: ECDSA (3) ---------------------------------------------------------------------->8---------------------------------------------------------------------- While I'd need to figure out the risks of disabling extensions (once I'd figured out what they are), I thought I'd continue and look at how to disable or manage extensions with the priority strings.? It turns out that %NO_EXTENSIONS is available for this. However, replacing --disable-extensions with %NO_EXTENSIONS in the priority string causes gnutls-cli to fail further down the handshake. A quick Wireshark capture of this shows that with %NO_EXTENSIONS gnutls-cli sends no extensions at all, unlike the --disable-extensions command-line option. However, it dawned on me afterwards that setting priority strings on the server would be pointless anyway as this issue is in the client hello message generated by the openconnect client on the Windows laptop. So while I may have narrowed down the cause of this issue, I'm still no closer to a resolution. Kind regards, Gareth > Dan --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus
