Skip to content
This repository has been archived by the owner on May 9, 2020. It is now read-only.

Backport TLSv1.3 secure ciphers #212

Merged
merged 1 commit into from May 2, 2019
Merged

Backport TLSv1.3 secure ciphers #212

merged 1 commit into from May 2, 2019

Conversation

ghost
Copy link

@ghost ghost commented May 1, 2019

Fixes #211

@ghost
Copy link
Author

ghost commented May 1, 2019

I've ran some feature tests on 155 different versions of node: https://github.com/pro-src/node-ciphers-ci-test

Due to the complicated nature of this problem, I can't say for certain that this is a guaranteed fix but it should at least mitigate some of the problems that users have been experiencing. Also, I'm thinking that Cloudflare is likely to update their SSL related checks so we'll need to keep an eye on this.

@codemanki
Copy link
Owner

Merging and releasing
1_snTXFElFuQLSFDnvZKJ6IA

@codemanki
Copy link
Owner

@pro-src it is ready to be merged, right?

@ghost
Copy link
Author

ghost commented May 2, 2019

Yeah, it is ready to be merged. TLSv1.3 is TLS done right. We're only backporting a few very secure openssl options to avoid triggering a CAPTCHA. At worst, it does nothing since openssl will simply ignore any unsupported ciphers. At best, it completely solves the problem by changing the defaults to more closely match the defaults of current openssl versions.

Node will call this openssl function to set the ciphers: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_cipher_list.html

The control string str should be universally usable and not depend on details of the library configuration (ciphers compiled in). Thus no syntax checking takes place. Items that are not recognized, because the corresponding ciphers are not compiled in or because they are mistyped, are simply ignored. Failure is only flagged if no ciphers could be collected at all.

Simply put, we're using a cipher list control string that includes the already existing defaults, plus a few additions if the openssl version is outdated.

I tested a 155 versions of node between v6 and the latest v12. I found that there is generally only 4 unique default cipher suite lists. Every version of the list is a subset of the most recent list and several cipher suites are present in all 4 lists. Thus, we can conclude that it is not the inclusion of the default ciphers that are causing the problem. It is the absence of expected ciphers and/or other attributes of the SSL negotiation. The chief difference in the lists being that some of the TLSv1.3 options present in recent versions of node are not present in versions of node that were compiled with openssl <= 1.1.0.

It still remains to be seen if this completely solves the problem since there are other variables in the TLS clientHello that could potentially cause our requests to be uniquely identified. Particularly, the signature algorithms extension: https://timtaubert.de/blog/2016/07/the-evolution-of-signatures-in-tls/

@codemanki codemanki merged commit f6d64b6 into codemanki:master May 2, 2019
@codemanki
Copy link
Owner

codemanki commented May 2, 2019

Released as 4.1.0. Thank you @pro-src for the pr and detailed explanation :)

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

CaptchaError: captcha v4.0.1 (SSL negotiation)
1 participant