Description
Checklist
- [ X] I've searched the issue tracker for similar requests
Is your feature request related to a problem? Please describe.
When supplying a self-defined list of cipher suites to a crypto provider and using it to open a TLS connection, the cipher suite TLS_EMPTY_RENEGOTIATION_INFO_SCSV (id 255) is always appended to the list. Is there already a way to prevent that?
Describe the solution you'd like
An optional flag in the `CryptoProvider`. If set, `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` will not be pushed to the cipher suites.
Describe alternatives you've considered
A way to supply the vec for client hello directly.
Additional context
I found that, for the ClientHello message, this cipher suite is always pushed onto the final vec.
`src/client/hs.rs`, line 442:
// Build the cipher-suite list for the ClientHello: take every suite from the
// configured provider and keep those that report themselves usable for the
// connection's protocol (`cx.common.protocol`).
let mut cipher_suites: Vec<_> = config
.provider
.cipher_suites
.iter()
.filter_map(|cs| match cs.usable_for_protocol(cx.common.protocol) {
true => Some(cs.suite()),
false => None,
})
.collect();
// The SCSV is appended unconditionally, after the filter above, so it is sent
// whatever the caller put in `provider.cipher_suites`.
// NOTE(review): per RFC 5746 this value ({0x00, 0xFF}) is a signalling value,
// not a negotiable cipher suite; it tells the server that the client
// understands secure renegotiation indication. Any option to omit it should
// document what signal is being dropped.
// We don't do renegotiation at all, in fact.
cipher_suites.push(CipherSuite::TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
No matter the content of my vec, this cipher suite is always pushed.
This is the code I'm working with:
use rustls::{crypto::ring::cipher_suite::*, CipherSuite, CipherSuiteCommon, SupportedCipherSuite, Tls12CipherSuite};
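/// Sends one HTTPS GET through a rustls client configured with a hand-picked
/// cipher-suite list and pretty-prints the JSON body of the response.
///
/// # Errors
///
/// Returns an error if the protocol-version selection is rejected, the HTTP
/// client cannot be built, the request fails, or the response body cannot be
/// parsed or re-serialised as JSON.
#[tokio::main(flavor = "current_thread")]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Suites offered by this client, in preference order.
    let cipher_suites: Vec<rustls::SupportedCipherSuite> = vec![
        TLS13_AES_128_GCM_SHA256,
        TLS13_CHACHA20_POLY1305_SHA256,
        TLS13_AES_256_GCM_SHA384,
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    ];

    // Start from the ring-backed default provider and override only the suite
    // list. Struct-update syntax moves the remaining fields out of the freshly
    // built default, so no clone is needed.
    let crypto_provider = rustls::crypto::CryptoProvider {
        cipher_suites,
        ..rustls::crypto::ring::default_provider()
    };

    // Trust anchors come from the bundled webpki root set.
    let mut root_store = rustls::RootCertStore::empty();
    root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());

    // Only TLS 1.3 is enabled here, even though the suite list above also
    // names TLS 1.2 suites.
    let client_config: rustls::client::ClientConfig =
        rustls::client::ClientConfig::builder_with_provider(std::sync::Arc::new(crypto_provider))
            .with_protocol_versions(&[&rustls::version::TLS13])?
            .with_root_certificates(root_store)
            .with_no_client_auth();

    let client = reqwest::Client::builder()
        .use_preconfigured_tls(client_config)
        .build()?;

    // The body printed below is whatever the remote service returns for this
    // request; it is printed for inspection only.
    let res = client.get("https://tls.browserleaks.com/").send().await?;
    let json = res.json::<serde_json::Value>().await?;

    // Propagate a serialisation failure instead of panicking.
    println!("{}", serde_json::to_string_pretty(&json)?);
    Ok(())
}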
->
{
"akamai_hash": "",
"akamai_text": "",
"http2": null,
"ja3_hash": "c93bce36d409674a3fea95dfdc25516d",
"ja3_text": "771,4865-4867-4866-49195-49199-52393-52392-49196-49200-255,43-10-5-51-13-0-45-11-23,29-23-24,0",
"ja3n_hash": "d75ef2923ef3542fa05a782c42231e22",
"ja3n_text": "771,4865-4867-4866-49195-49199-52393-52392-49196-49200-255,0-5-10-11-13-23-43-45-51,29-23-24,0",
"ja4": "t13d100900_61a7ad8aa9b6_6a7d638fc319",
"ja4_o": "t13d100900_da283e221b71_da5409cbb5a7",
"ja4_r": "t13d100900_00ff,1301,1302,1303,c02b,c02c,c02f,c030,cca8,cca9_0005,000a,000b,000d,0017,002b,002d,0033_0503,0403,0807,0806,0805,0804,0601,0501,0401",
"ja4_ro": "t13d100900_1301,1303,1302,c02b,c02f,cca9,cca8,c02c,c030,00ff_002b,000a,0005,0033,000d,0000,002d,000b,0017_0503,0403,0807,0806,0805,0804,0601,0501,0401",
"tls": {
"cipher_suite": [
{
"name": "TLS_AES_128_GCM_SHA256",
"value": 4865
}
],
"cipher_suites": [
{
"name": "TLS_AES_128_GCM_SHA256",
"value": 4865
},
{
"name": "TLS_CHACHA20_POLY1305_SHA256",
"value": 4867
},
{
"name": "TLS_AES_256_GCM_SHA384",
"value": 4866
},
{
"name": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"value": 49195
},
{
"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"value": 49199
},
{
"name": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"value": 52393
},
{
"name": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"value": 52392
},
{
"name": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"value": 49196
},
{
"name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"value": 49200
},
{
"name": "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
"value": 255
}
],
"connection_version": [
{
"name": "TLS 1.3",
"value": 772
}
],
"extensions": [
{
"data": {
"supported_versions": [
{
"name": "TLS 1.3",
"value": 772
}
]
},
"name": "supported_versions",
"value": 43
},
{
"data": {
"named_groups": [
{
"name": "X25519",
"value": 29
},
{
"name": "secp256r1",
"value": 23
},
{
"name": "secp384r1",
"value": 24
}
]
},
"name": "supported_groups",
"value": 10
},
{
"data": {
"request_extensions": 0,
"responder_id_list": 0,
"status_type": [
{
"name": "ocsp",
"value": 1
}
]
},
"name": "status_request",
"value": 5
},
{
"data": {
"named_groups": [
{
"key_exchange_length": 32,
"name": "X25519",
"value": 29
}
]
},
"name": "key_share",
"value": 51
},
{
"data": {
"algorithms": [
{
"name": "ecdsa_secp384r1_sha384",
"value": 1283
},
{
"name": "ecdsa_secp256r1_sha256",
"value": 1027
},
{
"name": "ed25519",
"value": 2055
},
{
"name": "rsa_pss_rsae_sha512",
"value": 2054
},
{
"name": "rsa_pss_rsae_sha384",
"value": 2053
},
{
"name": "rsa_pss_rsae_sha256",
"value": 2052
},
{
"name": "rsa_pkcs1_sha512",
"value": 1537
},
{
"name": "rsa_pkcs1_sha384",
"value": 1281
},
{
"name": "rsa_pkcs1_sha256",
"value": 1025
}
]
},
"name": "signature_algorithms",
"value": 13
},
{
"data": {
"server_name": "tls.browserleaks.com"
},
"name": "server_name",
"value": 0
},
{
"data": {
"ke_modes": [
{
"name": "psk_dhe_ke",
"value": 1
}
]
},
"name": "psk_key_exchange_modes",
"value": 45
},
{
"data": {
"ec_point_format_list": [
{
"name": "uncompressed",
"value": 0
}
]
},
"name": "ec_point_formats",
"value": 11
},
{
"name": "extended_master_secret",
"value": 23
}
],
"handshake_version": [
{
"name": "TLS 1.2",
"value": 771
}
],
"record_version": [
{
"name": "TLS 1.0",
"value": 769
}
]
},
"user_agent": ""
}