Limited Cipher Suites

  • Hello!
    I've noticed that when trying to establish an HTTPS connection to some web-sites I get the "Uncaught InternalError: Failed! mbedtls_ssl_handshake returned -0x7780" error. I compiled the latest sources on Linux and after playing around with Wireshark, figured out that Espruino only supports a very limited list of Cipher Suites:

                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
    

    The web-site I'm trying to connect to [require('http').get('https://lichess.org')] doesn't support any of them:

              TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
              TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
              TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
              TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
              TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
    

    I've tried to search the Espruino source code to find out where the list of Cipher Suites is being set, but had no success. Of course instead of directly accessing the web-site I could use a proxy, but I'd really like to include the above Cipher Suites in Espruino. Where in the source code should I be looking?

  • Mon 2021.03.29

    Hello @akot

    While I'm not the resource you may need to solve encryption issues, I am able to at least point you towards a starting point.

    I recognized the term SHA256 as an item that might encapsulate Http encryption and then did a simple Google search using the site keyword qualifier.

    Google:   SHA256   site:https://github.com/espruino/Espruino/

    The first response coincidentally pointed to the source that you may be after:

    https://github.com/espruino/Espruino/blob/master/libs/crypto/jswrap_crypto.c#L27



    Another method I used was to look over the Class Reference and found:

    http://www.espruino.com/Reference#t_l_AES_decrypt

    Noting the right facing arrow, just to the right of that heading is a clickable link that also takes one to the same code file.

    Understanding and navigating will be up to you however. . . .

  • Hello @Robin, thanks for your response.
    I've spent some time researching the source code and found this file:
    https://github.com/espruino/Espruino/blob/master/libs/crypto/mbedtls/library/ssl_ciphersuites.c
    where the ciphersuite_definitions array is being filled out depending on defined macros. In https://github.com/espruino/Espruino/blob/master/libs/crypto/mbedtls/config.h there's a MBEDTLS_CIPHER_MODE_CBC macro defined, which adds the above-mentioned Cipher Suites to ciphersuite_definitions. I've added macros MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED, MBEDTLS_DHM_C, MBEDTLS_GCM_C, and also added two lines:
    libs/crypto/mbedtls/library/dhm.c \
    libs/crypto/mbedtls/library/gcm.c
    in https://github.com/espruino/Espruino/blob/master/make/crypto/default.make

    Now that's what I see at ClientHello:

            Cipher Suites (13 suites)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
    

    and web-sites that require DHE RSA work.
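
Added example (not code from the thread or from Espruino): a Python check that pulls the cipher suite list out of a TLS ClientHello record and intersects it with the server's list, using the suite IDs posted above. The ClientHello bytes are constructed (zero random, no extensions) and all function names are hypothetical.

```python
import struct

# Suite IDs copied from the Wireshark listings in this thread.
SERVER = {0x009E, 0xC02F, 0x009F, 0xC030, 0xCCA8}   # lichess.org, per the first post
BEFORE = [0x003D, 0x0035, 0x003C, 0x002F, 0x00FF]   # stock Espruino build
AFTER = [0x009F, 0x006B, 0x0039, 0x009E, 0x0067, 0x0033, 0x009D,
         0x003D, 0x0035, 0x009C, 0x003C, 0x002F, 0x00FF]  # after enabling DHE_RSA + GCM
SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV: a signalling value, not a real suite

def build_client_hello(suites):
    """Constructed sample input: minimal TLS 1.2 ClientHello record."""
    body = b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
    body += struct.pack(">H", 2 * len(suites))      # cipher_suites length in bytes
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                             # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs

def offered_suites(record):
    """Return the cipher suite IDs a ClientHello record offers, in order."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or rec_len < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("ClientHello body too short")
    pos = 35 + body[34]                             # skip version, random, session id
    if len(body) < pos + 2:
        raise ValueError("missing cipher suite list")
    n = struct.unpack(">H", body[pos:pos + 2])[0]
    raw = body[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("truncated cipher suite list")
    return [struct.unpack(">H", raw[i:i + 2])[0] for i in range(0, n, 2)]

def negotiable(record, server_suites):
    """Suites both sides support, in client preference order."""
    return [s for s in offered_suites(record) if s in server_suites and s != SCSV]

if __name__ == "__main__":
    for label, suites in (("before", BEFORE), ("after", AFTER)):
        common = negotiable(build_client_hello(suites), SERVER)
        print(label, [hex(s) for s in common] or "no common suite: handshake fails")
```

An empty intersection is the condition under which the handshake in the first post fails; after the rebuild the two DHE_RSA GCM suites overlap.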

  • That's great - thanks for the update! I just saw the issue you filed and will continue on there: https://github.com/espruino/Espruino/issues/1994

Posted by @akot
