Re: [9fans] tls 1.2
> The libsec-chacha.diff patch is not useful, since it's not used yet.

Just to clarify. The libsec-chacha.diff patch implements the ChaCha20 stream cipher in libsec. It was developed by Charles Forsyth (https://bitbucket.org/plan9-from-bell-labs/plan9). To make use of it, you have to implement the Poly1305 algorithm in libsec and change devtls and tlshand to support ChaCha20 and Poly1305. These changes are already available as part of 9front.

-- David du Colombier
Re: [9fans] tls 1.2
Sorry, I don't have a 9front so I don't know.

-Steve
Re: [9fans] tls 1.2
> The libsec-chacha.diff patch is not useful, since it's not used yet.

I suspected as much but thought it wouldn't hurt.

> Does it work when you connect to https://9p.io/?
> This machine has the same patches applied.

Yes, this works fine. I am trying to connect to davmail, an Exchange / IMAP+SMTP gateway hosted on Windows, so I am talking to a Windows TLS implementation, which may well be the cause of my frustration.

There is a very suspicious block of code:

    if((tr->handin == 0) && (header[0] & 0x80)){
        if(tr->debug)pprint("weird MS header\n");
        /* Cope with an SSL3 ClientHello expressed in SSL2 record format.
           This is sent by some clients that we must interoperate with,
           such as Java's JSSE and Microsoft's Internet Explorer. */
        len = (get16(header) & ~0x8000) - 3;
        type = header[2];
        ver = get16(header + 3);
        if(type != SSL2ClientHello || len < 22)
            rcvError(tr, EProtocolVersion, "invalid initial SSL2-like message");
    }else{
        /* normal SSL3 record format */
        if(tr->debug)pprint("normal SSL3 header\n");
        type = header[0];
        ver = get16(header+1);
        len = get16(header+3);
    }

Though I have tried looking at the contents of this buffer in case it has subtly changed, it bears no relation to this case, so maybe that's a red herring (false lead, to non-British people).

-Steve
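The two header layouts that devtls branch tells apart, written out as a stand-alone decoder over constructed sample bytes; this is an added example, not code from the thread or from devtls.c. The names Rechdr and parsehdr, the handin argument and the upper bound applied to a normal record length are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example: decode the 5 bytes devtls reads first, choosing
   between SSL3 record framing and an SSL2-framed ClientHello. Names are
   assumptions, not devtls.c identifiers. */
enum { SSL2ClientHello = 1, MinSSL2Len = 22, MaxTLSRec = 16384 + 2048 };

typedef struct {
    int ssl2format;  /* 1 when the SSL2-style branch was taken */
    int type;        /* SSL3 content type, or SSL2 message type */
    int ver;         /* protocol version, 0x0303 for TLS 1.2 */
    int len;         /* bytes still to read after the 5-byte header */
    int ok;          /* 0 when the header would be rejected */
} Rechdr;

static int get16(const uint8_t *p) { return p[0] << 8 | p[1]; }

/* handin is the number of records already received; only the very first
   record may use SSL2 framing, so a later high bit is ordinary data. */
Rechdr parsehdr(const uint8_t header[5], int handin)
{
    Rechdr h = {0};
    if(handin == 0 && (header[0] & 0x80)){
        /* the 15-bit length also counts type+version, hence the -3 */
        h.ssl2format = 1;
        h.len = (get16(header) & ~0x8000) - 3;
        h.type = header[2];
        h.ver = get16(header + 3);
        h.ok = h.type == SSL2ClientHello && h.len >= MinSSL2Len;
    }else{
        h.type = header[0];
        h.ver = get16(header + 1);
        h.len = get16(header + 3);
        h.ok = h.len <= MaxTLSRec;  /* RFC 5246 bound; assumed check */
    }
    return h;
}

int main(void)
{
    /* constructed sample: TLS 1.2 handshake record carrying 42 bytes */
    const uint8_t tls12[5] = {0x16, 0x03, 0x03, 0x00, 0x2a};
    /* constructed sample: SSL2-framed ClientHello, record length 44, TLS 1.0 */
    const uint8_t ssl2[5] = {0x80, 0x2c, 0x01, 0x03, 0x01};
    Rechdr a = parsehdr(tls12, 1), b = parsehdr(ssl2, 0);
    printf("tls12: type %d ver %04x len %d ok %d\n", a.type, a.ver, a.len, a.ok);
    printf("ssl2:  type %d ver %04x len %d ok %d\n", b.type, b.ver, b.len, b.ok);
    return 0;
}
```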
Re: [9fans] tls 1.2
> Just to be sure. Have you rebuilt libsec as well?

Yep. Wireshark sees TLS 1.2 packets from plan9, so I have that much right...

-Steve
Re: [9fans] tls 1.2
> and rebuild my kernel and upas (where I need TLS1.2).

Just to be sure. Have you rebuilt libsec as well?

-- David du Colombier
Re: [9fans] tls 1.2
> I am trying to get tls 1.2 working on a labs build of plan9.
>
> What is most infuriating is I am sure I did this a few years ago but I cannot
> remember how (or even if) I got it working.
>
> What I have done is to install the following patches from 9legacy:
>
> libsec-chacha.diff tls-devtls12.diff
> libsec-tlshand12-norc4.diff tls-tlshand12.diff
> libsec-tlshand12-nossl3.diff
>
> and rebuild my kernel and upas (where I need TLS1.2).
>
> When I try to connect to a Windows machine I get an error
> from devtls in the kernel that the length of the message is incorrect.
>
> I have hacked around inside port/devtls.c but not found anything obvious.
> I have also played with Wireshark, which didn't see anything very wrong.
>
> I am sure I have missed an obvious step but I cannot see what it is.

The libsec-chacha.diff patch is not useful, since it's not used yet.

Does it work when you connect to https://9p.io/? This machine has the same patches applied.

-- David du Colombier
Re: [9fans] tls 1.2
Does it happen on 9front?