Questions tagged [tls1.3]

TLS (Transport Layer Security) version 1.3 is a security protocol. It is an upgrade of TLS version 1.2, and provides improvements in speed, efficiency, security and privacy.

24 votes
2 answers
19k views

How to enable TLSv1.3 for OkHttp 3.12.x on Android 8/9?

I'm using OkHttp 3.12.2 on Android 9 (Pixel 2 device) and try to connect to an nginx 1.14.0 running with OpenSSL 1.1.1. The nginx is capable of TLSv1.3, I verified this with Firefox 66.0.2 on Ubuntu ...
Andreas's user avatar
  • 559
23 votes
1 answer
48k views

Java 11 and 12 SSL sockets fail on a handshake_failure error with TLSv1.3 enabled

While developing a SSL-based (non HTTP) server in Java 12, I met unexpected difficulties for having the server and the client talk together. The connection was always interrupted with a ...
Corentor's user avatar
  • 689
14 votes
1 answer
36k views

How to handle HttpWebRequest C# with Tls 1.3

I am unable to connect to an HTTPS server (TLS 1.3) using WebRequest because of this error message: The request was aborted: Could not create SSL/TLS secure channel. The previous TLS version was 1.2 ...
user1760129's user avatar
12 votes
1 answer
618 views

How can I get just the TLS handshake, without the record layer?

I was looking at the recent Internet drafts for the QUIC transport protocol (transport and TLS), and wondered how that could be implemented in Java (or another JVM language), assuming I don't want to ...
Paŭlo Ebermann's user avatar
11 votes
2 answers
39k views

how to enable TLS 1.3 in windows 10

how to enable TLS 1.3 in windows 10
JohnMathew's user avatar
11 votes
0 answers
9k views

Is there a way for Windows 7 to support TLS 1.3 (.NET 4.8)

As far as I have read Win7 doesn't support TLS1.3, although there is rare information on this. Is there a way for Windows 7 to support TLS1.3, and if so how to do it? I have coded my application in ....
Gregory's user avatar
  • 111
10 votes
2 answers
23k views

Apache 2.4.37 with openssl 1.1.1: cannot perform post-handshake authentication

I updated apache to last version 2.4.37 and openssl to 1.1.1 and now, when client authenticates, I get this error only with Firefox 63, but not in Chrome: [ssl:error] AH: verify client post handshake,...
antoniofr's user avatar
  • 101
9 votes
1 answer
5k views

SpringBoot MVC - Warning: org.apache.tomcat.util.net.SSLUtilBase : The JSSE TLS 1.3 implementation does not support authentication

A question about Spring Boot MVC with Tomcat and TLSv1.3 I used to have a Spring Boot MVC, Tomcat based web app, with very simple business logic, over ssl HTTPS. Per security team review, I had to ...
PatPanda's user avatar
  • 4,262
9 votes
2 answers
4k views

How to make OpenSSL C server only support TLS 1.3?

We are having a Linux C program making use of OpenSSL APIs, acting as a TLS server. It currently has code as: context = SSL_CTX_new(TLS_method()); Which the OpenSSL v1.1.1 manual page says will ...
hardbean's user avatar
9 votes
1 answer
16k views

Filter TLS 1.3 traffic in Wireshark

Is there a simple way to filter TLS 1.3 packets in Wireshark? tls.record.version will not work because it usually contains a value of 0x0303 (TLS 1.2). I assume that Wireshark recognizes TLS 1.3 by ...
seladb's user avatar
  • 914
9 votes
5 answers
30k views

curl: RSA_padding_check_PKCS1_type_1:invalid padding

I am generating an X509 certificate through code (using OpenSSL APIs) for my server application. I have just added support for TLSv1.3 by adding TLSv1.3 ciphers in the supported list in my code. ...
Brijesh Valera's user avatar
8 votes
1 answer
15k views

SSL handshake failure with TLS 1.3

curl fails with openssl version 1.1.1d but works fine with OpenSSL/1.0.1t. I am trying to debug the reason and unable to find one. Please find below trace from curl logs. Failure case (curl 7.64.0 (...
SunilS's user avatar
  • 2,168
6 votes
1 answer
3k views

Tls 1.3 client does not report failed handshake when client certificate verification by server failed

I have a C client using OpenSSL that is failing a test when using a certificate that fails validation on the server side during the SSL_do_handshake() call on the server. When the application was ...
David Ritter's user avatar
6 votes
0 answers
437 views

Google suggested Security ProviderInstaller downgrade TLS to 1.2?

Using OkHttp and Google Security ProviderInstaller any connection to a domain that supports both TLS1.2 and TLS1.3 are made using 1.2 version. Without ProviderInstaller all works fine using 1.3. this ...
Alessandro Scarozza's user avatar
6 votes
1 answer
2k views

Deno / Postgres "invalid peer certificate contents: invalid peer certificate" error

I'm using deno db to connect to a supabase postgres server. Here's the error from deno deploy. TLS connection failed with message: invalid peer certificate contents: invalid peer certificate: ...
ThomasReggi's user avatar
  • 57.4k
5 votes
2 answers
3k views

Changes in SSLEngine usage when going up to TLSv1.3

Java 11 was released with TLSv1.3 support, used by default. It works OK in context of HTTPS and SSL sockets, but it seems that when using SSLEngine there are additional hurdles due to changes in ...
alamar's user avatar
  • 19k
5 votes
1 answer
22k views

Does .NET Core 3 support TLS 1.3

I am using .NET Core 3.0 to make a proxy which support only TLS 1.3, I saw that Tls13 = 12288 is defined in SslProtocols. But during my test it only throws exception "The client and server cannot ...
5 votes
2 answers
1k views

$ssl_early_data from nginx: should the application use it somehow?

I'm preparing to turn on nginx ssl_early_data to enable RTT-0 with TLS 1.3. I understand that, if I don't do it right, replay attacks become possible. I understand that, to prevent this, you need to ...
Dr. Gianluigi Zane Zanettini's user avatar
5 votes
0 answers
1k views

nginx TLSv1.3 redundant post-handshake session ticket?

So I was playing with TLSv1.3 in nginx and during the tests with curl and openssl I saw the following pattern: curl -v https://domain-using-tls2: ... <request headers> > * TLSv1.2 (IN), TLS ...
123's user avatar
  • 81
4 votes
1 answer
23k views

How to implement TLS 1.3 in Java Spring boot Application?

I want to implement TLS 1.3 in my spring boot application. https://blog.gypsyengineer.com/en/security/an-example-of-tls-13-client-and-server-on-java.html In this blog i have seen that TLS 1.3 can be ...
sandeep's user avatar
  • 51
4 votes
1 answer
14k views

.NET 4.8 TLS 1.3 Issue on Windows 10

A .NET 4.8 application running on Windows 10 (version 10.0.19041) with enabled TLS 1.3 using the registry as per how to enable TLS 1.3 in windows 10 However running the following code: try ...
Rick Sanchez's user avatar
4 votes
1 answer
12k views

How do you make an ssl certificate with tls 1.3?

so, for a while now I've been trying to figure out how do you issue an SSL certificate with tls 1.3 and not tls 1.2 because I'm not sure if I need to change something in my OpenSSL.cnf file or if I ...
Lucky M's user avatar
  • 61
4 votes
1 answer
2k views

Is Traefik on Docker significantly slower with HTTPS (vs HTTP)?

I've deployed a local instance of https://librespeed.org/ in order to test my LAN speeds. After changing some old cables, the speeds were good (~800mpbs symmetric). I wanted to leave the service ...
Laski's user avatar
  • 109
4 votes
1 answer
8k views

Is it possible to Make HTTP/2 requests with Apache HTTPClient 4.2.5?

I'm trying to make an HTTP/2 request with apache client. Is it possible with the below versions? migrating the versions in my web application cost me heavy code changes. Is there any workaround to ...
Rajeshwaran R's user avatar
4 votes
1 answer
2k views

What's the purpose of OpenSSL's internal client-side session cache?

I'm making changes to a client-side SSL application in order to support TLSv1.3. In order to support session reuse, I'm calling SSL_CTX_sess_set_new_cb to register a callback that OpenSSL calls ...
Craig M. Brandenburg's user avatar
4 votes
1 answer
7k views

socat openssl-listen - ensuring TLSv1.3 is in use

I have a working client/server scenario using socat with the following commands: Server socat openssl-listen:5000,reuseaddr,cert=server.pem,cafile=server.crt,verify=0 STDIO Client socat stdio ...
robertlayton's user avatar
4 votes
0 answers
297 views

Configure key material for SSL session tickets

I can see from the Erlang TLS 1.3 documentation that we can enable session resumption on the server by setting, for eg. {session_tickets, stateless}, The documentation also states Session tickets ...
Savior's user avatar
  • 3,471
4 votes
2 answers
6k views

C# HttpClient: Could not create SSL/TLS secure channel

I want to send a simple request to "https://etebarkala.com". Tried from .net versions 4.5 to 4.8 with no success This website opens easily with a browser There isn't any ssl validation ...
Masoud Chegeni's user avatar
3 votes
1 answer
1k views

Perl: send mail using office 365

I am trying to send mail using perl through server office 365 The operation succeed 8 times out of 10 (i.e. randomly fail in 20% of cases). use Net::SMTPS; my $mailer = Net::SMTPS->new("smtp....
Yuval Cohen's user avatar
3 votes
1 answer
3k views

How do I configure PostgreSQL's pg_hba.conf to allow connections with a verified certificate but to reject them (incl. localhost) if they don't?

I've set up PostgreSQL (v.15) server on my local machine using the PostgreSQL Binaries. And I've generated certificates using this link. I've stored the certificates in c:/certs and have also copied ...
HasQuestionsAndAnswers's user avatar
3 votes
1 answer
15k views

Apache reporting "Illegal protocol" when using TLSv1.3 with OpenSSL 1.1.1b installed

I'm trying to test TLSv1.3 support and Apache is failing to start with the following output from systemctl status httpd... systemd[1]: Starting The Apache HTTP Server... httpd[6001]: AH00526: Syntax ...
oucil's user avatar
  • 4,393
3 votes
2 answers
4k views

HTTP Web Request TLS 1.3 with C# .NET Core 3.1 exception "The client and server cannot communicate, because they do not possess a common algorithm."

When attempting a web request to a site which requires TLS 1.3 https://shop.claytonengineering.com/. I'm receiving the following exception on "request.GetResponse();". Exception: The SSL ...
Jay Metro's user avatar
3 votes
1 answer
8k views

SSLContext.getInstance("TLS") vulnerability

We get the call SSLContext.getInstance("TLS") reported as vulnerability. The recommended fix is to use SSLContext.getInstance("TLSv1.2"). I learnt that TLSv1.1 and TLSv1 are ...
Andreas Mueller's user avatar
3 votes
1 answer
5k views

Python pyOpenssl server doesn't negotiate TLS 1.3

I'm having hard time with pyOpenssl server to negotiate TLS 1.3. I used openssl s_client(1.3 supported) to connect to the server with no luck. However the server works with version TLS 1.2 and below. ...
Pr1614's user avatar
  • 61
3 votes
1 answer
6k views

Handshake Failure with TLS1.2 client and TLS1.3 server

After openssl upgrade to 1.1.1 version, I have a scenario where my client (odbc) is running at TLS1.2 and my server (database) is running at TLS 1.3 and it fails with following error at client side. ...
ramakrushna mishra's user avatar
3 votes
1 answer
124 views

Go's TLS 1.3 Implementation Ignores Key Usage

Doing some work with TLS 1.3 in both Go and Java, I recently found that Go ignores Key Usage status flags. On the other hand, Java's implementation checks key usage following the RFC. I'm thinking in ...
enocom's user avatar
  • 1,686
3 votes
1 answer
3k views

Wireshark/QUIC - Cannot decrypt QUIC

I'm trying to view the payload of QUIC packets although, with no luck. I can decrypt fine TLS packets using SSLLOGFILE file that generated by the browser and load it to Wireshark, I can see HTTPS and ...
Neyney10's user avatar
3 votes
0 answers
1k views

How to setup AWS Network Load Balancer (NLB) with TLS termination for Grpc service running in EKS?

I'm using AWS Load Balancer Controller for setup AWS NLB with TLS termination for Grpc service (grpc-dotnet implementation) running in EKS. Traffic between NLB and Pod in EKS is unencrypted. I also ...
Holden Cauldfield's user avatar
3 votes
0 answers
518 views

Can I change client certificate in the browser without a restart?

I am working on using client-side certificates MTLS certificates in FireFox/Chrome and that works fine. But, is there any way I can get the client certificate selector to open so that I can change the ...
Joe Markov's user avatar
3 votes
0 answers
3k views

How to use TLSv1.3 with nodejs 10.x

I was trying to make an external api call using https and got the following error. Error: Client network socket disconnected before secure TLS connection was established at TLSSocket....
Shadab Khan's user avatar
2 votes
1 answer
952 views

Updating Fuse to have TLS v1.3

I am new to JBoss Fuse server. The Fuse server version we are using is 7.2. According to undertow.xml file in ${karaf.home}/etc location, we currently support TLSv1, TLSv1.1 and TLSv1.2. Requirement ...
AlwaysALearner's user avatar
2 votes
1 answer
1k views

AttributeError: module 'ssl' has no attribute 'PROTOCOL_TLSv1_3'

I am trying to setup a tls context in python. I want to force TLSv1.3 using: context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_3) This does not work as I receive the following error: AttributeError: module '...
SilverTear's user avatar
2 votes
3 answers
38k views

The request was aborted could not create SSL/TLS secure channel - HttpWebRequest

I am making a webrequest to a 3rd party api and it was working fine. In between the certificate was changed for the API and now when I make the request from our dev environment, I am getting response ...
Suhail Ismail's user avatar
2 votes
2 answers
2k views

Nginx with TLS 1.3

Trying to use TLS 1.3 certificates in Nginx (1.15.8), I found that the official Nginx was built with openssl 1.1.0, where as for TLS 1.3, openssl 1.1.1 is needed. To solve this, I built my own ...
Eldad Assis's user avatar
  • 10.8k
2 votes
3 answers
4k views

Has anyone tried using TLS 1.3 using SChannel with Windows-11 21h2?

I'm working on a TLS client that needs to be upgraded to use TLS 1.3 on Windows-11. Has anyone successfully implemented TLS 1.3 using SChannel APIs? As per Microsoft below link TLS 1.3 is supported in ...
ajay kumar Jaiswal's user avatar
2 votes
1 answer
4k views

TLS 1.3 to 1.2 downgrading in a proxy

I'm trying to set up a HTTPS proxy that would allow to downgrade TLS 1.3 to TLS 1.2. My actual problem is : old browser + OS, only supports TLS 1.2, can't upgrade... new web server added in the ...
Touisteur EmporteUneVache's user avatar
2 votes
2 answers
9k views

OpenSSL 1.1.1 it supports only 3 out of 5 ciphers TLS 1.3

I have a simple site by using Apache web server and OpenSSL 1.1.1. I have configured everything as it supposed to be, the thing is while TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, ...
Matic Koren's user avatar
2 votes
2 answers
8k views

TLSv1.3 - java.io.EOFException: SSL peer shut down incorrectly

I am trying to connect to a response from a external site at java.lang.Thread.run(Thread.java:748) Caused by: java.io.EOFException: SSL peer shut down incorrectly at sun.security.ssl....
Nidheesh's user avatar
  • 4,510
2 votes
1 answer
2k views

How to check TLS version of request

I have okhttp3.OkHttpClient and I make REST request using Retrofit2. interface WebService { @GET("/httptwo") public Call<String> executeRequest(); } //in these 2 methods I ...
Igor_M's user avatar
  • 318
2 votes
1 answer
696 views

Http Over TLS Golang Not Receiving Headers

I am sending 'User-Agent Header' from my client but not receiving on server-side but when i use browser it works. server code : package main import ( "crypto/tls" "fmt" &...
user19323515's user avatar
