dev.boringcrypto: Unable to connect to a server using the tls.TLS_RSA_WITH_AES_256_CBC_SHA CipherSuite #44050

Open
kevindflynn opened this issue Feb 1, 2021 · 0 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
@kevindflynn

What version of Go are you using (go version)?

$ go version
go version go1.15.7b5 linux/amd64

Does this issue reproduce with the latest release?

Yes, on the dev.boringcrypto branch

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
root@120657b4c6e8:/go# go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build340154431=/tmp/go-build -gno-record-gcc-switches"
root@120657b4c6e8:/go#

What did you do?

I am unable to create a TLS connection to the server at email-smtp-fips.us-east-1.amazonaws.com:25 using the dev.boringcrypto branch of golang.
The error I received is remote error: tls: error decoding message
I have attached a sample program which reproduces this behavior.
main.go

package main

import (
	"context"
	"crypto/tls"
	_ "crypto/tls/fipsonly"
	"fmt"
	"net"
	"net/smtp"
	"strconv"
)

func main() {

	state, err := try("email-smtp-fips.us-east-1.amazonaws.com", 25)
	if state != nil {
		fmt.Printf("\t\tcerts: %+v\n", state.PeerCertificates)
		fmt.Printf("\t\tprotocol: %s - version: %d - cipher suite: %s\n", state.NegotiatedProtocol, state.Version, tls.CipherSuiteName(state.CipherSuite))
	}
	if err != nil {
		fmt.Printf("\t\terror: %s\n", err)
	}
}

func try(host string, port int) (*tls.ConnectionState, error) {
	ctx := context.Background()

	// Dial with provided context to allow for cancelling
	var dialer net.Dialer
	conn, err := dialer.DialContext(ctx, "tcp", net.JoinHostPort(host, strconv.Itoa(port)))
	if err != nil {
		return nil, err
	}
	defer conn.Close()

	fmt.Println("opening connection")

	c, err := smtp.NewClient(conn, host)
	if err != nil {
		return nil, err
	}

	fmt.Println("starting TLS handshake")

	err = c.StartTLS(&tls.Config{ // nolint
		ServerName: host,
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS13,

		PreferServerCipherSuites: true,

		CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_256_CBC_SHA},

		InsecureSkipVerify: true,
	})
	if err != nil {
		return nil, err
	}

	state, ok := c.TLSConnectionState()
	if ok {
		return &state, err
	}
	return nil, err
}

I have confirmed that I am able to create a TLS connection to this server using the same cipher suite using openssl. The openssl command I ran is:

openssl s_client -starttls smtp -crlf -cipher 'AES256-SHA' -connect email-smtp-fips.us-east-1.amazonaws.com:25

According to this documentation from openssl, TLS_RSA_WITH_AES_256_CBC_SHA maps to AES256-SHA in openssl.

What did you expect to see?

A log message indicating a successful TLS connection, with details about the certificates and protocol.

What did you see instead?

remote error: tls: error decoding message
@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Feb 1, 2021
@seankhliao seankhliao added this to the Unplanned milestone Aug 20, 2022
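
The alert in this report is sent by the server (`remote error`), so one diagnostic is to look at what the client actually puts in its ClientHello. The following is an added example, not code from the issue or from the Go project: it captures the ClientHello over an in-memory pipe and lists the offered cipher suite IDs. The names `issueConfig` and `offeredSuites` and the server name `smtp.example.test` are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

// issueConfig mirrors the version and cipher suite settings from the issue.
func issueConfig() *tls.Config {
	return &tls.Config{ServerName: "smtp.example.test", // constructed, never dialed
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS13,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_256_CBC_SHA}}
}

// offeredSuites runs a tls.Client over an in-memory pipe, captures the first
// record it writes (the ClientHello) and returns the cipher suite IDs in it.
func offeredSuites(cfg *tls.Config) (suites []uint16, err error) {
	cli, srv := net.Pipe()
	defer srv.Close() // no server replies; closing makes Handshake fail and return
	go func() { _ = tls.Client(cli, cfg).Handshake(); cli.Close() }()
	hdr := make([]byte, 5) // record header: type(1) version(2) length(2)
	if _, err = io.ReadFull(srv, hdr); err != nil {
		return nil, err
	}
	body := make([]byte, binary.BigEndian.Uint16(hdr[3:]))
	if _, err = io.ReadFull(srv, body); err != nil {
		return nil, err
	}
	p := 4 + 2 + 32 // handshake header, legacy_version, random
	if hdr[0] != 22 || len(body) < p+1 || body[0] != 1 {
		return nil, fmt.Errorf("first record is not a ClientHello")
	}
	p += 1 + int(body[p]) // skip legacy_session_id
	if len(body) < p+2 || len(body) < p+2+int(binary.BigEndian.Uint16(body[p:])) {
		return nil, fmt.Errorf("truncated ClientHello")
	}
	for n := int(binary.BigEndian.Uint16(body[p:])); n >= 2; n -= 2 {
		p += 2
		suites = append(suites, binary.BigEndian.Uint16(body[p:]))
	}
	return suites, nil
}

func main() {
	suites, err := offeredSuites(issueConfig())
	fmt.Printf("offered: %#x, err: %v\n", suites, err)
}
```

Building this once with and once without the issue's `_ "crypto/tls/fipsonly"` import shows whether FIPS-only mode changes the list the client offers. Any TLS 1.3 suites in the output are expected, because `Config.CipherSuites` does not control TLS 1.3 suites.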