Various TLS changes (#193)

* Enable the MITM SSL Client (from MITM to RDP Server) to use TLS 1.2 * Enable the MITM SSL Server (from RDP Client to MITM) to use TLS 1.2 * Allow any TLS version between client and MITM / MITM and server. * lock pyopenssl version to its major version to avoid breaking changes (see https://www.pyopenssl.org/en/stable/changelog.html) * Disable TLS 1.3 to avoid "impossible to decrypt" pcaps scenarios
GoSecure · Mar 25, 2020 · a7452b4 · a7452b4
1 parent 3660443
commit a7452b4
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/pyrdp/core/ssl.py b/pyrdp/core/ssl.py
@@ -27,9 +27,16 @@ class ClientTLSContext(ssl.ClientContextFactory):
     """
 
     def getContext(self):
-        context = SSL.Context(SSL.TLSv1_METHOD)
+        # Allow the MITM to connect to an RDP Server with ANY TLS version supported by the installed
+        # OpenSSL version. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784153
+        # It was removed from OpenSSL, but PyOpenSSL has not changed their constant names yet.
+        context = SSL.Context(SSL.SSLv23_METHOD)
         context.set_options(SSL.OP_DONT_INSERT_EMPTY_FRAGMENTS)
         context.set_options(SSL.OP_TLS_BLOCK_PADDING_BUG)
+
+        # We disable TLS 1.3 because the way to decrypt TLS 1.3 traffic differs from
+        # previous TLS versions and is not yet supported by PyRDP.
+        context.set_options(SSL.OP_NO_TLSv1_3)
         return context
 
 
@@ -47,5 +54,9 @@ def __init__(self, method):
                 self.set_options(SSL.OP_DONT_INSERT_EMPTY_FRAGMENTS)
                 self.set_options(SSL.OP_TLS_BLOCK_PADDING_BUG)
 
+                # See comment in ClientTLSContext
+                self.set_options(SSL.OP_NO_TLSv1_3)
+
+        # See comment in ClientTLSContext
         ssl.DefaultOpenSSLContextFactory.__init__(self, privateKeyFileName, certificateFileName, SSL.SSLv23_METHOD,
-                                                  TPDUSSLContext)
+                                                  TPDUSSLContext)
diff --git a/setup.py b/setup.py
@@ -32,7 +32,7 @@
         'names',
         'pyasn1',
         'pycryptodome',
-        'pyopenssl',
+        'pyopenssl==19',
         'pytz',
         'rsa',
         'scapy',