SecurityContext with minimal protocol version #37173
Comments
Hmm. That's not good enough. Wikipedia says "In October 2018, Apple, Google, Microsoft, and Mozilla jointly announced they would deprecate TLS 1.0 and 1.1 in March 2020.[11]" so we should think about that as well. I'll need some time to understand this code a bit better and what incompatibilities/breaking changes might occur if we change this or expose it in Dart. Could be interesting to do an SSL Labs test with a Dart client / server and see exactly what they allow. |
Just as info.
Since the project is Flutter-based, we quickly turned to Platform channel options, and at the moment we are calling native solutions. Java example:
We probed with the Wireshark tool. Using vanilla dart:io in a standalone app, Dart sends a 1.2 Client Hello inside a 1.0 header, offering 15 cipher suites. On the Java side there is a 1.2 header with 45 cipher suites. |
None, I was afraid I raised a “bad” question. This was before I dove deep into the Dart source code to find the reason for the problem. |
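The Wireshark observation above, as an added example (not code from the thread or the Dart SDK): a minimal Python parser that reads one ClientHello record and reports the record-header version separately from the version the hello itself offers, since the header of the first ClientHello is commonly TLS 1.0 even when the client offers TLS 1.2 or 1.3. The sample bytes are constructed, with dummy cipher-suite ids, and `parse_client_hello` and `build_sample` are names chosen for this example.

```python
import struct
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_client_hello(record: bytes) -> dict:
    """Report the version fields and cipher-suite count of one ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    record_version, record_len = struct.unpack("!HH", record[1:5])
    hello_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hello_len]
    if hello_len + 4 > record_len or len(hello) < hello_len:
        raise ValueError("ClientHello is truncated or spans several records")
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(hello):
            raise ValueError("truncated ClientHello")
        pos += n
        return hello[pos - n:pos]

    legacy_version = int.from_bytes(take(2), "big")
    take(32)                                       # client random
    take(take(1)[0])                               # legacy session id
    suites = take(int.from_bytes(take(2), "big"))  # two bytes per cipher suite
    take(take(1)[0])                               # compression methods
    offered = []
    exts = take(int.from_bytes(take(2), "big")) if pos < len(hello) else b""
    i = 0
    while i + 4 <= len(exts):
        ext_type, ext_len = struct.unpack("!HH", exts[i:i + 4])
        data = exts[i + 4:i + 4 + ext_len]
        if ext_type == 0x002B and data:            # supported_versions (RFC 8446)
            offered = [int.from_bytes(data[j:j + 2], "big") for j in range(1, 1 + data[0], 2)]
        i += 4 + ext_len
    # GREASE/unknown values are ignored; without the extension legacy_version is the ceiling.
    known = [v for v in offered if v in VERSIONS] or [legacy_version]
    label = lambda v: VERSIONS.get(v, hex(v))
    return {"record_version": label(record_version), "hello_version": label(legacy_version),
            "highest_offered": label(max(known)), "cipher_suites": len(suites) // 2}

def build_sample(n_suites: int = 15, supported: tuple = ()) -> bytes:
    """Constructed ClientHello: TLS 1.0 record header, TLS 1.2 hello, dummy suite ids."""
    suites = b"".join(struct.pack("!H", 0xC000 + n) for n in range(n_suites))
    vers = b"".join(struct.pack("!H", v) for v in supported)
    exts = struct.pack("!HHB", 0x002B, len(vers) + 1, len(vers)) + vers if supported else b""
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    return struct.pack("!BHH", 0x16, 0x0301, len(hello) + 4) + b"\x01" + len(hello).to_bytes(3, "big") + hello
```

When checking what a client really offers, compare `highest_offered` against the server's minimum rather than `record_version`.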
How / When can I enable TLS 1.2 in Dart? Browsers are complaining about the standard settings. |
@ferhatb @yjbanov @jonahwilliams - is this going to impact our developer workflow for flutter web? |
I'm not quite sure what the implications would be for the tool, fyi @zanderso |
/cc @aarongreen for advice about what the right thing to do here is: https://github.com/dart-lang/sdk/blob/master/runtime/bin/security_context.cc#L808 |
Hi all, I too was having issues handshaking from my Flutter app with an IOT message broker that supported a minimum TLS v1.2 connection. Whilst searching for an explanation, I found #37157, #37173 and #41061 which are similar issues discussing problems connecting via TLS with Dart. From what I understand, it appears that the connection message headers are TLS v1.0 conform, meaning my server rejected the request as insecure. In addition, #35462 discusses issues with using the setTrustedCertificates() method from the dart:io library. This led me to the following TLS/SSL with Dart article that ultimately helped me solve my issue. I have included code snippets of both the solution and what I had previously been doing wrong below. I hope this helps anyone else struggling with this issue and saves you the time and head-scratching that I went through ⏰

Solution 🚀

pubspec.yaml

```yaml
...
assets:
  # Add the required certificates to your bundle. Note: Your personal use-case may be different,
  # so just make sure to have a reference somewhere to the certificates required to negotiate a
  # secure connection.
  #
  # The certificate_chain.pem file contains the required client certificate together with the root
  # authority certificate. Note: order is important. The client certificate must come before the
  # root authority in this file! Mine looks something like this:
  #
  # -----BEGIN CERTIFICATE-----
  # Paste your client certificate here
  # -----END CERTIFICATE-----
  # -----BEGIN CERTIFICATE-----
  # Paste your root authority certificate here
  # -----END CERTIFICATE-----
  #
  - assets/path_to_certificates/certificate_chain.pem
  - assets/path_to_certificates/private.pem
```

client.dart

```dart
...
// Obtain the raw byte data of the certificate chain and private key file contents
ByteData certificateChain = await rootBundle.load("assets/path_to_certificates/certificate_chain.pem");
ByteData privateKey = await rootBundle.load("assets/path_to_certificates/private.pem");
final context = SecurityContext.defaultContext;
context.useCertificateChainBytes(certificateChain.buffer.asUint8List());
context.usePrivateKeyBytes(privateKey.buffer.asUint8List());
await SecureSocket.connect(host, port, context: context);
// Party time 🎉
...
```

Erroneous code (for reference only of what didn't work as expected) ❌

The following code results in a HandshakeException SSLV3_ALERT_BAD_CERTIFICATE(tls_record.cc:587)

pubspec.yaml

```yaml
...
assets:
  # The root CA and client certificates were previously separate. The solution was to combine
  # them into a single certificate chain (see above)
  - assets/path_to_certificates/root_ca_cert.pem
  - assets/path_to_certificates/client_cert.pem
  - assets/path_to_certificates/private.pem
```

client.dart

```dart
...
// Obtain the raw byte data of the client & root CA certificates and private key file contents
ByteData rootCACertificate = await rootBundle.load("assets/path_to_certificates/root_ca_cert.pem");
ByteData clientCertificate = await rootBundle.load("assets/path_to_certificates/client_cert.pem");
ByteData privateKey = await rootBundle.load("assets/path_to_certificates/private.pem");
final context = SecurityContext.defaultContext;
context.setClientAuthoritiesBytes(clientCertificate.buffer.asUint8List());
context.setTrustedCertificatesBytes(rootCACertificate.buffer.asUint8List());
context.usePrivateKeyBytes(privateKey.buffer.asUint8List());
await SecureSocket.connect(host, port, context: context);
// HandshakeException 💥
...
```
|
You are a hero. |
This ticket has been opened for almost 2 years yet I can't find official docs or any clear guidance/answers from dart team how to deal with TLS 1.2 / 1.3 problem if there are any :( any updates on this? |
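I can confirm that TLS 1.2 works with recent versions of Flutter and its HttpClient. I wanted to lock down which algorithms it would negotiate, so I did some experimenting. For my HTTP server, I landed on the following cipher suite priority ordering during SSL/TLS negotiation:
With this ordering, Flutter will currently connect using TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, and that's an acceptable choice. My server only supports TLS 1.2 and 1.3. If, for some reason, you don't have control over all this for your HTTP server, then expect Flutter to negotiate a lower quality cipher. |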
That TLS 1.2 works is no news. :(
It's TLS 1.3 we need.
On Sat, 20 Feb 2021 at 14:54, Travis Haagen ***@***.***> wrote:
> I can confirm that TLS 1.2 works with recent versions of Flutter and its
> HttpClient. I wanted to lock down which algorithms it would negotiate, so
> I did some experimenting. For my HTTP server, I landed on the following
> cipher suite priority ordering during SSL/TLS negotiation:
>
>     // tls 1.3
>     tls.TLS_AES_256_GCM_SHA384,
>     tls.TLS_CHACHA20_POLY1305_SHA256,
>     tls.TLS_AES_128_GCM_SHA256,
>     // tls 1.2
>     tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>     // following is supported by Flutter clients (Jan. 2021)
>     tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
>     tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>
> With this ordering, Flutter will currently connect using
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, and that's an acceptable
> choice.
> My server only supports TLS 1.2 and 1.3.
> If, for some reason, you don't have control over all this for your HTTP
> server, then expect Flutter to negotiate a lower quality cipher.
|
Any progress from this issue? We are currently developing a medical device (app) with flutter that has to meet certain security standards (by law). Additionally, our certificates are created from a common CA, so all HTTPS connections are accepted by default and we cannot "unlock" connections by specifying a certificate inside the app. Basically we need to make sure that our app only connects to our backend (specific domain) and that only one specific type of encryption is accepted. It would be nice if flutter would support some more strict security features in the future. Also we are currently using dio as http client for the app. Is there a way to meet the specifications mentioned above with it? |
I thought this would be such a simple fix.. We noticed that we could force a secureServerSocket to some unwanted tls1.0 see below.. But good news I think was that I can force a connection to TLS1.3 using openssl. But still there seems no way to only accept version TLS1.x through the dart sdk.. Seeing as behind the scenes openssl is being used it should be exposable, as openssl the command line can do it.. TLS1.3 on Dart version .... Dart SDK version: 2.13.0 (stable) (Wed May 12 12:45:49 2021 +0200) on "windows_x64" runtime code is here line 805
Plus the example connection that is allowed but we would rather it was not
|
Bumping the priority to P1. I suggest the following:
|
I think these two tasks can be done independently and only the first one requires a breaking change (#41135) |
https://dart-review.googlesource.com/c/sdk/+/140481 has landed, closing this issue. |
We should be able to choose security protocol as strong as possible.
At present, there is a line in the runtime file https://github.com/dart-lang/sdk/blob/master/runtime/bin/security_context.cc which sets the protocol to version TLS1.0.
(:825) SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); // cannot be changed from dart
Please add an option to choose the minimal protocol version from Dart SecurityContext.