Limited Cipher Suites

[espruino-discuss]

Posted at 2021-03-29 by akot

Hello!
I've noticed that when trying to establish an HTTPS connection to some web-sites I get the "Uncaught InternalError: Failed! mbedtls_ssl_handshake returned -0x7780" error. I compiled the lastest sources on Linux and after playing around with Wireshark, figured out that Espruino only supports a very limited list of Cipher Suites:
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

The web-site I'm trying to connect to [require('http').get('https://lichess.org')] doesn't support any of them:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)

I've tried to search the Espruino source code to find out where the list of Cipher Suites is being set, but had no success. Of course instead of directly accessing the web-site I could use a proxy, but I'd really like to include the above Cipher Suites in Espruino. Where in the source code should I be looking?

[espruino-discuss]

Posted at 2021-03-29 by Robin

Mon 2021.03.29

Hello @akot

While I'm not the resource you may need to solve encryption issues, I am able to at least point you towards a starting point.

I recognized the term SHA256 as an item that might encapsulate Http encryption and then did a simple Google search using the site keyword qualifier.

Google:   SHA256   site:https://github.com/espruino/Espruino/

The first response coincidentally pointed to the source that you may be after:

https://github.com/espruino/Espruino/blob/master/libs/crypto/jswrap_crypto.c#L27

Another method I used was to look over the Class Reference and found:

http://www.espruino.com/Reference#t_l_AES_decrypt

Noting the right facing arrow, just to the right of that heading is a clickable link that also takes one to the same code file.

Understanding and navigating will be up to you however. . . .

---

Posted at 2021-03-30 by akot

Hello @robin, thanks for your response.
I've spent some time researching the source code and found this file:
https://github.com/espruino/Espruino/blob/master/libs/crypto/mbedtls/library/ssl_ciphersuites.c
where ciphersuite_definitions array is being filled out depending on defined macros. In https://github.com/espruino/Espruino/blob/master/libs/crypto/mbedtls/config.h there's a MBEDTLS_CIPHER_MODE_CBC macro defined, which adds mentioned above Cipher Suites to ciphersuite_definitions . I've added macros MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED, MBEDTLS_DHM_C, MBEDTLS_GCM_C, and also added two lines:
libs/crypto/mbedtls/library/dhm.c
libs/crypto/mbedtls/library/gcm.c
in https://github.com/espruino/Espruino/blob/master/make/crypto/default.make

Now that's what I see at ClientHello:

        Cipher Suites (13 suites)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
            Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

and web-sites that require DHE RSA work.

---

Posted at 2021-04-06 by @gfwilliams

That's great - thanks for the update! I just saw the issue you filed and will continue on there: espruino/Espruino#1994