Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Any chance of configuring rustls to support Windows 7 supported Cipher Suites #137

Open
z3ndrag0n opened this issue Jun 4, 2024 · 4 comments
Open

Any chance of configuring rustls to support Windows 7 supported Cipher Suites #137

z3ndrag0n opened this issue Jun 4, 2024 · 4 comments

Comments

@z3ndrag0n
Copy link

Windows 7 does support TLS 1.2 however the only cipher suites supported are the following (which means the TLS 1.2 handshake fails) is there any way to support additional cipher suites in rustls (or use native-tls) for openwec?
image
@vruello
Copy link
Contributor

vruello commented Jun 4, 2024

Hi!

I'm not an expert on this subject.

Did you try to follow the instructions written in the documentation about TLS? There is a script example to generate certificates that should be compatible with old versions of Windows (especially Windows 7), using TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suites.

The cipher suites you listed seem very incomplete to me, even for Windows 7 (see TLS Cipher Suites in Windows 7). Maybe you are missing some KB?

@z3ndrag0n
Copy link
Author

You're 100% right - with the appropriate patch(es) for TLS 1.2 on Windows 7 I do indeed get a Server Hello with an agreed cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, and a certificate request, however Windows 7 immediately tears down the connection. I'll go hunting.

@z3ndrag0n
Copy link
Author

z3ndrag0n commented Jun 11, 2024
edited
Loading

Ok so what seems to happen is that Windows 7 does not present its certificate (the response to the Certificate request is 187 bytes) and the Server then tears down the connection with a Fatal Alert Certificate Required. (And OpenWEC agrees: its corresponding syslog entry is "Jun 11 09:33:16 debian-12-lc openwecd[22803]: 2024-06-11T09:33:16.820272364+00:00 WARN server - Error while establishing a connection: TlsAcceptError { error: Custom { kind: InvalidData, error: NoCertificatesPresented }, peer_addr: 192.168.186.130:49337 }"

@vruello
Copy link
Contributor

vruello commented Jun 13, 2024

Hi! You should make sure that the client is configured correctly , especially that the Network Service account (or the WinRM service account) is allowed to retrieve the private key of the client's authentication certificate.

You should also check Windows Events from Eventlog-ForwardingPlugin (Operational) and Windows Remote Management (Analytics, needs to be enabled in the View drop-down).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vruello @z3ndrag0n