• binkps TLS 1.3, (was: Hub 4 Upgraded)

    From Oli@21:1/151 to Al on Mon Mar 2 18:35:34 2020
    Reply to a message from FSX_MYS

    On Mon, 2 Mar 2020 03:54:50 -0800
    "Al -> Oli" <0@106.4.21> wrote:

    Hello Oli,

    Good start, but there is room for much more coolness. Using
    obsoleted encryption is kind of uncool ;).

    Yep, there probably is. If we can get these mailers talking securely
    we can always settle on a good default way of doing it.

    Me and my fidonet uplink are using binkps with TLS 1.3 for
    quite some time now. Beat that! :-P

    This is the openssl command I use that you gave me a month or three
    ago for the node line..

    -pipe "openssl s_client -quiet -alpn binkp -connect *H:*I"

    Does that give you a TLS 1.3 session? Is that a good default?

    That depends on your openssl version and on whether the remote binkps server supports it. You can test it if you omit the -quiet parameter, like

    $ openssl s_client -alpn binkp -connect trmb.ca:24553

    (just use it on the command line)

    [...]
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    [...]

    It seems your TLS reverse proxy and/or your openssl version doesn't support TLS
    1.3. What software are you using / which Linux distro?

    There is also the -tls1_3 parameter, that enforces TLS 1.3 (if it is not available, the handshake fails)

    $ openssl s_client -alpn binkp -tls1_3 -connect trmb.ca:24553

    CONNECTED(00000003)
    1996050448:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1544:SSL alert number 70
    [...]

    (that is a cryptic error message)

    ---
    * Origin: REPLY (21:1/151)
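A small shell helper, added here and not from the thread, that wraps the s_client check described above and classifies its transcript: the negotiated TLS version, whether ALPN "binkp" was accepted, and the alert-70 refusal that -tls1_3 produces against a peer that only speaks TLS 1.2. The function names classify_tls and probe_binkps and the abridged transcripts are constructed for the example; the host and port are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: wrap the s_client probe used above and
# classify its transcript. Assumes a POSIX sh with openssl, sed and grep.

# Read an "openssl s_client" transcript on stdin, print
# "<negotiated protocol> <alpn status>" and return 0 only when the session is
# TLS 1.3 with ALPN "binkp" accepted (what a binkps TLS 1.3 link should show).
classify_tls() {
  out=$(cat)
  # "Protocol  : TLSv1.x" from the SSL-Session block (first block wins)
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  if printf '%s\n' "$out" | grep -q '^ *ALPN protocol: binkp'; then
    alpn=alpn-binkp
  else
    alpn=no-alpn          # s_client prints "No ALPN negotiated" in this case
  fi
  # TLS alert 70 = protocol_version: the peer refused the version we forced
  if printf '%s\n' "$out" | grep -q 'SSL alert number 70'; then
    proto=refused-protocol-version
  fi
  printf '%s %s\n' "${proto:-unknown}" "$alpn"
  if [ "$proto" = TLSv1.3 ] && [ "$alpn" = alpn-binkp ]; then return 0; fi
  return 1
}

# Live probe: host in $1, binkps port in $2 (24553 in the thread). -tls1_3
# forces TLS 1.3 so a TLS 1.2-only proxy fails loudly instead of downgrading.
# Usage: probe_binkps trmb.ca 24553
probe_binkps() {
  openssl s_client -alpn binkp -tls1_3 -connect "$1:$2" </dev/null 2>&1 \
    | classify_tls
}

# Constructed, abridged transcripts so the classifier can be exercised offline.
SAMPLE_TLS12='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2'
SAMPLE_TLS13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
ALPN protocol: binkp
SSL-Session:
    Protocol  : TLSv1.3'
SAMPLE_REFUSED='CONNECTED(00000003)
1996050448:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1544:SSL alert number 70'
```

The TLS 1.2 transcript above is what the thread shows for trmb.ca; the classifier flags it because the proxy neither reached TLS 1.3 nor honoured the binkp ALPN.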
  • From Oli@21:1/151 to Oli on Mon Mar 2 18:55:26 2020
    On Mon, 2 Mar 2020 18:35:34 +0100
    "Oli -> Al" <0@151.1.21> wrote:

    -pipe "openssl s_client -quiet -alpn binkp -connect *H:*I"

    Does that give you a TLS 1.3 session? Is that a good default?

    That depends on your openssl version and on whether the remote binkps server supports it. You can test it if you omit the -quiet parameter, like

    $ openssl s_client -alpn binkp -connect trmb.ca:24553

    (just use it on the command line)

    The -quiet parameter is needed in the binkd config.

    ---
    * Origin: REPLY (21:1/151)
  • From Al@21:4/106 to Oli on Tue Mar 3 01:59:32 2020
    Hello Oli,

    Me and my fidonet uplink are using binkps with TLS 1.3 for
    quite some time now. Beat that! :-P

    We're working on it.. :)

    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    [...]

    It seems your TLS reverse proxy and/or your openssl version doesn't support TLS 1.3. What software are you using / which Linux distro?

    Hmm.. This tls stuff is happening on my BBS linode running Debian 10.

    There is also the -tls1_3 parameter, that enforces TLS 1.3 (if it is
    not available, the handshake fails)

    $ openssl s_client -alpn binkp -tls1_3 -connect trmb.ca:24553

    CONNECTED(00000003)
    1996050448:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1544:SSL alert number 70
    [...]

    I suspect that it is failing at nginx. It might be that I can add options to nginx's config. What I have in there is likely a bare minimum.

    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From Oli@21:1/151 to Al on Tue Mar 3 11:44:22 2020
    On Tue, 3 Mar 2020 01:59:32 -0800
    "Al -> Oli" <0@106.4.21> wrote:

    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    [...]

    It seems your TLS reverse proxy and/or your openssl version
    doesn't support TLS 1.3. What software are you using / which
    Linux distro?

    Hmm.. This tls stuff is happening on my BBS linode running Debian 10.

    Interesting, I'm running Raspbian 10 and openssl (same version as in Debian 10)
    does support TLS 1.3 out of the box. I'm not using nginx for TLS, but I can test it later.

    There is also the -tls1_3 parameter, that enforces TLS 1.3 (if
    it is not available, the handshake fails)

    $ openssl s_client -alpn binkp -tls1_3 -connect trmb.ca:24553

    CONNECTED(00000003)
    1996050448:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1544:SSL alert number 70
    [...]

    I suspect that it is failing at nginx. It might be that I can add
    options to nginx's config. What I have in there is likely a bare
    minimum.

    Oh, I thought you were using something else. Maybe it is the config in nginx, or it is
    related to the cert (or both).

    https://ma.ttias.be/enable-tls-1-3-nginx/

    ---
    * Origin: (21:1/151)