ClientHello custom extension field

[guilef]

Hi, I would like to extract data from an custom extension field injected after the browser sent clienthello. The value is injected in our routers. Where is a good starting point to restore the packet integrity (HMAC, size)?

Thanks

[tomato42]

Since adding an extension will change the length of the extensions field and the length of the ClientHelllo, you need to recreate the changed ClientHello and then feed it into the HandshakeHashes object.
But at this point, why you just don't modify the the Client Hello from tlsfuzzer to include the extension in the first place?

Honestly, I'm not sure what you want to do: if you have a middle box that wants to change the CH message, then it needs to be a TLS endpoint, as that's the only way to calculate correct Finished message...

[guilef]

Since adding an extension will change the length of the extensions field and the length of the ClientHelllo, you need to recreate the changed ClientHello and then feed it into the HandshakeHashes object. But at this point, why you just don't modify the the Client Hello from tlsfuzzer to include the extension in the first place?

Honestly, I'm not sure what you want to do: if you have a middle box that wants to change the CH message, then it needs to be a TLS endpoint, as that's the only way to calculate correct Finished message...

Yes you are right, I have a middle box that append the custom CH field, adding an information that I want to extract on tlsliste-ng. The problem is that it raises a SSL_ERROR_BAD_MAC_ALERT during handshake.

Is there a way to disable MAC verification on tlslite-ng ?

[tomato42]

No, there isn't an API to do that.

[guilef]

Thanks @tomato42 for your help.

One more question, is it possible to plug an flask/uwsgi app on tlslite-ng? I'm trying to change tls.py to do it, with no success so far.

[tomato42]

no idea, never used flask or uwsgi, see into tlslite/integration for some examples of integrating tlslite-ng with other projects