I am trying to determine whether TLS_1_2 is supported version on a website or not i.e (portal.threatpulse.com,443)
from scapy_ssl_tls.ssl_tls import *
target = (portal.threatpulse.com,443)
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(target)
pkt = TLSRecord(version = 'TLS_1_2')/TLSHandshake()
/TLSClientHello(version = 'TLS_1_2')
sock.sendall(str(pkt))
resp_pkt = sock.recv(8192)
resp = SSL(resp_pkt)
resp.show()
It is giving me handshake failure even though this version is supported. this code is running correctly other than this
Since today's certificates usually have a SHA-256 signature the server requires that the client supports RSA/SHA-256 as signature/hash algorithms. But this combination is not included in the default set of the SignatureAndHashAlgorithm
TLS extension which is new with TLS 1.2. This default set includes only (SHA-1 with RSA, DSA or ECDSA. If a TLS 1.2 client supports more or different algorithms than the default it is required to include the SignatureAndHashAlgorithm
extension and explicitly announce support for this signature/hash pair. With the following code this specific site works for me, but for other sites you might need to extend this to include ECDSA too.
pkt = TLSRecord(version = 'TLS_1_2') / \
TLSHandshake() / \
TLSClientHello(
version = 'TLS_1_2',
extensions=[ TLSExtension() / \
TLSExtSignatureAndHashAlgorithm( algorithms = [
TLSSignatureHashAlgorithm(
hash_algorithm = TLSHashAlgorithm.SHA256,
signature_algorithm = TLSSignatureAlgorithm.RSA
)
])
]
)