testssl/testssl.sh

[Feature request] Add QUIC / HTTP/3 handshake

Closed this issue · 1 comments

drwetter commented

Which version are you referring to
3.3 dev

Please check this repo whether this is a known feature request
nope

Describe your feature request (if it's a technical feature)
see subject

If your feature request otherwise is related to a usage problem, please describe it
-

Describe the solution you'd like
Roughly: A clientHello, probably implemented as bash socket, and proper parsing the serverHello and displaying the results.

See https://datatracker.ietf.org/doc/html/rfc9000, https://datatracker.ietf.org/doc/html/rfc9001 .

drwetter commented

We could start with an openssl implementation as since OpenSSL >=3.2.0 s_client supports that.

 ~  openssl s_client -quic -alpn h3 -connect google.com:443 </dev/null | strings
Connecting to 172.217.16.78
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WR2
verify return:1
depth=0 CN=*.google.com
verify return:1
DONE
CONNECTED(00000005)
Certificate chain
 0 s:CN=*.google.com
   i:C=US, O=Google Trust Services, CN=WR2
   a:PKEY: EC, (prime256v1); sigalg: sha256WithRSAEncryption
   v:NotBefore: May 12 08:42:58 2025 GMT; NotAfter: Aug  4 08:42:57 2025 GMT
 1 s:C=US, O=Google Trust Services, CN=WR2
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: RSA, 4096 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
Server certificate
-----BEGIN CERTIFICATE-----
MIIOLTCCDRWgAwIBAgIQZobwfnDX38IJTLhaNNbj2DANBgkqhkiG9w0BAQsFADA7
[..]
slelj2bECE+BZwgnXkqOK2WQCtRw4zRWuW9OQ088W4kF
-----END CERTIFICATE-----
subject=CN=*.google.com
issuer=C=US, O=Google Trust Services, CN=WR2
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
SSL handshake has read 0 bytes and written 0 bytes
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: QUICv1
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
ALPN protocol: h3
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID:
    Session-ID-ctx:
    Resumption PSK:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1749199876
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
ܪ��
�+V�
 ~ 