use branch master and feature/tlsv1.3 to scan the same ip+port, the results of secure_renegotiation and scts are different

[chushuai]

Use branch master and feature/tlsv1.3 to scan the same ip+port, The results of secure_renegotiation and scts are different

func TestTls(t *testing.T){
	tests := []string{ "138.201.124.182:10250"}
	for _, test := range tests {
		conn, err := Dial("tcp", test, &Config{
			InsecureSkipVerify: true,
		})
		data, _ := json.Marshal(conn.GetHandshakeLog())
		fmt.Println(string(data))
		if err != nil {
			fmt.Println("failed to connect: " + err.Error())
		}
	}

}

[mzpqnxow]

The tls1.3 branch includes tls1.3 support and also includes other enhancements- anything added to the upstream golang tls code since the (very old) tls implementation was lifted from upstream- at least 5 years ago

This includes (at least) early renegotiation handling. I'm not certain but I believe the portable ciphers profile is also exclusive to the tls1.3 branch for no particular reason aside from the fact that those interested in "better" tls support were using that branch

You can see part of this if you track the zcrypto portion of zmap/zgrab2#334

tl; dr; this is expected behavior as far as I know

[mzpqnxow]

Is this still an issue or can it be resolved?

I admit that only a year later, I've forgotten most of the details and I'm not sure I even understand my own response..

I do know that TLS1.3 has been satisfactory for me since zgrab2 started using it in master, so maybe there's nothing to do here?

🤞