Closed Bug 1136095 Opened 10 years ago Closed 9 years ago

RX_MALFORMED_SERVER_KEY_EXCH with RSA_EXPORT_WITH_DES_CBC_SHA or *_RC4_56_SHA, when using 2048 server key and TLS 1.2

Categories

(NSS :: Libraries, defect)

3.18
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: KaiE, Unassigned)

After landing bug 1129573 our automated tests report a new failure. The following combination of parameters results in SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH reported by the NSS client:
- RSA server certificate with key size 2048
- cipher RSA_EXPORT_WITH_DES_CBC_SHA (-c l) or cipher RSA_EXPORT_WITH_RC4_56_SHA (-c m)
- TLS 1.2

Changing ANY (at least one) of the above parameters works:
- Using server key size 1024 works (using certificate data from an older test run)
- Using TLS 1.1 or older works
- All other ciphers work

Either the mentioned combination of parameters should work, or, if the combination is invalid, NSS should refuse to use it, instead of sending a broken server key exchange message. I think the patch that triggered these failures shouldn't be seen as a regression, and I'd prefer to keep the patch. Rather, we should address these failures. I've temporarily disabled the affected tests: https://hg.mozilla.org/projects/nss/rev/ae0710a52477
Use the correct syntax to disable the tests (and avoid failures caused by empty lines): https://hg.mozilla.org/projects/nss/rev/807b7ed8e175
The symbolic names of those ciphers are
> TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */
> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */
[1].

The code points are
> #define TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x0062
> #define TLS_RSA_EXPORT1024_WITH_RC4_56_SHA 0x0064
[2].

* Those cipher suites intentionally restrict the key size to 1024-bit because of the US export restriction.
* Although those cipher suites have never been officially registered to IANA registry [3], TLS 1.1+ does not allow export cipher suites anymore [4].

So I don't think it is a valid combination. (I don't know why EXPORT1024 + TLS 1.1 "works".)

[1] https://mxr.mozilla.org/nss/source/cmd/selfserv/selfserv.c?rev=ab3a00d03c39#119
[2] https://mxr.mozilla.org/nss/source/lib/ssl/sslproto.h?rev=970075886b70#187
[3] https://www.iana.org/assignments/tls-parameters/tls-parameters.txt "0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]"
[4] https://tools.ietf.org/html/rfc4346#appendix-A.5
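
Added example, not part of the bug comments and not NSS code: a check a test harness or monitor could run on a captured ServerHello to flag the combination the comment above calls invalid, one of the two EXPORT1024 code points selected together with TLS 1.1 or later. The function names, the verdict values and the 47-byte sample record are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Code points as quoted in the comment above (lib/ssl/sslproto.h). */
#define TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x0062
#define TLS_RSA_EXPORT1024_WITH_RC4_56_SHA  0x0064
#define TLS_VERSION_1_1 0x0302 /* wire value of TLS 1.1 */

/* Hypothetical verdict names, introduced for this example. */
enum { HELLO_MALFORMED = -1, HELLO_OK = 0, HELLO_EXPORT_ON_TLS11_PLUS = 1 };

/* Parse one TLS record carrying a ServerHello; flag an EXPORT1024 suite
 * selected together with TLS 1.1 or later. */
int check_server_hello(const uint8_t *rec, size_t len) {
    /* record hdr (5) + handshake hdr (4) + version (2) + random (32) + sid_len (1) */
    if (len < 44 || rec[0] != 0x16 || rec[5] != 0x02)
        return HELLO_MALFORMED;
    size_t rec_len = ((size_t)rec[3] << 8) | rec[4];
    size_t hs_len = ((size_t)rec[6] << 16) | ((size_t)rec[7] << 8) | rec[8];
    size_t sid_len = rec[43];
    if (rec_len + 5 > len || hs_len + 4 > rec_len || sid_len > 32 ||
        hs_len < 2 + 32 + 1 + sid_len + 2 + 1) /* ... + suite + compression */
        return HELLO_MALFORMED;
    uint16_t version = (uint16_t)((rec[9] << 8) | rec[10]);
    uint16_t suite = (uint16_t)((rec[44 + sid_len] << 8) | rec[45 + sid_len]);
    int is_export = suite == TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA ||
                    suite == TLS_RSA_EXPORT1024_WITH_RC4_56_SHA;
    return (version >= TLS_VERSION_1_1 && is_export) ? HELLO_EXPORT_ON_TLS11_PLUS
                                                     : HELLO_OK;
}

/* Constructed sample: minimal 47-byte ServerHello (zero random, empty session
 * id), of which only the first `len` bytes are handed to the checker. */
int verdict_for(uint16_t version, uint16_t suite, size_t len) {
    uint8_t rec[47] = {0};
    rec[0] = 0x16; rec[1] = (uint8_t)(version >> 8); rec[2] = (uint8_t)version;
    rec[4] = 42;   rec[5] = 0x02;                    rec[8] = 38;
    rec[9] = (uint8_t)(version >> 8);  rec[10] = (uint8_t)version;
    rec[44] = (uint8_t)(suite >> 8);   rec[45] = (uint8_t)suite;
    return check_server_hello(rec, len > sizeof rec ? sizeof rec : len);
}

int main(void) {
    printf("TLS 1.2 + 0x0062: %d\n", verdict_for(0x0303, 0x0062, 47));
    printf("TLS 1.0 + 0x0062: %d\n", verdict_for(0x0301, 0x0062, 47));
    printf("TLS 1.2 + 0x002f: %d\n", verdict_for(0x0303, 0x002f, 47));
    return 0;
}
```
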
We also have bustage on the memleak build/test machine; I've removed ciphers m and l until we can get this bug fixed: https://hg.mozilla.org/projects/nss/rev/66b2e2f83a84
"Fixed" by removing export ciphers in bug 1252849.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED