1375837 - TLS 1.3 only server and SSL_REQUIRE_SAFE_NEGOTIATION

Status: RESOLVED FIXED

(NSS :: Libraries, defect)

Description

[Kai Engert [:KaiE:]]

Use a NSS server that is configured:
- to support TLS 1.3, only
- ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED
- ssl_defaults.requireSafeNegotiation = PR_TRUE

Use a TLS 1.3 enabled NSS client to connect to it.

Actual result:
- Server side fails with SSL_REQUIRE_SAFE_NEGOTIATION
- Client side fails with SSL_ERROR_NO_CYPHER_OVERLAP

Expected result:
If TLS 1.3 no longer supports renegotiation, maybe the server shouldn't fail, but use a backwards compatible behavior, that ignores the configuration?


This issue was originally reported at
  https://bugzilla.redhat.com/show_bug.cgi?id=1423401
against NSS 3.28.x


I was able to reproduce the issue with both NSS 3.28.x and NSS trunk (post 3.31), with the following configuration, using the NSS cert databases that were created by running the NSS test suite:

server side:

export NSS_SSL_REQUIRE_SAFE_NEGOTIATION=1
export NSS_SSL_ENABLE_RENEGOTIATION=1
cd tests_results/security/*/server
selfserv -v -D -p 9876 -d ../server -n localhost.localdomain -e localhost.localdomain-ecmixed -e localhost.localdomain-ec -S localhost.localdomain-dsa -w nss -r -V tls1.3:tls1.3 -H 1 -c :1301:1303

client side:

cd tests_results/security/*/client
tstclnt -p 9876 -h localhost.localdomain -f -d ../client -V tls1.3:tls1.3 -w nss -n none  < ../../../../nss/tests/ssl/sslreq.dat

Comment 1

[Kai Engert [:KaiE:]]

Eric, what's your opinion, does the suggestion make sense?

Comment 2

[Eric Rescorla (:ekr)]

Yes, I think this is correct. Do you happen to know where it fails?

Comment 3

[Martin Thomson [:mt:]]

https://phabricator.services.mozilla.com/D18

Comment 4

[Martin Thomson [:mt:]]

https://hg.mozilla.org/projects/nss/rev/65d22612db0d887fa2b8d5bc6f612e1dfc9856e6