Closed Bug 1375837 Opened 4 years ago Closed 4 years ago

TLS 1.3 only server and SSL_REQUIRE_SAFE_NEGOTIATION

Categories: NSS :: Libraries, defect
Version: 3.31
Type: defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: KaiE, Assigned: mt
Attachments: 1 file

Use an NSS server that is configured:
- to support TLS 1.3, only
- ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED
- ssl_defaults.requireSafeNegotiation = PR_TRUE

Use a TLS 1.3 enabled NSS client to connect to it.

Actual result:
- Server side fails with SSL_REQUIRE_SAFE_NEGOTIATION
- Client side fails with SSL_ERROR_NO_CYPHER_OVERLAP

Expected result:
If TLS 1.3 no longer supports renegotiation, maybe the server shouldn't fail, but use a backwards compatible behavior that ignores the configuration?


This issue was originally reported at https://bugzilla.redhat.com/show_bug.cgi?id=1423401 against NSS 3.28.x


I was able to reproduce the issue with both NSS 3.28.x and NSS trunk (post 3.31), with the following configuration, using the NSS cert databases that were created by running the NSS test suite:

server side:

export NSS_SSL_REQUIRE_SAFE_NEGOTIATION=1
export NSS_SSL_ENABLE_RENEGOTIATION=1
cd tests_results/security/*/server
selfserv -v -D -p 9876 -d ../server -n localhost.localdomain -e localhost.localdomain-ecmixed -e localhost.localdomain-ec -S localhost.localdomain-dsa -w nss -r -V tls1.3:tls1.3 -H 1 -c :1301:1303

client side:

cd tests_results/security/*/client
tstclnt -p 9876 -h localhost.localdomain -f -d ../client -V tls1.3:tls1.3 -w nss -n none < ../../../../nss/tests/ssl/sslreq.dat

Eric, what's your opinion, does the suggestion make sense?
Flags: needinfo?(ekr)
Yes, I think this is correct. Do you happen to know where it fails?
Flags: needinfo?(ekr)
https://phabricator.services.mozilla.com/D18
Assignee: ekr → martin.thomson
Target Milestone: --- → 3.33
Attachment #8904115 - Flags: review+
https://hg.mozilla.org/projects/nss/rev/65d22612db0d887fa2b8d5bc6f612e1dfc9856e6
Status: NEW → RESOLVED
Closed: 4 years ago
OS: Unspecified → All
Hardware: Unspecified → All
Resolution: --- → FIXED