If TLS server has no signature algorithm overlap with the client hello list, the NSS server sends an incorrect TLS alert

RESOLVED FIXED in 3.36

Status

defect
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: hkario, Assigned: kaie)

Tracking

(Blocks 1 bug)

Version: 3.33
Target Milestone: 3.36

Firefox Tracking Flags

(Not tracked)

Attachments

(1 attachment)

When the signature_algorithms extension in the Client Hello includes only values that NSS does not recognise, the NSS server responds with a decode_error alert instead of a handshake_failure alert.


RFC 5246:
   decode_error
      A message could not be decoded because some field was out of the
      specified range or the length of the message was incorrect.  This
      message is always fatal and should never be observed in
      communication between proper implementations (except when messages
      were corrupted in the network).


   handshake_failure
      Reception of a handshake_failure alert message indicates that the
      sender was unable to negotiate an acceptable set of security
      parameters given the options available.  This is a fatal error.



Reproducer:
# fetch tlsfuzzer and its two pure-Python dependencies (python-ecdsa, tlslite-ng)
git clone https://github.com/tomato42/tlsfuzzer.git
pushd tlsfuzzer
git clone https://github.com/warner/python-ecdsa .python-ecdsa
ln -s .python-ecdsa/ecdsa ecdsa
git clone https://github.com/tomato42/tlslite-ng.git .tlslite-ng
pushd .tlslite-ng
popd
ln -s .tlslite-ng/tlslite tlslite
popd
# self-signed RSA certificate for the server, imported into a fresh NSS database
openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -nodes -batch -subj /CN=localhost
openssl pkcs12 -export -passout pass:  -out localhost.p12 -inkey localhost.key -in localhost.crt
mkdir nssdb
certutil -N -d sql:nssdb --empty-password
pk12util -i localhost.p12 -d sql:nssdb -W ''
# NSS test server on port 4433, TLS 1.0 and up
selfserv -n localhost -p 4433 -d sql:./nssdb -V tls1.0: -H 1 -U 0 -G

# in another terminal, same directory; run only the test case that sends undefined sigalgs
PYTHONPATH=tlsfuzzer python tlsfuzzer/scripts/test-sig-algs.py 'only undefined sigalgs'


Result:

...
    raise AssertionError(problem_desc)
AssertionError: Expected alert description "handshake_failure" does not match received "decode_error"

Additional info:

This is a regression compared to 3.28.
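The distinction the report turns on is between a malformed extension (the message cannot be decoded, so decode_error) and a well-formed extension that simply offers nothing the server can use (negotiation fails, so handshake_failure). The following is an added model of a TLS 1.2 server's handling of signature_algorithms, written for this page; it is not NSS code and does not reproduce the NSS bug. The server's supported list (SERVER_SIGALGS), the function names and the test vectors are all constructed assumptions. It goes slightly beyond the reported case by also showing the inputs that genuinely deserve decode_error.

```python
"""
Model of a TLS 1.2 server's handling of the signature_algorithms extension
(RFC 5246 section 7.4.1.4.1) and of which alert applies when.
Added example for this bug page; not NSS code.
"""
import struct

# AlertDescription values from RFC 5246 section 7.2.2.
HANDSHAKE_FAILURE = 40
DECODE_ERROR = 50

# Assumed server policy (hypothetical): (HashAlgorithm, SignatureAlgorithm)
# pairs this server can sign with, in the server's order of preference.
# sha256/rsa, sha384/rsa, sha512/rsa, sha256/ecdsa
SERVER_SIGALGS = [(4, 1), (5, 1), (6, 1), (4, 3)]


class TLSAlert(Exception):
    """Fatal alert the server would send in response to the Client Hello."""

    def __init__(self, description, reason):
        super().__init__(f"alert {description}: {reason}")
        self.description = description
        self.reason = reason


def parse_signature_algorithms(ext_body):
    """Decode extension_data: uint16 length, then length/2 (hash, sig) byte pairs.

    RFC 5246 declares supported_signature_algorithms<2..2^16-2>, so the list
    must be non-empty and an even number of bytes. Only a structural problem
    is a decode_error: the bytes do not form a valid message.
    """
    if len(ext_body) < 2:
        raise TLSAlert(DECODE_ERROR, "extension shorter than its length field")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    if list_len < 2 or list_len % 2 != 0:
        raise TLSAlert(DECODE_ERROR, "list length not a positive even number")
    if 2 + list_len != len(ext_body):
        raise TLSAlert(DECODE_ERROR, "length field does not match extension size")
    body = ext_body[2:]
    return [(body[i], body[i + 1]) for i in range(0, list_len, 2)]


def select_signature_algorithm(ext_body, server_sigalgs=SERVER_SIGALGS):
    """Pick the first server-preferred pair that the client offered.

    Unknown code points are legal on the wire: the registries are extensible
    and a server must tolerate values it does not implement. A well-formed
    list with no overlap is therefore a negotiation failure, handshake_failure,
    never decode_error.
    """
    offered = parse_signature_algorithms(ext_body)
    for pair in server_sigalgs:
        if pair in offered:
            return pair
    raise TLSAlert(HANDSHAKE_FAILURE, "no signature algorithm overlap")


def alert_for(ext_body):
    """Return ("ok", chosen_pair) or ("alert", description) for one extension body."""
    try:
        return ("ok", select_signature_algorithm(ext_body))
    except TLSAlert as e:
        return ("alert", e.description)


def encode_signature_algorithms(pairs):
    """Build a well-formed extension body from (hash, sig) pairs."""
    body = b"".join(bytes(p) for p in pairs)
    return struct.pack("!H", len(body)) + body


# Constructed inputs for this example (not captured from the reproducer above).
ONLY_UNDEFINED = encode_signature_algorithms([(0xEE, 0xEE), (0xFF, 0xFF)])  # valid, no overlap
WITH_OVERLAP = encode_signature_algorithms([(0xEE, 0xEE), (4, 3)])            # valid, sha256/ecdsa usable
TRUNCATED = encode_signature_algorithms([(4, 1)])[:-1]                        # length says 2 bytes, 1 present
ODD_LENGTH = struct.pack("!H", 3) + b"\x04\x01\x04"                           # 3 bytes cannot be pairs

if __name__ == "__main__":
    for name, body in [("only undefined", ONLY_UNDEFINED), ("with overlap", WITH_OVERLAP),
                       ("truncated", TRUNCATED), ("odd length", ODD_LENGTH)]:
        print(f"{name:15s} {body.hex():16s} -> {alert_for(body)}")
```

Running the block prints handshake_failure (40) for the "only undefined" case that tlsfuzzer sends, decode_error (50) for the two malformed bodies, and the selected pair for the overlapping case. The practical consequence of getting this wrong is diagnostic: a client seeing decode_error assumes corruption or a parser bug, while handshake_failure tells it that its offered algorithms were the problem.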
Assignee: nobody → kaie
Target Milestone: --- → 3.36
Comment on attachment 8942888
Summary: RFC violation in handling Signature Algorithms extension

Martin Thomson [:mt:] has approved the revision.

https://phabricator.services.mozilla.com/D397#9749
Attachment #8942888 - Flags: review+
Summary: RFC violation in handling Signature Algorithms extension → If TLS server has no signature algorithm overlap with the client hello list, the NSS server sends an incorrect TLS alert
https://hg.mozilla.org/projects/nss/rev/010767c7c339
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Blocks: 1431387