Closed Bug 1452549 Opened 2 years ago Closed 2 years ago

application_data before handshake completes terminates DTLS

Categories

(NSS :: Libraries, enhancement)

enhancement
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mt, Assigned: mt)

References

Details

Attachments

(1 file)

This manifests as an annoying intermittent error, such as:
https://queue.taskcluster.net/v1/task/fKr3A92TSUq8Tgb-3ATosw/runs/0/artifacts/public/logs/live_backing.log

Why it doesn't cause errors more often is that the length field that is being read is actually ciphertext, and most times that produces a value that exceeds the amount of data available, so we (correctly) identify it as junk and throw it away.  Only when the length is small enough do we see an error.  In the real world, failure rates would increase in proportion to the certificate size, up to the MTU.

What happens here is that if the application data arrives early, then the connection explodes.
I realize that I wasn't very clear here.  TLS 1.3 handshake messages appear to use the application_data content type, so if those handshake messages arrive too early, then NSS might think that they are valid application_data messages and process them with the NULL cipher, which tends to work.  That then triggers the explosion.
Duplicate of this bug: 1452868
Comment on attachment 8966118 [details]
Bug 1452549 - Discard application data that arrives before DTLS handshake completes, r?ekr

Eric Rescorla (:ekr) has approved the revision.

https://phabricator.services.mozilla.com/D879
Attachment #8966118 - Flags: review+
https://hg.mozilla.org/projects/nss/rev/350b7210e90758de454feb4339379ef7f6b9b470
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.38
Duplicate of this bug: 1459889
Duplicate of this bug: 1467065
You need to log in before you can comment on or make changes to this bug.