1481275 - NSS server asks for client certificate when resuming TLS 1.3 session

Status: RESOLVED FIXED

(NSS :: Test, defect)

Description

[Hubert Kario]

NSS 3.28.0

When the selfserv is configured to ask for client certificates:

selfserv -d sql:./nssdb/ -p 4433 -c :1302 -H 1 -rr -V tls1.3:tls1.3 -I P256 -u -n rsa-server

it will ask for them also during session resumption, since session resumption is implemented using PSK key exchange, and in-handshake authentication is forbidden then, this is a protocol violation.

to reproduce, run openssl to establish session:
openssl s_client -sess_out sess.pem -CAfile ca/cert.pem -key rsa-client/key.pem -cert rsa-client/cert.pem -connect localhost:4433 -keylogfile openssl_keylog.txt -ciphersuites TLS_AES_256_GCM_SHA384 -groups P-256

then to resume it:
openssl s_client -sess_in sess.pem -CAfile ca/cert.pem -connect localhost:4433 -keylogfile openssl_keylog.txt -key rsa-client/key.pem -cert rsa-client/cert.pem -ciphersuites TLS_AES_256_GCM_SHA384 -groups P-256

connection will fail with a:
140462239434560:error:141A10F4:SSL routines:ossl_statem_client_read_transition:unexpected message:ssl/statem/statem_clnt.c:395:


Side note: the selfserv complains about 
SSL received a record with an incorrect Message Authentication Code.
as the alert is sent in plaintext, but that's a separate bug.

Comment 1

[Hubert Kario]

Attachment: capture.pcap

packet capture of the session being established, and then two resumption attempts of it.

Comment 2

[Hubert Kario]

Attachment: openssl_keylog.txt

decryption keys for attachment 8997981 [details]

Comment 3

[Hubert Kario]

I did run the test with strsclnt too and it fails:

strsclnt -c 10 -P 20 -p 4433 -C :1302 -d sql:./nssdb-cl/ -n rsa-client -V tls1.3:tls1.3 localhost


strsclnt: -- SSL: Server Certificate Validated.
strsclnt: 0 cache hits; 0 cache misses, 0 cache not reusable
          0 stateless resumes
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: PR_Send returned error -12242, OS error 0: SSL received an unexpected Certificate Request handshake message.
strsclnt: PR_Send returned error -12242, OS error 0: SSL received an unexpected Certificate Request handshake message.
strsclnt: PR_Send returned error -12242, OS error 0: SSL received an unexpected Certificate Request handshake message.
strsclnt: PR_Send returned error -12242, OS error 0: SSL received an unexpected Certificate Request handshake message.
strsclnt: PR_Send returned error -12242, OS error 0: SSL received an unexpected Certificate Request handshake message.
strsclnt: PR_Send returned error -12242, OS error 0: SSL received an unexpected Certificate Request handshake message.
strsclnt: PR_Send returned error -12242, OS error 0: SSL received an unexpected Certificate Request handshake message.
strsclnt: 7 cache hits; 0 cache misses, 0 cache not reusable
          7 stateless resumes


so it looks like the issue is in the server state machine


also: I made a typo in the the Description, I means 3.38.0, not 28

Comment 4

[Daiki Ueno [:ueno]]

Attachment: Bug 1481275, don't send certificate request when resuming with PSK

Comment 5

[Eric Rescorla (:ekr)]

Nice catch. Marking security, just to be sure.

Comment 6

[Eric Rescorla (:ekr)]

MT, I don't think there is actually a security issue here, I was just being careful. Assuming you agree, feel free to unhide.

Comment 7

[Martin Thomson [:mt:]]

I agree.  Correctness, yes.  Security, no.

Comment 8

[Martin Thomson [:mt:]]

Comment on attachment 9001308 [details]
Bug 1481275, don't send certificate request when resuming with PSK

Martin Thomson [:mt:] has approved the revision.

Comment 9

[Martin Thomson [:mt:]]

I can't clear the security flag, but that can happen any time.  Feel free to land this as you like.  Note that Kai is closing 3.39 for fixes today.

Comment 10

[Daiki Ueno [:ueno]]

Pushed as:
https://hg.mozilla.org/projects/nss/rev/bbf9ca0f57ea