Closed Bug 1481275 Opened 2 years ago Closed 2 years ago

NSS server asks for client certificate when resuming TLS 1.3 session

Categories

(NSS :: Test, defect)

3.38
defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: hkario, Assigned: ueno)

Details

Attachments

(3 files)

NSS 3.28.0

When the selfserv is configured to ask for client certificates:

selfserv -d sql:./nssdb/ -p 4433 -c :1302 -H 1 -rr -V tls1.3:tls1.3 -I P256 -u -n rsa-server

it will ask for them also during session resumption, since session resumption is implemented using PSK key exchange, and in-handshake authentication is forbidden then, this is a protocol violation.

to reproduce, run openssl to establish session:
openssl s_client -sess_out sess.pem -CAfile ca/cert.pem -key rsa-client/key.pem -cert rsa-client/cert.pem -connect localhost:4433 -keylogfile openssl_keylog.txt -ciphersuites TLS_AES_256_GCM_SHA384 -groups P-256

then to resume it:
openssl s_client -sess_in sess.pem -CAfile ca/cert.pem -connect localhost:4433 -keylogfile openssl_keylog.txt -key rsa-client/key.pem -cert rsa-client/cert.pem -ciphersuites TLS_AES_256_GCM_SHA384 -groups P-256

connection will fail with a:
140462239434560:error:141A10F4:SSL routines:ossl_statem_client_read_transition:unexpected message:ssl/statem/statem_clnt.c:395:


Side note: the selfserv complains about 
SSL received a record with an incorrect Message Authentication Code.
as the alert is sent in plaintext, but that's a separate bug.
Attached file capture.pcap
packet capture of the session being established, and then two resumption attempts of it.
Attached file openssl_keylog.txt
decryption keys for attachment 8997981 [details]
I did run the test with strsclnt too and it fails:

strsclnt -c 10 -P 20 -p 4433 -C :1302 -d sql:./nssdb-cl/ -n rsa-client -V tls1.3:tls1.3 localhost


strsclnt: -- SSL: Server Certificate Validated.
strsclnt: 0 cache hits; 0 cache misses, 0 cache not reusable
          0 stateless resumes
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: PR_Send returned error -12242, OS error 0: SSL received an unexpected Certificate Request handshake message.
strsclnt: PR_Send returned error -12242, OS error 0: SSL received an unexpected Certificate Request handshake message.
strsclnt: PR_Send returned error -12242, OS error 0: SSL received an unexpected Certificate Request handshake message.
strsclnt: PR_Send returned error -12242, OS error 0: SSL received an unexpected Certificate Request handshake message.
strsclnt: PR_Send returned error -12242, OS error 0: SSL received an unexpected Certificate Request handshake message.
strsclnt: PR_Send returned error -12242, OS error 0: SSL received an unexpected Certificate Request handshake message.
strsclnt: PR_Send returned error -12242, OS error 0: SSL received an unexpected Certificate Request handshake message.
strsclnt: 7 cache hits; 0 cache misses, 0 cache not reusable
          7 stateless resumes


so it looks like the issue is in the server state machine


also: I made a typo in the the Description, I means 3.38.0, not 28
Nice catch. Marking security, just to be sure.
Group: crypto-core-security
MT, I don't think there is actually a security issue here, I was just being careful. Assuming you agree, feel free to unhide.
I agree.  Correctness, yes.  Security, no.
Comment on attachment 9001308 [details]
Bug 1481275, don't send certificate request when resuming with PSK

Martin Thomson [:mt:] has approved the revision.
Attachment #9001308 - Flags: review+
I can't clear the security flag, but that can happen any time.  Feel free to land this as you like.  Note that Kai is closing 3.39 for fixes today.
Assignee: nobody → dueno
Target Milestone: --- → 3.39
Group: crypto-core-security
Pushed as:
https://hg.mozilla.org/projects/nss/rev/bbf9ca0f57ea
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.