Regression in TLS ClientHello Padding in Firefox 85.0 (vs 84.0.2)
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
People
(Reporter: jefferson, Assigned: kjacobs)
Details
Attachments
(1 file)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0
Steps to reproduce:
Access specific website(s) over https.
Actual results:
The page times out with Firefox 85.
Looking at a packet capture, Firefox 85 is sending a TLS Client Hello that's 508 bytes long. There is a known issue with older versions of F5 and TLS ClientHellos with lengths between 256 and 511 bytes (inclusive). The ssl_CalculatePaddingExtLen function in https://searchfox.org/mozilla-central/source/security/nss/lib/ssl/ssl3ext.c has a section (currently lines 852-858) that says it's supposed to be padding the client hello to at least 512 bytes to work around this issue, but that doesn't seem to be working properly with Firefox 85.
See the following pages for reference:
- https://mailarchive.ietf.org/arch/msg/tls/8wXwhM1d5WSmROHFSgrTyFmWN2o/
- https://github.com/mirleft/ocaml-tls/issues/4
Expected results:
The page should have loaded. Rolling back to Firefox 84.0.2 the ClientHello that is generated is padded to 512 bytes long. At that point it's long enough to work around the F5 bug and things work as expected.
Packet captures can be supplied if needed.
Comment 1•4 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Updated•4 years ago
Assignee
Comment 2•4 years ago
Thanks for the report, I can confirm. The comment on ssl_CalculatePaddingExtLen indicates that it takes the CH length "less the record header" when it actually expects the CH length less the record AND handshake header.
That said: there has been discussion and a suggestion that we no longer send this extension at all, under the belief that no affected F5 devices exist on the public internet anymore. Is this a publicly accessible website?
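As an added illustration (not code from NSS or from this bug), the arithmetic behind the report and Comment 2: padding in the style of RFC 7685 pushes a ClientHello whose handshake message falls in the 256..511 byte range up to 512 bytes, and a caller that passes a length already including the 4-byte handshake header (the "less the record header" reading) makes the function count that header twice and undershoot by exactly 4 bytes, which is how a 508-byte ClientHello comes out. The header sizes are TLS constants; the 300-byte body length is a constructed sample, and the function names are this example's own.

```c
/* Added example, not NSS code: RFC 7685 ClientHello padding arithmetic
 * and the header-accounting mistake described in the report.
 * Lengths are in bytes. "body" is the ClientHello handshake body, i.e.
 * everything after the 4-byte handshake header (msg_type + 24-bit length).
 * The 5-byte TLS record header is outside all lengths used here. */
#include <stdio.h>

#define HANDSHAKE_HDR_LEN 4u   /* msg_type(1) + length(3) */
#define PAD_FLOOR       256u   /* affected middleboxes choke from here ... */
#define PAD_TARGET      512u   /* ... up to (but not including) here */

/* Size of the padding extension (including its own 4-byte type+length
 * header) needed to bring the handshake message to at least PAD_TARGET
 * bytes, or 0 when no padding is needed. Input: ClientHello body length,
 * without the handshake header. */
static unsigned int padding_ext_len(unsigned int body_len)
{
    unsigned int handshake_len = HANDSHAKE_HDR_LEN + body_len;
    if (handshake_len < PAD_FLOOR || handshake_len >= PAD_TARGET)
        return 0;
    unsigned int ext_len = PAD_TARGET - handshake_len;
    /* An extension cannot be encoded in fewer than 4 bytes. */
    return ext_len < 4 ? 4 : ext_len;
}

/* Does a handshake message of this length land in the range the
 * affected devices mishandle (256..511 inclusive)? */
static int in_affected_range(unsigned int handshake_len)
{
    return handshake_len >= PAD_FLOOR && handshake_len < PAD_TARGET;
}

/* Length of the padded handshake message (header + body + padding
 * extension) when the caller passes the body length as intended. */
static unsigned int padded_len_correct(unsigned int body_len)
{
    return HANDSHAKE_HDR_LEN + body_len + padding_ext_len(body_len);
}

/* Same, but the caller follows the misleading comment and passes the
 * length "less the record header" only, i.e. handshake header + body.
 * The function adds the handshake header again and pads 4 bytes short. */
static unsigned int padded_len_buggy(unsigned int body_len)
{
    unsigned int passed = HANDSHAKE_HDR_LEN + body_len;  /* header counted twice */
    return HANDSHAKE_HDR_LEN + body_len + padding_ext_len(passed);
}

int main(void)
{
    unsigned int body_len = 300;  /* constructed: 304-byte ClientHello before padding */
    unsigned int ok = padded_len_correct(body_len);
    unsigned int bad = padded_len_buggy(body_len);
    printf("correct caller: %u bytes, in affected range: %d\n", ok, in_affected_range(ok));
    printf("buggy caller:   %u bytes, in affected range: %d\n", bad, in_affected_range(bad));
    return 0;
}
```

With a 300-byte body the correct path yields a 512-byte handshake message and the mis-accounted path 508 bytes, which is back inside the range the padding was meant to avoid; a quick check on a capture is therefore simply whether the ClientHello handshake length is still between 256 and 511 after the padding extension has been applied.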
Assignee
Comment 3•4 years ago
Reporter
Comment 4•4 years ago
This is a publicly-accessible website. I'm just a user of the site, not an administrator. As a result, I don't know there's a broken F5 in front of it. However, the symptoms seem to fit.
Assignee
Comment 5•4 years ago