[Bug 2019094] Re: [SRU] Focal: TLS 1.3 doesn't work on strict firewall/middlebox

Mauricio Faria de Oliveira 2019094 at bugs.launchpad.net
Fri Jun 2 15:35:53 UTC 2023 

Hi Andreas,

Yes, I tried priority strings after blocklist/disabled-version.

I verified both were correct/working with gnutls-cli, however,
neither worked for the particular application (landscape-config).

I looked into why and found that libcurl sets its own priority
string based on the CURLOPT_SSLVERSION option (CURL_SSLVERSION_*
and CURL_SSLVERSION_MAX_*) [1], after reading the gnutls config
file (which is ignored).

So, the client-side workaround (Matthew mentioned the server-side
workaround we provided) is application specific; in this case, on
the landscape client:

@ /usr/lib/python3/dist-packages/landscape/client/broker/transport.py

     def _curl(self, payload, computer_id, exchange_token, message_api):
     ...
         curl = pycurl.Curl()
+        curl.setopt(pycurl.SSLVERSION, pycurl.SSLVERSION_TLSv1_0 | pycurl.SSLVERSION_MAX_TLSv1_2)
         return (curl, fetch(self._url, post=True, data=payload,
                             headers=headers, cainfo=self._pubkey, curl=curl))

...

So, a possible path forward is (which does not fix the issue
in gnutls regarding the non-RFC/empty session ID on TLS 1.3):

To address the fact that libcurl ignores /etc/gnutls/config,
and provide an opt-in mechanism (so not to break/regress any
existing applications that may rely on that behavior) not to
use the direct assignement.

e.g., an environment variable similar to the docs in [8].

However, I wonder whether that'd be seen a 'Debug variable'
("should never be true for a library used in production"),
and thus not applicable to these support cases, with the
argument that, in production, an application should set
SSL versions properly (reasonable, but unfortunately 
requires exposure/consumption of SSL details, not ideal).

cheers,
Mauricio

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/2019094

Title:
  [SRU] Focal: TLS 1.3 doesn't work on strict firewall/middlebox

Status in gnutls28 package in Ubuntu:
  Invalid
Status in gnutls28 source package in Focal:
  In Progress

Bug description:
  [ Impact ]

   * On Focal, the TLS 1.3 handshake might fail on strict
     (or misbehaving) proprietary firewall/middlebox that
     requires a non-empty Session ID (as TLS 1.2) per RFC.

   * The RFC specifies the ClientHello should always have
     a non-empty session ID, but this _is_ empty in Focal.

   * RFC 8446, Appendix D.4. Middlebox Compatibility Mode [1]
     """
     ... a significant number of middleboxes misbehave
     when a TLS client/server pair negotiates TLS 1.3.
     ... handshake look more like a TLS 1.2 handshake:

     -  The client always provides a non-empty session ID
        in the ClientHello, ...
     """

   * Reverse build dependencies that link against the
     static libraries in libgnutls28-dev
     would need No-Change Rebuilds to pick up this fix.
     (see `reverse-depends -b -r focal libgnutls28-dev`)

     However, none were found (details in comment #8).

  [ Test Plan ]

   * Check whether TLS 1.3 handshake has `Session ID:`

     - Focal (no):
        $ gnutls-cli --priority NORMAL:-VERS-ALL:+VERS-TLS1.3 ubuntu.com </dev/null
        ...
        - Description: (TLS1.3-X.509)-...
        - Options:
        - Handshake was completed
        ...

     - Jammy (yes):
        $ gnutls-cli --priority NORMAL:-VERS-ALL:+VERS-TLS1.3 ubuntu.com </dev/null
        ...
        - Description: (TLS1.3-X.509)-...
        - Session ID: CB:7D:DF:...
        - Options:
        - Handshake was completed
        ...

   * Check tests run at build time (`Testsuite summary for GnuTLS`).

     Tests passed per the build log from PPA with test packages:

        ===================================
        Testsuite summary for GnuTLS 3.6.13
        ===================================

   * Check autopkgtests from gnutls28 against PPA/SRU [4,6].

     Tests passed against PPA with test packages:

        autopkgtest [12:40:02]: @@@@@@@@@@@@@@@@@@@@ summary
        run-upstream-testsuite PASS

   * Check autopkgtests from reverse test triggers against PPA/SRU
     (see comment #12).

        $ reverse-depends -b -r focal src:gnutls28
        Reverse-Testsuite-Triggers
        * ...

   * (Internal) Verify the original reporter's proprietary
     firewall/middlebox now works with TLS 1.3 from GnuTLS.

  There is a test package available in the following ppa:

  https://launchpad.net/~mruffell/+archive/ubuntu/sf359157-test

  If you install the test package, the session ID is set
  correctly.

  [ Regression Potential ]

   * TLS 1.3 handshake now includes non-empty Session ID
     in ClientHello, so there's a behavior change in the
     Client side-only, but it does affect how particular
     Servers handle the client, depending on Session ID.

   * Thus, theoretically, if issues were to occur, that
     likely would manifest as client connection errors
     with TLS 1.3 (failures would be realized early and
     fast), and a workaround available is using TLS 1.2.

   * Even though changes to TLS handshake understandably
     may be scary (considering the impact of regressions),
     the proposed change is specified by the RFC (and is
     there to help w/ wider compatibility) and is already
     implemented in later versions (3.7.1 in Hirsute [5]).

  [ Other Info ]

   * Bionic is not impacted (TLS 1.2 only)
   * Jammy and later already fixed (TLS 1.3 on GnuTLS 3.7+)

  The fixes required are:

  commit e0bb98e1f71f94691f600839ff748d3a9f469d3e
  Author: Norbert Pocs <npocs at redhat.com>
  Date:   Fri Oct 30 17:18:30 2020 +0100
  Subject: Fix non-empty session id (TLS13_APPENDIX_D4)
  Link: https://gitlab.com/gnutls/gnutls/-/commit/e0bb98e1f71f94691f600839ff748d3a9f469d3e

  commit 5416fdc259d8df9b797d249f3e5d58789b2e2cf9
  Author: Daiki Ueno <ueno at gnu.org>
  Date:   Wed Feb 3 15:50:08 2021 +0100
  Subject: gnutls_session_is_resumed: don't check session ID in TLS 1.3
  Link: https://gitlab.com/gnutls/gnutls/-/commit/5416fdc259d8df9b797d249f3e5d58789b2e2cf9

  commit 05ee0d49fe93d8812ef220c7b830c4b3553ac4fd
  Author: Daiki Ueno <ueno at gnu.org>
  Date:   Sun Jan 24 07:34:24 2021 +0100
  Subject: handshake: TLS 1.3: don't generate session ID in resumption mode
  Link: https://gitlab.com/gnutls/gnutls/-/commit/05ee0d49fe93d8812ef220c7b830c4b3553ac4fd

  commit 24c9a24640c137b47bb1e8cc5fee2315f57219ad
  Author: Daiki Ueno <ueno at gnu.org>
  Date: Thu, 22 Apr 2021 16:42:01 +0200
  Subject: handshake: don't regenerate legacy_session_id in second CH after HRR
  Link: https://gitlab.com/gnutls/gnutls/-/commit/24c9a24640c137b47bb1e8cc5fee2315f57219ad

  [ Links ]

  [1] https://www.rfc-editor.org/rfc/rfc8446#appendix-D.4
  [4] https://autopkgtest.ubuntu.com/packages/g/gnutls28
  [5] https://launchpad.net/ubuntu/+source/gnutls28/3.7.1-3ubuntu1
  [6] https://autopkgtest.ubuntu.com/results/autopkgtest-focal-mruffell-sf359157-test/focal/amd64/g/gnutls28/20230524_124015_b6884@/log.gz

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/2019094/+subscriptions

More information about the foundations-bugs mailing list