[Bug 2019094] Re: [SRU] Focal: TLS 1.3 doesn't work on strict firewall/middlebox

Andreas Hasenack 2019094 at bugs.launchpad.net
Fri Jun 16 13:14:16 UTC 2023 

I just tried in focal.

Without /etc/gnutls/config, TLSv1.3 was negotiated:
$ openssl s_server -cert f.pem -key f.key                                                                                                            
Using default temp DH parameters                                               
ACCEPT                          
-----BEGIN SSL SESSION PARAMETERS-----
MH4CAQECAgMEBAITAgQgaefSlOuB20zQ0znU6Apt+yCpaVSmhkTbJA4RPVR+kIUE
MEEJK0OsBIrMg1NRwGT/PoNxqdiUn+Cv228d6GH5NvRevwwngagGQiestyjZBOop
EaEGAgRkjF+eogQCAhwgpAYEBAEAAACuBwIFAOmSWqE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128
-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA:AES128-GCM-SHA256:AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA
Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
Supported Elliptic Groups: P-256:P-384:P-521:X25519:X448:0x0100:0x0101:0x0102:0x0103:0x0104
Shared Elliptic groups: P-256:P-384:P-521:X25519:X448           
CIPHER is TLS_AES_256_GCM_SHA384                                               
Secure Renegotiation IS NOT supported
DONE                                                                                                                                                           
shutting down SSL                                                                                                                                              
CONNECTION CLOSED                                     

This used a TLSv1.3 cipher (TLS_AES_256_GCM_SHA384).

With /etc/gnutls/config like this, however:

$ cat /etc/gnutls/config
[overrides]
disabled-version = tls1.3

I got:
$ openssl s_server -cert f.pem -key f.key
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MHoCAQECAgMDBALAMAQgbpdAE3AXwEoMlvIIZStGqExsZ5TX4Q0/Xo9ivpq0cckE
MN1Bk61ZpD1IJymXrAyKsdMJj8YzyFjKoVtZ+CCGqK+GEF8YWuSF44AATT11r8Sn
FqEGAgRkjF/MogQCAhwgpAYEBAEAAACtAwIBAQ==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA:AES128-GCM-SHA256:AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA
Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
Supported Elliptic Curve Point Formats: uncompressed
Supported Elliptic Groups: P-256:P-384:P-521:X25519:X448:0x0100:0x0101:0x0102:0x0103:0x0104
Shared Elliptic groups: P-256:P-384:P-521:X25519:X448
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
DONE
shutting down SSL
CONNECTION CLOSED


Which is a TLSv1.2 cipher.

Can you confirm this behavior?

** Changed in: gnutls28 (Ubuntu Focal)
       Status: In Progress => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/2019094

Title:
  [SRU] Focal: TLS 1.3 doesn't work on strict firewall/middlebox

Status in gnutls28 package in Ubuntu:
  Invalid
Status in gnutls28 source package in Focal:
  Incomplete

Bug description:
  [ Impact ]

   * On Focal, the TLS 1.3 handshake might fail on strict
     (or misbehaving) proprietary firewall/middlebox that
     requires a non-empty Session ID (as TLS 1.2) per RFC.

   * The RFC specifies the ClientHello should always have
     a non-empty session ID, but this _is_ empty in Focal.

   * RFC 8446, Appendix D.4. Middlebox Compatibility Mode [1]
     """
     ... a significant number of middleboxes misbehave
     when a TLS client/server pair negotiates TLS 1.3.
     ... handshake look more like a TLS 1.2 handshake:

     -  The client always provides a non-empty session ID
        in the ClientHello, ...
     """

   * Reverse build dependencies that link against the
     static libraries in libgnutls28-dev
     would need No-Change Rebuilds to pick up this fix.
     (see `reverse-depends -b -r focal libgnutls28-dev`)

     However, none were found (details in comment #8).

  [ Test Plan ]

   * Check whether TLS 1.3 handshake has `Session ID:`

     - Focal (no):
        $ gnutls-cli --priority NORMAL:-VERS-ALL:+VERS-TLS1.3 ubuntu.com </dev/null
        ...
        - Description: (TLS1.3-X.509)-...
        - Options:
        - Handshake was completed
        ...

     - Jammy (yes):
        $ gnutls-cli --priority NORMAL:-VERS-ALL:+VERS-TLS1.3 ubuntu.com </dev/null
        ...
        - Description: (TLS1.3-X.509)-...
        - Session ID: CB:7D:DF:...
        - Options:
        - Handshake was completed
        ...

   * Check tests run at build time (`Testsuite summary for GnuTLS`).

     Tests passed per the build log from PPA with test packages:

        ===================================
        Testsuite summary for GnuTLS 3.6.13
        ===================================

   * Check autopkgtests from gnutls28 against PPA/SRU [4,6].

     Tests passed against PPA with test packages:

        autopkgtest [12:40:02]: @@@@@@@@@@@@@@@@@@@@ summary
        run-upstream-testsuite PASS

   * Check autopkgtests from reverse test triggers against PPA/SRU
     (see comment #12).

        $ reverse-depends -b -r focal src:gnutls28
        Reverse-Testsuite-Triggers
        * ...

   * (Internal) Verify the original reporter's proprietary
     firewall/middlebox now works with TLS 1.3 from GnuTLS.

  There is a test package available in the following ppa:

  https://launchpad.net/~mruffell/+archive/ubuntu/sf359157-test

  If you install the test package, the session ID is set
  correctly.

  [ Regression Potential ]

   * TLS 1.3 handshake now includes non-empty Session ID
     in ClientHello, so there's a behavior change in the
     Client side-only, but it does affect how particular
     Servers handle the client, depending on Session ID.

   * Thus, theoretically, if issues were to occur, that
     likely would manifest as client connection errors
     with TLS 1.3 (failures would be realized early and
     fast), and a workaround available is using TLS 1.2.

   * Even though changes to TLS handshake understandably
     may be scary (considering the impact of regressions),
     the proposed change is specified by the RFC (and is
     there to help w/ wider compatibility) and is already
     implemented in later versions (3.7.1 in Hirsute [5]).

  [ Other Info ]

   * Bionic is not impacted (TLS 1.2 only)
   * Jammy and later already fixed (TLS 1.3 on GnuTLS 3.7+)

  The fixes required are:

  commit e0bb98e1f71f94691f600839ff748d3a9f469d3e
  Author: Norbert Pocs <npocs at redhat.com>
  Date:   Fri Oct 30 17:18:30 2020 +0100
  Subject: Fix non-empty session id (TLS13_APPENDIX_D4)
  Link: https://gitlab.com/gnutls/gnutls/-/commit/e0bb98e1f71f94691f600839ff748d3a9f469d3e

  commit 5416fdc259d8df9b797d249f3e5d58789b2e2cf9
  Author: Daiki Ueno <ueno at gnu.org>
  Date:   Wed Feb 3 15:50:08 2021 +0100
  Subject: gnutls_session_is_resumed: don't check session ID in TLS 1.3
  Link: https://gitlab.com/gnutls/gnutls/-/commit/5416fdc259d8df9b797d249f3e5d58789b2e2cf9

  commit 05ee0d49fe93d8812ef220c7b830c4b3553ac4fd
  Author: Daiki Ueno <ueno at gnu.org>
  Date:   Sun Jan 24 07:34:24 2021 +0100
  Subject: handshake: TLS 1.3: don't generate session ID in resumption mode
  Link: https://gitlab.com/gnutls/gnutls/-/commit/05ee0d49fe93d8812ef220c7b830c4b3553ac4fd

  commit 24c9a24640c137b47bb1e8cc5fee2315f57219ad
  Author: Daiki Ueno <ueno at gnu.org>
  Date: Thu, 22 Apr 2021 16:42:01 +0200
  Subject: handshake: don't regenerate legacy_session_id in second CH after HRR
  Link: https://gitlab.com/gnutls/gnutls/-/commit/24c9a24640c137b47bb1e8cc5fee2315f57219ad

  [ Links ]

  [1] https://www.rfc-editor.org/rfc/rfc8446#appendix-D.4
  [4] https://autopkgtest.ubuntu.com/packages/g/gnutls28
  [5] https://launchpad.net/ubuntu/+source/gnutls28/3.7.1-3ubuntu1
  [6] https://autopkgtest.ubuntu.com/results/autopkgtest-focal-mruffell-sf359157-test/focal/amd64/g/gnutls28/20230524_124015_b6884@/log.gz

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/2019094/+subscriptions

More information about the foundations-bugs mailing list