[Bug 2019094] Re: [SRU] Focal: TLS 1.3 doesn't work on strict firewall/middlebox

Matthew Ruffell 2019094 at bugs.launchpad.net
Fri Jun 30 05:52:05 UTC 2023 

Hi Andreas,

I think we are getting a bit off track with discussing these
workarounds, and forgetting the real issue, which is that gnutls on
Focal is not RFC complaint for TLS 1.3, because it sends an empty
SessionID in ClientHello packets.

Workarounds are fine, up to a point. The user driving this change has
800 VMs that a configuration change to /etc/gnutls/config could resolve,
but they still have to make the change on 800 VMs, do their work on
landscape, and eventually when they move to a gnutls version that isn't
broken, remove the configuration change, if they even remember it is
still there.

In the several years between disabling TLS 1.3 and re-enabling TLS 1.3,
they are stuck on TLS 1.2, an older, more insecure protocol, when they
could be on TLS 1.3 instead.

For the moment this user just disabled TLS 1.3 in their apache site
config for landscape, and they are back to normal.

I know this is quite a niche bug, since it requires gnutls users to be
behind an aggressive middlebox that doesn't like empty SessionIDs in
ClientHello packets, so it limits the users that would be exposed to the
problem quite considerably, and comes with quite a high regression risk
if anything were to go wrong.

I think we should look at the technical problem at hand, and decide if
this is appropriate for SRU or if the risk of regression is too high and
reject it.

Thanks,
Matthew

** Changed in: gnutls28 (Ubuntu Focal)
     Assignee: gerald.yang (gerald-yang-tw) => Matthew Ruffell (mruffell)

** Changed in: gnutls28 (Ubuntu Focal)
       Status: Incomplete => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/2019094

Title:
  [SRU] Focal: TLS 1.3 doesn't work on strict firewall/middlebox

Status in gnutls28 package in Ubuntu:
  Invalid
Status in gnutls28 source package in Focal:
  In Progress

Bug description:
  [ Impact ]

   * On Focal, the TLS 1.3 handshake might fail on strict
     (or misbehaving) proprietary firewall/middlebox that
     requires a non-empty Session ID (as TLS 1.2) per RFC.

   * The RFC specifies the ClientHello should always have
     a non-empty session ID, but this _is_ empty in Focal.

   * RFC 8446, Appendix D.4. Middlebox Compatibility Mode [1]
     """
     ... a significant number of middleboxes misbehave
     when a TLS client/server pair negotiates TLS 1.3.
     ... handshake look more like a TLS 1.2 handshake:

     -  The client always provides a non-empty session ID
        in the ClientHello, ...
     """

   * Reverse build dependencies that link against the
     static libraries in libgnutls28-dev
     would need No-Change Rebuilds to pick up this fix.
     (see `reverse-depends -b -r focal libgnutls28-dev`)

     However, none were found (details in comment #8).

  [ Test Plan ]

   * Check whether TLS 1.3 handshake has `Session ID:`

     - Focal (no):
        $ gnutls-cli --priority NORMAL:-VERS-ALL:+VERS-TLS1.3 ubuntu.com </dev/null
        ...
        - Description: (TLS1.3-X.509)-...
        - Options:
        - Handshake was completed
        ...

     - Jammy (yes):
        $ gnutls-cli --priority NORMAL:-VERS-ALL:+VERS-TLS1.3 ubuntu.com </dev/null
        ...
        - Description: (TLS1.3-X.509)-...
        - Session ID: CB:7D:DF:...
        - Options:
        - Handshake was completed
        ...

   * Check tests run at build time (`Testsuite summary for GnuTLS`).

     Tests passed per the build log from PPA with test packages:

        ===================================
        Testsuite summary for GnuTLS 3.6.13
        ===================================

   * Check autopkgtests from gnutls28 against PPA/SRU [4,6].

     Tests passed against PPA with test packages:

        autopkgtest [12:40:02]: @@@@@@@@@@@@@@@@@@@@ summary
        run-upstream-testsuite PASS

   * Check autopkgtests from reverse test triggers against PPA/SRU
     (see comment #12).

        $ reverse-depends -b -r focal src:gnutls28
        Reverse-Testsuite-Triggers
        * ...

   * (Internal) Verify the original reporter's proprietary
     firewall/middlebox now works with TLS 1.3 from GnuTLS.

  There is a test package available in the following ppa:

  https://launchpad.net/~mruffell/+archive/ubuntu/sf359157-test

  If you install the test package, the session ID is set
  correctly.

  [ Regression Potential ]

   * TLS 1.3 handshake now includes non-empty Session ID
     in ClientHello, so there's a behavior change in the
     Client side-only, but it does affect how particular
     Servers handle the client, depending on Session ID.

   * Thus, theoretically, if issues were to occur, that
     likely would manifest as client connection errors
     with TLS 1.3 (failures would be realized early and
     fast), and a workaround available is using TLS 1.2.

   * Even though changes to TLS handshake understandably
     may be scary (considering the impact of regressions),
     the proposed change is specified by the RFC (and is
     there to help w/ wider compatibility) and is already
     implemented in later versions (3.7.1 in Hirsute [5]).

  [ Other Info ]

   * Bionic is not impacted (TLS 1.2 only)
   * Jammy and later already fixed (TLS 1.3 on GnuTLS 3.7+)

  The fixes required are:

  commit e0bb98e1f71f94691f600839ff748d3a9f469d3e
  Author: Norbert Pocs <npocs at redhat.com>
  Date:   Fri Oct 30 17:18:30 2020 +0100
  Subject: Fix non-empty session id (TLS13_APPENDIX_D4)
  Link: https://gitlab.com/gnutls/gnutls/-/commit/e0bb98e1f71f94691f600839ff748d3a9f469d3e

  commit 5416fdc259d8df9b797d249f3e5d58789b2e2cf9
  Author: Daiki Ueno <ueno at gnu.org>
  Date:   Wed Feb 3 15:50:08 2021 +0100
  Subject: gnutls_session_is_resumed: don't check session ID in TLS 1.3
  Link: https://gitlab.com/gnutls/gnutls/-/commit/5416fdc259d8df9b797d249f3e5d58789b2e2cf9

  commit 05ee0d49fe93d8812ef220c7b830c4b3553ac4fd
  Author: Daiki Ueno <ueno at gnu.org>
  Date:   Sun Jan 24 07:34:24 2021 +0100
  Subject: handshake: TLS 1.3: don't generate session ID in resumption mode
  Link: https://gitlab.com/gnutls/gnutls/-/commit/05ee0d49fe93d8812ef220c7b830c4b3553ac4fd

  commit 24c9a24640c137b47bb1e8cc5fee2315f57219ad
  Author: Daiki Ueno <ueno at gnu.org>
  Date: Thu, 22 Apr 2021 16:42:01 +0200
  Subject: handshake: don't regenerate legacy_session_id in second CH after HRR
  Link: https://gitlab.com/gnutls/gnutls/-/commit/24c9a24640c137b47bb1e8cc5fee2315f57219ad

  [ Links ]

  [1] https://www.rfc-editor.org/rfc/rfc8446#appendix-D.4
  [4] https://autopkgtest.ubuntu.com/packages/g/gnutls28
  [5] https://launchpad.net/ubuntu/+source/gnutls28/3.7.1-3ubuntu1
  [6] https://autopkgtest.ubuntu.com/results/autopkgtest-focal-mruffell-sf359157-test/focal/amd64/g/gnutls28/20230524_124015_b6884@/log.gz

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/2019094/+subscriptions

More information about the foundations-bugs mailing list