-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS 1.3 middlebox incompatibilities #6772
Comments
Hum ... you might be right that the current implementation could be too strict, we will look into it. The change was not viewed as behavior change as the change_cipher_spec is not expected unless middlebox_comp_mode is indicated by the client. |
I don't disagree that the server side change could be argued either way if it is a "bug" or not. |
I do not think we need to send |
…ange-cipher-spec/GH-6772/OTP-18433 ssl: Maximize compatibility
' * ingela/ssl/master/always-ignore-change-cipher-spec/GH-6772: ssl: Maximize compatibility ssl: Mitigate memory usage from large certificate chains
Always disregard one change_cipher_spec during handshake, even though middlebox mode is not used, to maximize compatibility. Closes #6772
…-18433' into maint-25 * ingela/ssl/always-ignore-change-cipher-spec/GH-6772/OTP-18433: ssl: Maximize compatibility
Thanks a lot @dotsimon and @IngelaAndin As you mentioned in the ticket:
Exactly! and I still can see the problem with OTP-24.3.4.4 clients. From Ingela's explanation I understood that the bug is in client, but not everybody can change/upgrade the client (product that uses 24.3.4.4 client is already released). In our case in order to upgrade we need to establish a TLS connection. And that is a big, big, big problem. Basically new erlang is still incompatible with previous version of erlang. Could you please suggest a workaround that can be implemented on the server to make it possible to accept connections from 24.3.4.4 clients? Setting server TLS version to 1.2 is not an option for us because we need support TLS 1.3. Setting TLS version to 1.3 only on the server does not help. Setting middlebox_comp_mode to false on the server doesn't help either. |
@timofey-barmin If you want to work around the bug you need to be able configure the clients, even if you can not upgrade them. I can see two thing that the clients can do that could help. You could make the clients not try to reuse TLS-1.2 sessions or make the clients support only one of the versions TLS-1.2 or TLS-1.3. As you said you can not disable middlebox_comp_mode on the server as it is the client behavior that mandates the middlebox compatible mode and the server has to adhere. |
@IngelaAndin
If you are absolutely sure you don't want to fix it in mainstream, could you please suggest a change for server that we can apply on our fork only? I guess this should be a pretty small change but still it would be a huge help. |
@timofey-barmin since the spec clearly states the client MUST ignore The code was something like this: diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl
index 176d659..32435e9 100644
--- a/lib/ssl/src/tls_handshake_1_3.erl
+++ b/lib/ssl/src/tls_handshake_1_3.erl
@@ -1204,7 +1204,8 @@ maybe_append_change_cipher_spec(#state{
session = #session{session_id = Id},
handshake_env =
#handshake_env{
- change_cipher_spec_sent = false} = HSEnv} = State, Bin) when Id =/= ?EMPTY_ID ->
+ change_cipher_spec_sent = false} = HSEnv} = State, Bin)
+ when Id =/= ?EMPTY_ID orelse (State#state.static_env)#static_env.role == server ->
CCSBin = create_change_cipher_spec(State),
{State#state{handshake_env =
HSEnv#handshake_env{change_cipher_spec_sent = true}}, My interpretation of the change in OTP (25.2 & 24.3.4.8) was that it did not improve security or conformance |
@dotsimon |
See erlang#6772 for more info
@dotsimon : just a word of thanks for your extremely valuable help with this issue. It is very much appreciated. |
@timofey-barmin We will think about adding the server workaround option suggested by @dotsimon as it seems it can cause such awkward interop issues once we finished some pressing OTP-26 work. |
See erlang#6772 for more info
See erlang#6772 for more info
See erlang#6772 for more info
See erlang#6772 for more info
There are two related bugs - one server side, one client side.
Describe the server bug
OTP 25.? changes the SSL server behaviour in deciding if/when to send
change_cipher_spec
The simplistic explanation of that being a client problem given in #6374 ignores the real world.
Although RFC 8446 D.4 describes a method for "partially negotiated" middlebox compatibility, it also states:
Furthermore, section 5 states an implementation receiving
change_cipher_spec
For this reason many servers send
change_cipher_spec
regardless - OTP 24 is an example, as is www.google.comThe bug is being too pedantic in interpreting D.4, introducing a breaking change for cases where the clients can't (easily) be changed.
Describe the client bug
OTP 25.2 and also 24.3.4.8 have the change introduced for #6241
The problem is that this change violates the handling of
change_cipher_spec
stated in section 5.A TLS 1.3 client MUST drop
change_cipher_spec
To Reproduce
Connect to an OTP 24 server or, you know, the internet in general
Expected behavior
middlebox_comp_mode
the client MUST ignorechange_cipher_spec
change_cipher_spec
whenmiddlebox_comp_mode := true
for greater compatibility.In any case the behavioural change should have been clearly documented.
Affected versions
OTP 25.2 and OTP 24.4.3.8
The text was updated successfully, but these errors were encountered: