Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/

programs/ssl/ssl_server2 bug #8654

Closed hey3e closed 7 months ago

hey3e commented 10 months ago

Summary

programs/ssl/ssl_server2 refuses following tls1.3 connections from a peer if that peer used to establish tls1.2 connections with the server previously.

System information

Mbed TLS version (number or commit id): 3.4.0 f1c032adb
Operating system and version: Ubuntu 22.04.2 LTS
Configuration (if not default, please attach mbedtls_config.h): #define MBEDTLS_SSL_PROTO_TLS1_3
Compiler and options (if you used a pre-built binary, please indicate how you obtained it): default
Additional environment information: no

Expected behavior

programs/ssl/ssl_server2 allows following tls1.3 connections from a peer if that peer used to establish tls1.2 connections with the server previously.

Actual behavior

programs/ssl/ssl_server2 refuses following tls1.3 connections from a peer if that peer used to establish tls1.2 connections with the server previously.

Steps to reproduce

server: ./programs/ssl/ssl_server2
client: ./programs/ssl/ssl_client2 force_version=tls12
server shows: Successful connection

Then, ctrl+c to close client, keep server running, restart client with ./programs/ssl/ssl_client2 force_version=tls13
server shows: Last error was: -0x7780 - SSL - A fatal alert message was received from our peer

Additional information

Did not see this behavior in other tls implementations.

yanesca commented 10 months ago

From include/mbedtls/mbedtls_config.h:

 * \def MBEDTLS_SSL_PROTO_TLS1_3
 *
 * Enable support for TLS 1.3.
 *
 * \note The support for TLS 1.3 is not comprehensive yet, in particular
 *       pre-shared keys are not supported.
 *       See docs/architecture/tls13-support.md for a description of the TLS
 *       1.3 support that this option enables.

From docs/architecture/tls13-support.md:

  • Supported versions:
      • TLS 1.2 and TLS 1.3 with version negotiation on the client side, not server side.

In summary, the server side doesn't have version negotiation yet. This is a documented limitation of TLS 1.3 in the library, which is a feature still in development.

ronald-cron-arm commented 10 months ago

Thanks for the report. I have checked and this is still relevant in 3.5 where we support version negotiation on server side. When a connection is closed, ssl_server2 uses mbedtls_ssl_session_reset() to reset the SSL context to prepare for the following connection. In mbedtls_ssl_session_reset() the TLS maximum negotiable version is not reset properly: if the last connection negotiated TLS 1.2 that's the new maximum.
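The failure mode described in the comment above, as an added example that is not Mbed TLS's own code: a deliberately simplified model of a server-side TLS context in which the per-connection version ceiling is lowered to whatever the peer negotiated, and a context reset that forgets to restore it from the configuration. All type and function names (tls_config, tls_context, ctx_reset_buggy, ctx_reset_fixed, run_scenario) are constructed for illustration and do not correspond to the library's API. The buggy reset reproduces the sequence in the report (TLS 1.2 client, reset, TLS 1.3 client refused); the corrected reset re-derives the ceiling from the configuration so the second client is accepted.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of the state involved in the report above.
 * These are illustrative names, not Mbed TLS types or functions. */
enum tls_version { TLS_NONE = 0, TLS_1_2 = 0x0303, TLS_1_3 = 0x0304 };

struct tls_config {
    enum tls_version min_version;   /* lowest version the server will accept */
    enum tls_version max_version;   /* highest version the server is configured to offer */
};

struct tls_context {
    const struct tls_config *conf;
    enum tls_version max_negotiable; /* per-connection ceiling, derived from conf */
    enum tls_version negotiated;     /* version agreed with the current peer */
};

void ctx_setup(struct tls_context *ctx, const struct tls_config *conf) {
    memset(ctx, 0, sizeof(*ctx));
    ctx->conf = conf;
    ctx->max_negotiable = conf->max_version;
}

/* Server-side version selection: accept the peer's version if it lies within our range.
 * Returns 0 on success, -1 where a real server would send a fatal alert. */
int ctx_handshake(struct tls_context *ctx, enum tls_version client_version) {
    if (client_version < ctx->conf->min_version || client_version > ctx->max_negotiable) {
        ctx->negotiated = TLS_NONE;
        return -1;
    }
    ctx->negotiated = client_version;
    /* Once a version is agreed, the rest of this handshake must not exceed it. */
    ctx->max_negotiable = client_version;
    return 0;
}

/* Buggy reset: clears the negotiated version but keeps the lowered ceiling,
 * so a TLS 1.2 connection permanently caps later connections at TLS 1.2. */
void ctx_reset_buggy(struct tls_context *ctx) {
    ctx->negotiated = TLS_NONE;
}

/* Corrected reset: every per-connection field is re-derived from the
 * configuration, never carried over from the previous peer. */
void ctx_reset_fixed(struct tls_context *ctx) {
    ctx->negotiated = TLS_NONE;
    ctx->max_negotiable = ctx->conf->max_version;
}

/* The two-connection scenario from the report: a TLS 1.2 client, a context
 * reset, then a TLS 1.3 client. Returns 0 if the second connection is
 * accepted, -1 if it is refused, -2 if the first connection unexpectedly fails. */
int run_scenario(void (*reset)(struct tls_context *)) {
    struct tls_config conf = { TLS_1_2, TLS_1_3 };
    struct tls_context ctx;
    ctx_setup(&ctx, &conf);
    if (ctx_handshake(&ctx, TLS_1_2) != 0) {
        return -2;
    }
    reset(&ctx);
    return ctx_handshake(&ctx, TLS_1_3);
}

int main(void) {
    printf("buggy reset, second (TLS 1.3) connection: %s\n",
           run_scenario(ctx_reset_buggy) == 0 ? "accepted" : "refused");
    printf("fixed reset, second (TLS 1.3) connection: %s\n",
           run_scenario(ctx_reset_fixed) == 0 ? "accepted" : "refused");
    return 0;
}
```

The general lesson the model shows is that a "reset for the next connection" routine must restore every field that a handshake is allowed to narrow, from the configuration rather than from the previous connection; a regression test that alternates protocol versions across a reset, as the reporter's steps effectively do, catches this class of state leak.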

tom-cosgrove-arm commented 7 months ago

Fix released in Mbed TLS v3.6 by

commit ad736991bb59211118a29fe115367c24495300c2
Merge: 2f387e98a c522255e3
Author: Janos Follath <janos.follath@arm.com>
Date:   Fri Feb 9 16:04:59 2024 +0000

    Merge pull request #1177 from ronald-cron-arm/tls-max-version-reset

    Reset properly the TLS maximum negotiable version