Open zea408 opened 1 week ago
Thanks for the report! We've just released Mbed TLS 3.6.1, which fixes several bugs and limitation in TLS 1.3 support. Can you please try version 3.6.1? I don't think we've fixed this, but it might have happened as part of another fix.
If you can still reproduce the problem with 3.6.1, would you mind sharing the client code to reproduce the problem?
After switching to 3.6.1, the issue still persist. I can't share my client code due to company policy, however, I do able to use the ssl_client1 example to duplicate the issue as long the server reply HelloRetryRequest with a cookie extension.
All right, thanks! Hopefully that'll be enough for us to reproduce the issue.
A couple more things: could you share what server and server settings cause a server to send a cookie extension? I'm not personally familiar with the TLS 1.3 ecosystem. Is this a common thing?
(In 3.5.1, ssl_client1
works against a plain openssl s_server
, but we're not testing more sophisticated things.)
Also, is the behavior of ssl_client2
different? Maybe with an extra command line option (sorry, I don't know what that option would be).
I've had a quick look and my understanding is that we have a bug in mbedtls_ssl_tls13_check_received_extension()
when hs_msg_type == MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST
and received_extension_type == MBEDTLS_SSL_EXT_ID_COOKIE
. In that particular case we should not check that we have sent the extension in our previous client hello: switch line 1637.
We does not seem to have some test for the echoing of the server HRR cookie in the second client hello. When we added the echoing we decided to postpone the testing of it (but fail to do so): see https://github.com/Mbed-TLS/mbedtls/pull/5369#pullrequestreview-877146112. I guess it is because it is not easy to do. Our TLS 1.3 server implementation does not support sending a cookie extension in the HRR. Looking at OpenSSL s_server it seems that the option --stateless is related to that. I've tried it with our ssl-opt.sh HRR test: "TLS 1.3 m->O: HRR secp256r1 -> secp384r1" but it does not seem to work.
This is the first time I summit a bug report, please let me know if anything is missing or wrong.
Summary
Receiving HelloRetryRequest(to change key share) with cookie extension result with a response of Alert (Fatal, Unsupported Extension).
System information
MBed TLS V3.6.0
Expected behavior
According to RFC 8446 Section 4.2, Implementations MUST NOT send extension responses if the remote endpoint did not send the corresponding extension requests, with the exception of the "cookie" extension in the HelloRetryRequest. Upon receiving such an extension, an endpoint MUST abort the handshake with an "unsupported_extension" alert. Client should respond with Client Hello with the "cookie" extension from the HRR with the new key share.
Actual behavior
Client respond with Alert(Fatal, Unsupported Extension).
Steps to reproduce
Temporary Fix
Add in exception for cookie extension on message type HRR in mbedtls_ssl_tls13_check_received_extension in ssl_tls13_generic.c.
Additional information