PeterMosmans / openssl

'Extra featured' OpenSSL with ChaCha20 and Poly1305 support
https://onwebsecurity.com/pages/openssl.html

ticket hints fail with ECDHE-RSA-AES256-SHA384 #13

Closed jvehent closed 9 years ago

jvehent commented 9 years ago

I noticed a strange behavior in cipherscan's output: ticket hints always fail with cipher ECDHE-RSA-AES256-SHA384 since I upgraded the openssl binary last week. It may be an error in the build options I used, or a bug in upstream openssl. I figured I'd file here first for verification before escalating to openssl.

Custom build with AES128-SHA: ticket lifetime found

$ ./openssl s_client -connect google.com:443 -cipher 'AES128-SHA' 2>&1 <<<Q|grep 'ticket lifetime'
    TLS session ticket lifetime hint: 100800 (seconds)

Custom build with ECDHE-RSA-AES256-SHA384: no ticket lifetime found

$ ./openssl s_client -connect google.com:443 -cipher 'ECDHE-RSA-AES256-SHA384' 2>&1 <<<Q|grep 'ticket lifetime'

Stock Fedora21 build with ECDHE-RSA-AES256-SHA384: ticket lifetime found

$ openssl s_client -connect google.com:443 -cipher 'ECDHE-RSA-AES256-SHA384' 2>&1 <<<Q|grep 'ticket lifetime'
    TLS session ticket lifetime hint: 100800 (seconds)

Custom build version & options:

$ ./openssl version -a
OpenSSL 1.0.2-chacha (1.0.2b-dev)
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/ssl"

Stock fedora 21 build version & options:

$ openssl version -a
OpenSSL 1.0.1k-fips 8 Jan 2015
built on: Fri Jan  9 10:39:16 2015
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches  -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic 

jvehent commented 9 years ago

I tried to rebuild openssl with ./config && make depend && make and the same problem occurs. I'm going to try with upstream openssl next.

jvehent commented 9 years ago

Upstream openssl doesn't have the issue. Testing with both the latest from master and the latest from 1.0.2.

$ ./openssl s_client -connect google.com:443 -cipher 'ECDHE-RSA-AES256-SHA384' 2>&1 <<<Q|grep 'ticket lifetime'
    TLS session ticket lifetime hint: 100800 (seconds)

$ ./openssl version -a
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
OpenSSL 1.1.0-dev xx XXX xxxx
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -Wall -O3 -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/ssl"

$ ./openssl s_client -connect google.com:443 -cipher 'ECDHE-RSA-AES256-SHA384' 2>&1 <<<Q|grep 'ticket lifetime'
    TLS session ticket lifetime hint: 100800 (seconds)

$ ./openssl version -a
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
OpenSSL 1.0.2b-dev xx XXX xxxx
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/ssl"
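The checks above boil down to one handshake per cipher and a grep for the ticket lifetime hint. The following script is an added example, not part of the issue or of the PeterMosmans/openssl project: it extracts the hint from s_client output, probes a list of ciphers against one openssl binary, and exits non-zero when any cipher comes back without a ticket, so a custom build can be gated on this regression. The host google.com and the cipher names are taken from the thread; the sample transcripts embedded at the end are constructed, not real captures.

```shell
#!/bin/sh
# Added example (not from the original issue): detect ciphers for which an
# openssl build no longer receives a TLS session ticket from the server.

# ticket_hint reads `openssl s_client` output on stdin and prints the session
# ticket lifetime hint in seconds, or "none" when no NewSessionTicket was seen.
ticket_hint() {
    hint=$(sed -n 's/^[[:space:]]*TLS session ticket lifetime hint: \([0-9][0-9]*\) (seconds).*/\1/p' | head -n 1)
    if [ -n "$hint" ]; then printf '%s\n' "$hint"; else printf 'none\n'; fi
}

# probe_cipher performs one handshake with the given binary, host and cipher
# and prints "<cipher> <hint>". This function needs network access.
probe_cipher() {
    bin=$1; host=$2; cipher=$3
    hint=$(printf 'Q\n' | "$bin" s_client -connect "$host:443" -cipher "$cipher" 2>&1 | ticket_hint)
    printf '%s %s\n' "$cipher" "$hint"
}

# compare_ciphers probes every cipher given on the command line and returns 1
# if any of them failed to get a ticket hint, which is the symptom reported above.
compare_ciphers() {
    bin=$1; host=$2; shift 2
    status=0
    for cipher in "$@"; do
        line=$(probe_cipher "$bin" "$host" "$cipher")
        printf '%s\n' "$line"
        case $line in *" none") status=1 ;; esac
    done
    return $status
}

# Constructed s_client excerpts (not real captures) so the parser can be
# exercised offline: one with a ticket, one without.
SAMPLE_WITH_TICKET='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:'
SAMPLE_WITHOUT_TICKET='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Start Time: 1430000000'

# Live usage (needs network):
#   compare_ciphers ./openssl google.com AES128-SHA ECDHE-RSA-AES256-SHA384
```

Running compare_ciphers with both the custom and the stock binary and diffing the two outputs isolates the build-specific failure from a server-side change.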

PeterMosmans commented 9 years ago

@jvehent, thanks for reporting this issue. I'm going to look into it.

PeterMosmans commented 9 years ago

Bug confirmed - it has to do with non-standard AEAD code. I'm in the process of removing those parts, as they are difficult and error-prone to maintain. This will take a while. Currently I'm testing a workaround for the issue.

PeterMosmans commented 9 years ago

@jvehent, could you test the latest build (0611a8416a2dfd04dc343e0d3754ff6e89bdccb3)? Sorry for the inconvenience. Later on I will remove all non-standard AEAD code.