aws / s2n-tls

An implementation of the TLS/SSL protocols
https://aws.github.io/s2n-tls/usage-guide/
Apache License 2.0

[AL2] Integrationv2 test_client_authentication failures #2399

Open dougch opened 3 years ago

dougch commented 3 years ago

Security issue notifications

If you discover a potential security issue in s2n we ask that you notify AWS Security via our vulnerability reporting page. Please do not create a public github issue.

Problem:

~10% failure rate for the test_client_authentication:

=============================================================================================== 448 failed, 4592 passed in 2645.95s (0:44:05) ================================================================================================
ERROR: InvocationError for command /home/ec2-user/gitrepos/s2n/tests/integrationv2/.tox/py38/bin/pytest -n 2 --cache-clear -rpfsq --provider-version=openssl-1.1.1 --fips-mode=0 --no-pq=1 test_client_authentication.py (exited with code 1)
__________________________________________________________________________________________________________________ summary ___________________________________________________________________________________________________________________
ERROR:   py38: commands failed

repro steps:

Solution:

A description of the possible solution in terms of S2N architecture. Highlight and explain any potentially controversial design decisions taken.

Requirements / Acceptance Criteria:

What must a solution address in order to solve the problem? How do we know the solution is complete?

Out of scope:

Is there anything the solution will intentionally NOT address?

rday commented 3 years ago

What were the commonalities in the failures? This feels like an unsupported algorithm or flag or similar.

dougch commented 3 years ago

What were the commonalities in the failures? This feels like an unsupported algorithm or flag or similar.

the theme appears to be RSA with TLS1.0, examples:

FAILED test_client_authentication.py::test_client_auth_with_s2n_server[RSA_2048_SHA256-TLS1.0-P-384-OpenSSL-ECDHE-RSA-AES256-SHA] - AssertionError: assert TimeoutException(TimeoutExpired(['s2nd', '-X', '--self-service-blinding', '--non...
FAILED test_client_authentication.py::test_client_auth_with_s2n_server[RSA_2048_SHA384-TLS1.0-P-384-OpenSSL-ECDHE-RSA-AES128-SHA] - AssertionError: assert TimeoutException(TimeoutExpired(['s2nd', '-X', '--self-service-blinding', '--non...
FAILED test_client_authentication.py::test_client_auth_with_s2n_server[RSA_2048_SHA512-TLS1.0-P-384-OpenSSL-ECDHE-RSA-AES256-SHA] - AssertionError: assert TimeoutException(TimeoutExpired(['s2nd', '-X', '--self-service-blinding', '--non...
dougch commented 3 years ago

There is a theme here... the happy_path_test is also failing:

FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-DHE-RSA-AES256-GCM-SHA384]
FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-AES128-SHA]
FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-AES256-SHA]
FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-AES128-SHA256]
FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-AES256-SHA256]
FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-ECDHE-RSA-AES128-SHA]
FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-ECDHE-RSA-AES256-SHA]
FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-ECDHE-RSA-AES128-SHA256]
FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-ECDHE-RSA-AES256-SHA384]
FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-ECDHE-RSA-AES128-GCM-SHA256]
FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-ECDHE-RSA-AES256-GCM-SHA384]
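As an added triage aid (not code from the issue or from the s2n-tls repository), the script below parses the pytest FAILED lines quoted in both comments above and reports which test parameters every failure shares, which is the commonality question rday raised. The field names cert/protocol/curve/provider/cipher are my labels for the positions in the parametrised test id, inferred from the ids shown in this thread.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Parametrised test ids in the failures above have the shape
#   <cert>-<protocol>-<curve>-<provider>-<cipher>   (field names are mine).
# Curve ("P-384") and cipher ("ECDHE-RSA-AES256-SHA") contain '-' themselves,
# so the id is matched field by field instead of being split on '-'.
PARAM_RE = re.compile(
    r"^(?P<cert>[A-Z]+_\d+_SHA\d+)-(?P<protocol>TLS1\.\d)-"
    r"(?P<curve>P-\d+|X25519)-(?P<provider>[A-Za-z]+)-(?P<cipher>.+)$"
)
# Finds "FAILED file::test[params]" anywhere in a line, so a "970 | " log-viewer prefix or a trailing "- AssertionError: ..." is tolerated.
FAILED_RE = re.compile(r"FAILED\s+(?P<file>\S+?)::(?P<test>\w+)\[(?P<params>[^\]]+)\]")
FIELDS = ("file", "test", "cert", "protocol", "curve", "provider", "cipher")

def parse_failure(line: str) -> Optional[Dict[str, str]]:
    """Fields of one FAILED line, or None if the line is not a parsable failure."""
    m = FAILED_RE.search(line)
    p = PARAM_RE.match(m.group("params")) if m else None
    if not p:
        return None
    return {"file": m.group("file"), "test": m.group("test"), **p.groupdict()}

def tally(lines: List[str]) -> Dict[str, List[Tuple[str, int]]]:
    """Per field, how often each value occurs across the failures, most common first."""
    counts = {f: Counter() for f in FIELDS}
    for parsed in filter(None, map(parse_failure, lines)):
        for f in FIELDS:
            counts[f][parsed[f]] += 1
    return {f: c.most_common() for f, c in counts.items()}

def shared_fields(lines: List[str]) -> Dict[str, str]:
    """Fields whose value is identical in every failure: the 'theme' of the run."""
    parsed = list(filter(None, map(parse_failure, lines)))
    values = {f: {p[f] for p in parsed} for f in FIELDS}
    return {f: v.pop() for f, v in values.items() if len(v) == 1}

# Constructed sample: failure lines quoted in this thread (two with the log-viewer line prefix) plus one unrelated tox line that must be skipped.
CLIENT_AUTH = [
    "FAILED test_client_authentication.py::test_client_auth_with_s2n_server[RSA_2048_SHA256-TLS1.0-P-384-OpenSSL-ECDHE-RSA-AES256-SHA] - AssertionError: assert TimeoutException(...)",
    "FAILED test_client_authentication.py::test_client_auth_with_s2n_server[RSA_2048_SHA384-TLS1.0-P-384-OpenSSL-ECDHE-RSA-AES128-SHA] - AssertionError: assert TimeoutException(...)",
    "FAILED test_client_authentication.py::test_client_auth_with_s2n_server[RSA_2048_SHA512-TLS1.0-P-384-OpenSSL-ECDHE-RSA-AES256-SHA] - AssertionError: assert TimeoutException(...)",
    "ERROR:   py38: commands failed",
]
HAPPY_PATH = [
    "970 | FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-AES128-SHA]",
    "979 | FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-ECDHE-RSA-AES256-GCM-SHA384]",
]
```

Running `shared_fields(CLIENT_AUTH)` singles out TLS1.0, P-384 and OpenSSL as the parameters common to all three client-auth failures, while `tally` over both lists shows where the two runs differ.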