Erlang/OTP
http://erlang.org

`TLS1.3` stateless session_resumption fails with `Illegal Parameter - :stateless` on FIPS enabled OpenSSL #8489

Open yonashaile opened 1 month ago

yonashaile commented 1 month ago

Describe the bug

On OTP-26.2.5, cipher TLS_CHACHA20_POLY1305_SHA256 and curve x25519 are part of the allowed crypto for TLS1.3 (ref: sufficient_crypto_support). However, those are not supported on FIPS enabled OpenSSL (ver 3.0.8).

After applying patch to remove this cipher and curve,

When client connects, the first full handshake succeeds.

When client connects and tries to resume with the SessionTicket received earlier and with a valid keyshare (i.e. server accepts it and does not send KeyShareHelloRetryRequest extension), handshake succeeds.

On the other hand, when client connects and tries to resume with the SessionTicket received earlier and keyshare is not accepted (i.e. server sends KeyShareHelloRetryRequest extension and client re-sends ClientHello with the chosen keyshare in key_share_entry), handshake fails with Illegal Parameter - :stateless at validate_binder.

As you can see in the server debug log, the last ClientHello's OfferedPsks after server sent KeyShareHelloRetryRequest has PskIdentity but empty binder <<0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>>.

To Reproduce

Expected behavior

TLS1.3 session_resumption works with FIPS crypto

Affected versions

OTP-26.2.5

Additional context

- Erlang/OTP is compiled with fips-mode
- fips-mode is enabled for crypto at run-time
- The TLS server is configured with session_tickets = stateless_with_cert option.
- The TLS client is configured with session_tickets = auto
- The server is running on FIPS enabled OpenSSL 3.0.8

openssl ciphers -s -v -tls1_3
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD

Here is the Server debug log

reading (215 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 00 d2 01 00 00  ce 03 03 a1 cd 32 2f e1    .............2/.
.....
<<< TLS 1.3 Handshake, ClientHello
[{client_version,{3,3}},
 {random,
     <<161,205,50,...>>},
 {session_id,
     <<50,253,..>>},
 {cookie,undefined},
 {cipher_suites,
     ["TLS_EMPTY_RENEGOTIATION_INFO_SCSV","TLS_AES_256_GCM_SHA384",
      "TLS_AES_128_GCM_SHA256","TLS_CHACHA20_POLY1305_SHA256",
      "TLS_AES_128_CCM_SHA256","TLS_AES_128_CCM_8_SHA256"]},
 {compression_methods,[0]},
 {extensions,
     #{cookie => undefined,
       client_hello_versions => {client_hello_versions,[{3,4}]},
       certificate_authorities => undefined,
       signature_algs =>
           {signature_algorithms,
               [eddsa_ed25519,eddsa_ed448,ecdsa_secp521r1_sha512,
                ecdsa_secp384r1_sha384,ecdsa_secp256r1_sha256,
                rsa_pss_pss_sha512,rsa_pss_pss_sha384,rsa_pss_pss_sha256,
                rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,rsa_pss_rsae_sha256,
                rsa_pkcs1_sha512,rsa_pkcs1_sha384,rsa_pkcs1_sha256]},
       signature_algs_cert => undefined,use_srtp => undefined,
       elliptic_curves => {supported_groups,[x25519,x448,secp256r1,secp384r1]},
       pre_shared_key => undefined,
       sni => {sni,"..."},
       alpn => undefined,
       ec_point_formats => {ec_point_formats,[0]},
       psk_key_exchange_modes => undefined,
       key_share =>
           {key_share_client_hello,
               [{key_share_entry,x25519,
                    <<249,23,4,184,236,105,42,52,237,249,139,208,199,94,
                      137,175,240,113,125,241,191,112,138,116,65,135,207,
                      226,235,6,10,61>>}]}}}]
>>> TLS 1.3 Handshake, ServerHello
[{server_version,{3,3}},
 {random,<<207,33,173,116,229,154,97,17,190,29,140,2,30,101,184,145,194,162,
           17,22,122,187,140,94,7,158,9,226,200,168,51,156>>},
 {session_id,<<50,253,231,235,205,121,252,230,117,114,30,32,93,8,6,52,146,87,
               111,167,193,52,114,144,73,192,165,7,214,89,72,3>>},
 {cipher_suite,"TLS_AES_256_GCM_SHA384"},
 {compression_method,0},
 {extensions,#{cookie =>
                   {cookie,<<157,161,134,...>>},
               server_hello_selected_version =>
                   {server_hello_selected_version,{3,4}},
               key_share => {key_share_hello_retry_request,secp256r1}}}]
writing (199 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 00 c2 02 00 00  be 03 03 cf 21 ad 74 e5    ............!.t.
...
writing (6 bytes) TLS 1.2 Record Protocol, change_cipher_spec
0000 - 14 03 03 00 01 01                                   ......
reading (6 bytes) TLS 1.2 Record Protocol, change_cipher_spec
0000 - 14 03 03 00 01 01                                   ......
reading (354 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 01 5d 01 00 01  59 03 03 a1 cd 32 2f e1    ....]...Y....2/.
...
<<< TLS 1.3 Handshake, ClientHello
[{client_version,{3,3}},
 {random,
     <<161,205,50,...>>},
 {session_id,
     <<50,253,231,...>>},
 {cookie,undefined},
 {cipher_suites,
     ["TLS_EMPTY_RENEGOTIATION_INFO_SCSV","TLS_AES_256_GCM_SHA384",
      "TLS_AES_128_GCM_SHA256","TLS_CHACHA20_POLY1305_SHA256",
      "TLS_AES_128_CCM_SHA256","TLS_AES_128_CCM_8_SHA256"]},
 {compression_methods,[0]},
 {extensions,
     #{cookie =>
           {cookie,
               <<157,161,134,>>},
       client_hello_versions => {client_hello_versions,[{3,4}]},
       certificate_authorities => undefined,
       signature_algs =>
           {signature_algorithms,
               [eddsa_ed25519,eddsa_ed448,ecdsa_secp521r1_sha512,
                ecdsa_secp384r1_sha384,ecdsa_secp256r1_sha256,
                rsa_pss_pss_sha512,rsa_pss_pss_sha384,rsa_pss_pss_sha256,
                rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,rsa_pss_rsae_sha256,
                rsa_pkcs1_sha512,rsa_pkcs1_sha384,rsa_pkcs1_sha256]},
       signature_algs_cert => undefined,use_srtp => undefined,
       elliptic_curves => {supported_groups,[x25519,x448,secp256r1,secp384r1]},
       pre_shared_key => undefined,
       sni => {sni,"..."},
       alpn => undefined,
       ec_point_formats => {ec_point_formats,[0]},
       psk_key_exchange_modes => undefined,
       key_share =>
           {key_share_client_hello,
               [{key_share_entry,secp256r1,
                    <<4,206,42,126,254,188,22,65,240,236,207,131,80,214,
                      188,176,90,52,11,246,8,70,235,213,29,70,60,227,233,
                      71,151,228,37,46,253,178,144,103,7,244,165,133,165,
                      201,234,83,50,172,15,43,164,184,162,52,218,81,250,
                      220,147,166,92,117,18,144,143>>}]}}}]
>>> TLS 1.3 Handshake, ServerHello
[{server_version,{3,3}},
 {random,
     <<70,96,171,13,209,126,70,57,124,215,129,17,138,215,78,3,100,73,190,20,
       143,255,3,189,49,76,188,180,158,171,141,133>>},
 {session_id,
     <<50,253,231,235,205,121,252,230,117,114,30,32,93,8,6,52,146,87,111,167,
       193,52,114,144,73,192,165,7,214,89,72,3>>},
 {cipher_suite,"TLS_AES_256_GCM_SHA384"},
 {compression_method,0},
 {extensions,
     #{server_hello_selected_version => {server_hello_selected_version,{3,4}},
       key_share =>
           {key_share_server_hello,
               {key_share_entry,secp256r1,
                   <<4,92,127,89,162,74,43,186,223,172,16,143,165,101,195,
                     206,253,184,71,253,215,238,40,168,219,220,59,102,25,
                     208,146,173,73,211,198,1,247,128,59,137,98,81,3,184,
                     36,208,61,175,53,48,154,182,41,197,202,225,192,98,
                     207,179,157,61,168,188,39>>}}}}]
writing (160 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 00 9b 02 00 00  97 03 03 46 60 ab 0d d1    ...........F`...
...
>>> Handshake, EncryptedExtensions
[{extensions,#{}}]
writing (28 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 00 17 64 c4 46  3e f7 92 a5 55 ad 3a aa    .....d.F>...U.:.
0010 - 8f be bb 2d 38 a6 ee e7  ab 7c e1 d9                ...-8....|..
>>> Handshake, CertificateRequest
[{certificate_request_context,<<>>},
 {extensions,
     #{certificate_authorities =>
           {certificate_authorities,
               [{rdnSequence,
                    [[{'AttributeTypeAndValue',{2,5,4,6},"..."}],
                     [{'AttributeTypeAndValue',
                          {2,5,4,8},
                          {utf8String,<<"...">>}}],
                     [{'AttributeTypeAndValue',
                          {2,5,4,7},
                          {utf8String,<<"...">>}}],
                     [{'AttributeTypeAndValue',
                          {2,5,4,10},
                          {utf8String,<<"...">>}}],
                     [{'AttributeTypeAndValue',
                          {2,5,4,3},
                          {utf8String,
                              <<"...">>}}]]}]},
       signature_algorithms =>
           {signature_algorithms,
               [rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha512,
                rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha512,
                rsa_pss_rsae_sha256,rsa_pss_rsae_sha384,rsa_pss_rsae_sha512,
                rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512,
                ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384,
                ecdsa_secp521r1_sha512,eddsa_ed448,eddsa_ed25519]}}}]
writing (191 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 00 ba 9b 1a f6  77 54 8c 66 e4 36 59 d9    ........wT.f.6Y.
...
>>> Handshake, Certificate
[{certificate_request_context,<<>>},
 {certificate_list,
     [{certificate_entry,
          <<48,130,2,124,48,130,...>>,
          #{}},
      {certificate_entry,
          <<48,130,2,131,48,130,....>>,
          #{}}]}]
writing (1327 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 05 2a 21 cd 3e  23 e7 be 7a 93 91 a8 65    ....*!.>#..z...e
...
>>> Handshake, CertificateVerify
[{algorithm,ecdsa_secp384r1_sha384},
 {signature,<<48,101,2,49,0,...>>}]
writing (133 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 00 80 10 41 93  0b 10 0f fa 0e 4f cc e4    ......A......O..
...                             ....
>>> Handshake, Finished
[{verify_data,<<117,79,67,141,...>>}]
writing (74 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 00 45 18 79 5d  19 94 a6 50 01 e4 9e 4f    ....E.y]...P...O
...
reading (965 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 03 c0 02 80 b7  dd c6 89 43 72 11 fe db    ...........Cr...
...
reading (286 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 01 19 55 36 ec  28 41 7e a4 b1 99 2c 9c    .....U6.(A~...,.
...
reading (74 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 00 45 9e ec aa  84 fb a4 73 70 0b d7 53    ....E......sp..S
...
<<< Handshake, Certificate
[{certificate_request_context,<<>>},
 {certificate_list,
     [{certificate_entry,
          <<48,130,3,...>>,
          #{}}]}]
<<< Handshake, CertificateVerify
[{algorithm,rsa_pss_rsae_sha256},
 {signature,<<97,95,195,...>>}]
<<< Handshake, Finished
[{verify_data,<<227,138,179,...>>}]
>>> Post-Handshake, NewSessionTicket
[{ticket_lifetime,36000},
 {ticket_age_add,603490081},
 {ticket_nonce,<<0,0,0,0,0,0,0,0>>},
 {ticket,<<...>>},
 {extensions,#{early_data => {early_data_indication_nst,0}}}]
writing (1100 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 04 47 30 05 59  32 a9 19 06 3c 87 1e 60    ....G0.Y2...<..`
...
writing (105 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 00 64 92 f7 4c  2c 05 a3 c9 49 3a 38 8a    ....d..L,...I:8.
...
reading (1330 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 05 2d 01 00 05  29 03 03 0a 1b 53 a4 20    ....-...)....S. 
...
writing (24 bytes) TLS 1.2 Record Protocol, application_data
...
<<< TLS 1.3 Handshake, ClientHello
[{client_version,{3,3}},
 {random,
     <<10,27,83,...>>},
 {session_id,
     <<108,228,66,64,5,0,175,245,228,61,108,174,49,29,37,50,193,158,162,9,171,
       103,134,38,234,7,146,62,161,1,252,172>>},
 {cookie,undefined},
 {cipher_suites,
     ["TLS_EMPTY_RENEGOTIATION_INFO_SCSV","TLS_AES_256_GCM_SHA384",
      "TLS_AES_128_GCM_SHA256","TLS_CHACHA20_POLY1305_SHA256",
      "TLS_AES_128_CCM_SHA256","TLS_AES_128_CCM_8_SHA256"]},
 {compression_methods,[0]},
 {extensions,
     #{cookie => undefined,
       client_hello_versions => {client_hello_versions,[{3,4}]},
       certificate_authorities => undefined,
       signature_algs =>
           {signature_algorithms,
               [eddsa_ed25519,eddsa_ed448,ecdsa_secp521r1_sha512,
                ecdsa_secp384r1_sha384,ecdsa_secp256r1_sha256,
                rsa_pss_pss_sha512,rsa_pss_pss_sha384,rsa_pss_pss_sha256,
                rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,rsa_pss_rsae_sha256,
                rsa_pkcs1_sha512,rsa_pkcs1_sha384,rsa_pkcs1_sha256]},
       signature_algs_cert => undefined,use_srtp => undefined,
       elliptic_curves => {supported_groups,[x25519,x448,secp256r1,secp384r1]},
       pre_shared_key =>
           {pre_shared_key_client_hello,
               {offered_psks,
                   [{psk_identity,
                         <<...>>,
                        603490317}],
                   [<<66,159,32,71,167,180,48,16,128,86,132,3,156,241,96,
                      127,196,195,56,19,161,39,22,79,8,42,66,217,191,157,
                      146,46,124,195,75,81,118,111,61,22,205,21,81,121,195,
                      36,230,109>>]}},
       sni => {sni,"..."},
       alpn => undefined,
       ec_point_formats => {ec_point_formats,[0]},
       psk_key_exchange_modes => {psk_key_exchange_modes,[psk_ke,psk_dhe_ke]},
       key_share =>
           {key_share_client_hello,
               [{key_share_entry,x25519,
                    <<108,101,134,136,31,178,4,183,28,251,183,177,120,
                      227,201,128,15,96,237,90,121,112,121,96,95,152,130,
                      214,188,144,91,73>>}]}}}]
>>> TLS 1.3 Handshake, ServerHello
[{server_version,{3,3}},
 {random,<<207,33,173,...>>},
 {session_id,<<108,228,66,64,5,0,175,245,228,61,108,174,49,29,37,50,193,158,
               162,9,171,103,134,38,234,7,146,62,161,1,252,172>>},
 {cipher_suite,"TLS_AES_256_GCM_SHA384"},
 {compression_method,0},
 {extensions,#{cookie =>
                   {cookie,<<47,66,16,...>>},
               server_hello_selected_version =>
                   {server_hello_selected_version,{3,4}},
               key_share => {key_share_hello_retry_request,secp256r1}}}]
writing (199 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 00 c2 02 00 00  be 03 03 cf 21 ad 74 e5    ............!.t.
...
writing (6 bytes) TLS 1.2 Record Protocol, change_cipher_spec
0000 - 14 03 03 00 01 01                                   ......
reading (6 bytes) TLS 1.2 Record Protocol, change_cipher_spec
0000 - 14 03 03 00 01 01                                   ......
reading (1469 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 05 b8 01 00 05  b4 03 03 0a 1b 53 a4 20    .............S. 
...
<<< TLS 1.3 Handshake, ClientHello
[{client_version,{3,3}},
 {random,
     <<10,27,83,...>>},
 {session_id,
     <<108,228,66,64,5,0,175,245,228,61,108,174,49,29,37,50,193,158,162,9,171,
       103,134,38,234,7,146,62,161,1,252,172>>},
 {cookie,undefined},
 {cipher_suites,
     ["TLS_EMPTY_RENEGOTIATION_INFO_SCSV","TLS_AES_256_GCM_SHA384",
      "TLS_AES_128_GCM_SHA256","TLS_CHACHA20_POLY1305_SHA256",
      "TLS_AES_128_CCM_SHA256","TLS_AES_128_CCM_8_SHA256"]},
 {compression_methods,[0]},
 {extensions,
     #{cookie =>
           {cookie,
               <<47,66,16,245,13,...>>},
       client_hello_versions => {client_hello_versions,[{3,4}]},
       certificate_authorities => undefined,
       signature_algs =>
           {signature_algorithms,
               [eddsa_ed25519,eddsa_ed448,ecdsa_secp521r1_sha512,
                ecdsa_secp384r1_sha384,ecdsa_secp256r1_sha256,
                rsa_pss_pss_sha512,rsa_pss_pss_sha384,rsa_pss_pss_sha256,
                rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,rsa_pss_rsae_sha256,
                rsa_pkcs1_sha512,rsa_pkcs1_sha384,rsa_pkcs1_sha256]},
       signature_algs_cert => undefined,use_srtp => undefined,
       elliptic_curves => {supported_groups,[x25519,x448,secp256r1,secp384r1]},
       pre_shared_key =>
           {pre_shared_key_client_hello,
               {offered_psks,
                   [{psk_identity,
                         <<...>>,
                        603490323}],
                   [<<0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
                      0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>>]}},
       sni => {sni,"..."},
       alpn => undefined,
       ec_point_formats => {ec_point_formats,[0]},
       psk_key_exchange_modes => {psk_key_exchange_modes,[psk_ke,psk_dhe_ke]},
       key_share =>
           {key_share_client_hello,
               [{key_share_entry,secp256r1,
                    <<4,31,85,166,62,250,60,207,58,20,1,9,44,231,129,93,
                      163,158,233,189,187,23,158,244,25,3,111,18,116,25,
                      88,149,33,54,127,216,164,67,39,214,21,179,213,223,
                      70,74,221,121,234,28,53,221,10,101,240,52,80,8,1,9,
                      146,19,6,184,128>>}]}}}]
writing (7 bytes) TLS 1.2 Record Protocol, alert
0000 - 15 03 03 00 02 02 2f                                ....../

IngelaAndin commented 1 month ago

@yonashaile Did you enable fips-mode at runtime in crypto? See crypto:enable_fips_mode/1 https://www.erlang.org/doc/man/crypto#enable_fips_mode-1

Also did you compile Erlang/OTP with fips mode enabled?

Also note you cannot select cipher suites in Erlang/OTP by configuring OpenSSL; we only use OpenSSL-cryptolib and the protocol is implemented in Erlang.

yonashaile commented 1 month ago

@IngelaAndin fips-mode is already enabled for crypto at run-time and Erlang/OTP is compiled with fips-mode as well.

So without removing TLS_CHACHA20_POLY1305_SHA256 and curve x25519, tls1.3 application will not start since the crypto are not supported on fips enabled openssl.

After removing, application works fine, except when client tries to resume with the session ticket (as shown in the issue description).

IngelaAndin commented 1 month ago

@yonashaile Oh, I see. I think I did not click your "removal patch" and misunderstood what you meant by that. I will look into it.

IngelaAndin commented 1 month ago

Have not had time to figure out the resumption thing yet, but made a patch for checking minimum requirements for TLS-1.3:

#8504

IngelaAndin commented 1 month ago

@yonashaile I have a question, what do you mean that the resumption should work? An empty binder cannot be valid. Do you mean that the server should fall back to a full handshake? Is this actually FIPS-related? Have you tried this without FIPS?
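
The binder check discussed in this thread, as an added example in Python (not code from Erlang/OTP or from either commenter): it follows RFC 8446 sections 4.2.11.2 and 4.4.1 to show why a second ClientHello sent after a HelloRetryRequest needs a binder recomputed over the retry transcript, and why a zero-filled or reused binder does not validate. The PSK, the handshake bodies and all function names are constructed for illustration; SHA-384 is used because the log shows TLS_AES_256_GCM_SHA384.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha384        # hash of TLS_AES_256_GCM_SHA384, the suite in the log
HLEN = HASH().digest_size    # 48 bytes, the size of the zero binder in the log
BINDERS_LEN = 2 + 1 + HLEN   # u16 list length + u8 binder length + one binder


def hkdf_expand_label(secret, label, context, length):
    """HKDF-Expand-Label (RFC 8446, section 7.1)."""
    full_label = b"tls13 " + label
    info = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def binder_finished_key(psk):
    """Early Secret -> binder_key ("res binder") -> finished_key."""
    early_secret = hmac.new(bytes(HLEN), psk, HASH).digest()  # HKDF-Extract(0, PSK)
    binder_key = hkdf_expand_label(early_secret, b"res binder",
                                   HASH(b"").digest(), HLEN)
    return hkdf_expand_label(binder_key, b"finished", b"", HLEN)


def handshake(msg_type, body):
    """Handshake framing: u8 type, u24 length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def client_hello_with_placeholder(body):
    """ClientHello whose last bytes are a binders list holding a zero placeholder."""
    binders = struct.pack("!H", 1 + HLEN) + bytes([HLEN]) + bytes(HLEN)
    return handshake(1, body + binders)


def message_hash(client_hello1):
    """Synthetic message that replaces ClientHello1 after an HRR (section 4.4.1)."""
    return handshake(254, HASH(client_hello1).digest())


def compute_binder(psk, client_hello, prior=b""):
    """HMAC over Transcript-Hash(prior || Truncate(ClientHello)), section 4.2.11.2."""
    truncated = client_hello[:-BINDERS_LEN]
    transcript_hash = HASH(prior + truncated).digest()
    return hmac.new(binder_finished_key(psk), transcript_hash, HASH).digest()


def fill_binder(client_hello, binder):
    """Overwrite the trailing placeholder with the real binder."""
    return client_hello[:-HLEN] + binder


def validate_binder(psk, client_hello, prior=b""):
    """Server side: recompute the binder and compare in constant time."""
    return hmac.compare_digest(client_hello[-HLEN:],
                               compute_binder(psk, client_hello, prior))


def scenario():
    psk = bytes(range(HLEN))  # constructed; a real PSK comes from the earlier session
    ch1 = client_hello_with_placeholder(b"constructed hello, key_share=x25519")
    ch1 = fill_binder(ch1, compute_binder(psk, ch1))
    hrr = handshake(2, b"constructed HelloRetryRequest, key_share=secp256r1")
    prior = message_hash(ch1) + hrr  # transcript that precedes ClientHello2

    ch2_zero = client_hello_with_placeholder(b"constructed hello, key_share=secp256r1")
    ch2_reused = fill_binder(ch2_zero, ch1[-HLEN:])
    ch2_good = fill_binder(ch2_zero, compute_binder(psk, ch2_zero, prior))
    return {
        "first_hello": validate_binder(psk, ch1),
        "retry_zero_binder": validate_binder(psk, ch2_zero, prior),
        "retry_reused_binder": validate_binder(psk, ch2_reused, prior),
        "retry_recomputed": validate_binder(psk, ch2_good, prior),
        "retry_without_hrr_transcript": validate_binder(psk, ch2_good),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the first ClientHello and the retry with a recomputed binder are accepted; the zero-filled retry corresponds to the last ClientHello in the server debug log above.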

IngelaAndin commented 6 days ago

@yonashaile ping

yonashaile commented 6 days ago

@IngelaAndin Apologies for the delayed response.

My assumption was that with the patch applied TLS1_3 session resumption would work with OTP client and OTP server. However, it fails with

module=tls_server_session_ticket function=validate_binder/5 line=236  TLS :server: In state :start at tls_server_session_ticket.erl:236 generated SERVER ALERT: Fatal - Illegal Parameter
 - :stateless

The only way session resumption works is if the client has supported_groups configured with secp256r1, secp384r1 (without x25519).