crypto/tls: using TLS 1.3 renders incorrect behavior for IMAP

[dobegor]

What version of Go are you using (go version)?

$ go version
go version go1.13.5 darwin/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/dobegor/Library/Caches/go-build"
GOENV="/Users/dobegor/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/dobegor/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/9h/8ghw84gx02l6__ryvxp4yzwh0000gn/T/go-build681607661=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Playground go run main.go

What did you expect to see?

* OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=XOAUTH2 AUTH=OAUTHBEARER ID MOVE NAMESPACE XYMHIGHESTMODSEQ UIDPLUS LITERAL+ CHILDREN X-MSG-EXT OBJECTID] IMAP4rev1 Hello

What did you see instead?

The aforementioned string repeated twice. This problem does not occur using openssl client:

$ openssl s_client -tls1_3 -connect imap.mail.yahoo.com:993
CONNECTED(00000006)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = California, L = Sunnyvale, O = Oath Inc, CN = *.imap.mail.yahoo.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Sunnyvale, O = Oath Inc, CN = *.imap.mail.yahoo.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGcTCCBVmgAwIBAgIQArWhretx7e5aWJOBGGgO2jANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xOTA5MDQwMDAwMDBaFw0yMDAzMDIxMjAwMDBa
MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlT
dW5ueXZhbGUxETAPBgNVBAoTCE9hdGggSW5jMR4wHAYDVQQDDBUqLmltYXAubWFp
bC55YWhvby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkNNlL
eOX+OjwT0IoW3yxJnfMeG59Ca4WhgpYoHcdWRvVBbgY8AtbEutpAZnbCv+0VZoHU
aYarZMOMQxkj85ctSJwd0o2jWImSzD60rXEP3gBWSNwqrspEKXECfO2Hor/V1B4x
tvxGTaUqM5Sx+MbxK3wRbxQ94DlGzO7601/P63HxNj3ZLJcwyzjXxHzcUddbXrBv
/4cBbLiFSt2b9g+651bbXT/1N7vy0ioY4P6IqlxbENVi01CAGMKXXjDXOKwd5rby
44e3IDpc7Zyeuyjuzw3/+KRTc1qJel+8meXpvQ4+6r4R5aEytIC2NZIH21x6BrnL
GcpmbrUmvgw0pg2FAgMBAAGjggMMMIIDCDAfBgNVHSMEGDAWgBRRaP+QrwIHdTzM
2WVkYqISuFlyOzAdBgNVHQ4EFgQU43meravjcr0dEvw0di2raJ8FAE0wNQYDVR0R
BC4wLIIVKi5pbWFwLm1haWwueWFob28uY29tghNpbWFwLm1haWwueWFob28uY29t
MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
dQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTIt
aGEtc2VydmVyLWc2LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29t
L3NoYTItaGEtc2VydmVyLWc2LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAq
MCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeB
DAECAjCBgwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5k
aWdpY2VydC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0
LmNvbS9EaWdpQ2VydFNIQTJIaWdoQXNzdXJhbmNlU2VydmVyQ0EuY3J0MAwGA1Ud
EwEB/wQCMAAwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwC72d+8H4pxtZOUI5eq
kntHOFeVCqtS6BqQlmQ2jh7RhQAAAWz9MEmXAAAEAwBIMEYCIQC5rnbFRD4/bLRc
DNpJuW/R7d+tdoADAj67eTc+vL764gIhAJwPetvPwUN9TjqCBQsFO1Z5RCTSOdhu
3KdMNzO89R64AHYAh3W/51l8+IxDmV+9827/Vo1HVjb/SrVgwbTq/16ggw8AAAFs
/TBKLQAABAMARzBFAiEAzZC0ZftrLgXK6f36htcLNPmQy0tVY4NCXZgTu6wcGtQC
ICn1Z4jKxtKHyQCZ/hsTRPL2BWh2bqD6I9ltEGDdzGO1MA0GCSqGSIb3DQEBCwUA
A4IBAQAZAkmD3dCsQruIokYaomS2IG2Md3WgJDyLoWyiwptv5Ix7XQ9FxdIRvu2+
H7zf5tKla1QZsLRGUhadleP0KCNsqG3xLR6lLsfIRYD1FKAUGF1DpSbha8IqM2A8
r3nj0Tb2cTzIF93lTawGOWMDPEXumQEwe/XsiCBLCFhOfND6qLvDPwSKDV7KGisg
DRqg6HlLdBrzFHBx9VUh9GSB+Kfm5FJlUyR3aOdgGzQgsQwnG273DBVNPXmZP2L1
GgtSke1E+Iv9UJSTf+6RVZ0KbjpMPINI/fTAuFyspRZXh7Jo8cYhWOfYd8bhfXji
VszJKFBPCtVYA2RlMPS/5jJl9Qma
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Sunnyvale, O = Oath Inc, CN = *.imap.mail.yahoo.com
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3470 bytes and written 353 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 4CA4B10E59B920287331D731700F956440546EBCED6ECDEE75104A76D90AA540
    Session-ID-ctx:
    Resumption PSK: B67BC1696B76C34FB167391D81BB816BF2E3FE90694BDED547AE1C322547F973452508277947C2E646DA1C50BB423A18
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 60 (seconds)
    TLS session ticket:
    0000 - c7 32 a7 3e d6 be d2 74-a9 03 b2 1e be 32 f6 c2   .2.>...t.....2..
    0010 - 30 28 5d c5 3a 76 9b 0e-26 58 ff 1a e7 83 cf bf   0(].:v..&X......
    Start Time: 1576857012
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 5D7B86E4B5A1C0B76404A12696A049DB8CA528338BA2AD7A70236642DF017D11
    Session-ID-ctx:
    Resumption PSK: F72E8CCD6C76E66C04BBA37E502CF589410FD43D5FAD9E435C28C8E5B3C2E7A1115B6E0B2034A6B1729686D49C63C582
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 60 (seconds)
    TLS session ticket:
    0000 - f0 3c f6 a3 6b 9b 29 7b-e7 14 80 29 3e db 72 71   .<..k.){...)>.rq
    0010 - 64 4e 5d fd 4b 9f be 4e-52 8e 8c 94 16 d8 c9 1a   dN].K..NR.......
    Start Time: 1576857012
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=XOAUTH2 AUTH=OAUTHBEARER ID MOVE NAMESPACE XYMHIGHESTMODSEQ UIDPLUS LITERAL+ CHILDREN X-MSG-EXT OBJECTID] IMAP4rev1 Hello

If I disable TLS 1.3, the problem does not occur:

$ env GODEBUG=tls13=0 go run main.go
* OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=XOAUTH2 AUTH=OAUTHBEARER ID MOVE NAMESPACE XYMHIGHESTMODSEQ UIDPLUS LITERAL+ CHILDREN X-MSG-EXT OBJECTID] IMAP4rev1 Hello
^Csignal: interrupt
$ go run main.go
* OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=XOAUTH2 AUTH=OAUTHBEARER ID MOVE NAMESPACE XYMHIGHESTMODSEQ UIDPLUS LITERAL+ CHILDREN X-MSG-EXT OBJECTID] IMAP4rev1 Hello
* OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=XOAUTH2 AUTH=OAUTHBEARER ID MOVE NAMESPACE XYMHIGHESTMODSEQ UIDPLUS LITERAL+ CHILDREN X-MSG-EXT OBJECTID] IMAP4rev1 Hello
^Csignal: interrupt

[dmitshur]

/cc @FiloSottile @katiehockman

[bigshahan]

+1 We are able to reproduce. Appears to be specific to Verizon Mail servers though, such as Yahoo.

[bigshahan]

Can confirm that it is specific to Yahoo IMAP server and other Verizon Mail servers. Cannot reproduce on other providers, such as Gmail.

[seankhliao]

given the lack of other reports, I assume this was an issue on said provider.