h2o / picotls

TLS 1.3 implementation in C (master supports RFC8446 as well as draft-26, -27, -28)

Illegal parameter alert on second ClientHello #19

Closed ctz closed 7 years ago

ctz commented 7 years ago

Hi,

I'm testing rustls against picotls. In this case, picotls is the server, rustls is the client. picotls sends a fatal illegal_parameter alert when processing the second ClientHello. This originates from client_hello_decode_server_name: https://github.com/h2o/picotls/blob/master/lib/picotls.c#L1349

Here's a log from the client end:

$ ./target/debug/examples/tlsclient --cache sess.cache --http --verbose --cafile ~/rustls/test-ca/rsa/end.fullchain -p 8443 localhost
INFO:rustls::verify: add_pem_file processed 3 valid and 0 invalid certs
INFO:rustls::client_hs: No cached session for "localhost"
INFO:rustls::client_hs: Not resuming any session
DEBUG:rustls::client_hs: Sending ClientHello Message {
    typ: Handshake,
    version: TLSv1_2,
    payload: Handshake(
        HandshakeMessagePayload {
            typ: ClientHello,
            payload: ClientHello(
                ClientHelloPayload {
                    client_version: TLSv1_2,
                    random: Random {
                        gmt_unix_time: 713557833,
                        opaque: [
                            68,
                            195,
                            210,
                            0,
                            201,
                            146,
                            127,
                            115,
                            234,
                            229,
                            24,
                            177,
                            90,
                            20,
                            172,
                            219,
                            227,
                            185,
                            22,
                            174,
                            172,
                            139,
                            187,
                            158,
                            230,
                            242,
                            251,
                            91
                        ]
                    },
                    session_id: SessionID,
                    cipher_suites: [
                        TLS13_CHACHA20_POLY1305_SHA256,
                        TLS13_AES_256_GCM_SHA384,
                        TLS13_AES_128_GCM_SHA256,
                        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
                        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_EMPTY_RENEGOTIATION_INFO_SCSV
                    ],
                    compression_methods: [
                        Null
                    ],
                    extensions: [
                        SupportedVersions(
                            [
                                Unknown(
                                    32530
                                ),
                                TLSv1_2
                            ]
                        ),
                        ServerName(
                            [
                                ServerName {
                                    typ: HostName,
                                    payload: HostName(
                                        "localhost"
                                    )
                                }
                            ]
                        ),
                        ECPointFormats(
                            [
                                Uncompressed
                            ]
                        ),
                        NamedGroups(
                            [
                                X25519,
                                secp384r1,
                                secp256r1
                            ]
                        ),
                        SignatureAlgorithms(
                            [
                                ED25519,
                                ECDSA_NISTP384_SHA384,
                                ECDSA_NISTP256_SHA256,
                                RSA_PSS_SHA512,
                                RSA_PSS_SHA384,
                                RSA_PSS_SHA256,
                                RSA_PKCS1_SHA512,
                                RSA_PKCS1_SHA384,
                                RSA_PKCS1_SHA256,
                                RSA_PKCS1_SHA1
                            ]
                        ),
                        KeyShare(
                            []
                        ),
                        PresharedKeyModes(
                            [
                                DHE_KE,
                                KE
                            ]
                        )
                    ]
                }
            )
        }
    )
}
DEBUG:rustls::client_hs: Got HRR Some(HelloRetryRequest { server_version: Unknown(32530), extensions: [KeyShare(secp256r1)] })
INFO:rustls::client_hs: No cached session for "localhost"
INFO:rustls::client_hs: Not resuming any session
DEBUG:rustls::client_hs: Sending ClientHello Message {
    typ: Handshake,
    version: TLSv1_2,
    payload: Handshake(
        HandshakeMessagePayload {
            typ: ClientHello,
            payload: ClientHello(
                ClientHelloPayload {
                    client_version: TLSv1_2,
                    random: Random {
                        gmt_unix_time: 713557833,
                        opaque: [
                            68,
                            195,
                            210,
                            0,
                            201,
                            146,
                            127,
                            115,
                            234,
                            229,
                            24,
                            177,
                            90,
                            20,
                            172,
                            219,
                            227,
                            185,
                            22,
                            174,
                            172,
                            139,
                            187,
                            158,
                            230,
                            242,
                            251,
                            91
                        ]
                    },
                    session_id: SessionID,
                    cipher_suites: [
                        TLS13_CHACHA20_POLY1305_SHA256,
                        TLS13_AES_256_GCM_SHA384,
                        TLS13_AES_128_GCM_SHA256,
                        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
                        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_EMPTY_RENEGOTIATION_INFO_SCSV
                    ],
                    compression_methods: [
                        Null
                    ],
                    extensions: [
                        SupportedVersions(
                            [
                                Unknown(
                                    32530
                                ),
                                TLSv1_2
                            ]
                        ),
                        ServerName(
                            [
                                ServerName {
                                    typ: HostName,
                                    payload: HostName(
                                        "localhost"
                                    )
                                }
                            ]
                        ),
                        ECPointFormats(
                            [
                                Uncompressed
                            ]
                        ),
                        NamedGroups(
                            [
                                X25519,
                                secp384r1,
                                secp256r1
                            ]
                        ),
                        SignatureAlgorithms(
                            [
                                ED25519,
                                ECDSA_NISTP384_SHA384,
                                ECDSA_NISTP256_SHA256,
                                RSA_PSS_SHA512,
                                RSA_PSS_SHA384,
                                RSA_PSS_SHA256,
                                RSA_PKCS1_SHA512,
                                RSA_PKCS1_SHA384,
                                RSA_PKCS1_SHA256,
                                RSA_PKCS1_SHA1
                            ]
                        ),
                        KeyShare(
                            [
                                KeyShareEntry {
                                    group: secp256r1,
                                    payload: PayloadU16(
                                        [
                                            4,
                                            255,
                                            99,
                                            234,
                                            203,
                                            62,
                                            1,
                                            73,
                                            54,
                                            120,
                                            198,
                                            150,
                                            89,
                                            21,
                                            125,
                                            93,
                                            139,
                                            195,
                                            90,
                                            43,
                                            201,
                                            105,
                                            70,
                                            166,
                                            176,
                                            170,
                                            109,
                                            239,
                                            44,
                                            63,
                                            51,
                                            240,
                                            2,
                                            168,
                                            188,
                                            72,
                                            61,
                                            154,
                                            205,
                                            80,
                                            180,
                                            156,
                                            127,
                                            124,
                                            245,
                                            81,
                                            192,
                                            6,
                                            38,
                                            86,
                                            233,
                                            203,
                                            174,
                                            212,
                                            230,
                                            84,
                                            180,
                                            32,
                                            192,
                                            255,
                                            191,
                                            8,
                                            86
                                        ]
                                    )
                                }
                            ]
                        ),
                        PresharedKeyModes(
                            [
                                DHE_KE,
                                KE
                            ]
                        )
                    ]
                }
            )
        }
    )
}
ERROR:rustls::session: TLS alert received: Message {
    typ: Alert,
    version: TLSv1_0,
    payload: Alert(
        AlertMessagePayload {
            level: Fatal,
            description: IllegalParameter
        }
    )
}
TLS error: AlertReceived(IllegalParameter)
Connection closed

Thanks!

kazuho commented 7 years ago

Thank you for reporting the issue.

The server fails to handle HelloRetryRequest with an SNI correctly. Sending a hello without SNI (i.e. specifying the server address using an IP address) could be a workaround until we fix the issue.
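The log above shows the exchange a server has to survive: a first ClientHello with an empty key_share, a HelloRetryRequest selecting secp256r1, then a second ClientHello that repeats the same server_name extension ("localhost") with the key share filled in. The block below is an added example, not code from picotls or rustls: a strict decoder for the server_name extension body (RFC 6066 section 3) that returns an illegal_parameter-style error on malformed input, plus a server-side check that the SNI in the post-HRR ClientHello is unchanged from the first one, which RFC 8446 section 4.1.2 requires of the client. The function names sni_decode, sni_encode and sni_hrr_consistent and the sample host names are this example's own.

```c
/* Added example: strict server_name (SNI) decoding and post-HRR consistency check.
 * Not picotls code; illustrates the checks a TLS 1.3 server needs on both ClientHellos. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SNI_MAX_HOST 255
enum { SNI_OK = 0, SNI_ILLEGAL_PARAMETER = -1 };

typedef struct {
    char host[SNI_MAX_HOST + 1]; /* NUL-terminated host_name */
    size_t host_len;
} sni_t;

/* Big-endian uint16 at p; caller guarantees two bytes are readable. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode the extension body (bytes after the extension_type/length header).
 * Layout per RFC 6066: uint16 list_len, then { uint8 name_type; uint16 name_len; name }*. */
int sni_decode(const uint8_t *ext, size_t ext_len, sni_t *out)
{
    size_t pos, list_end;
    int seen_host_name = 0;

    memset(out, 0, sizeof(*out));
    if (ext_len < 2)
        return SNI_ILLEGAL_PARAMETER;
    list_end = 2 + rd16(ext);
    /* The list must cover exactly the rest of the extension and must not be empty. */
    if (list_end != ext_len || list_end == 2)
        return SNI_ILLEGAL_PARAMETER;
    for (pos = 2; pos < list_end;) {
        uint8_t name_type;
        size_t name_len;
        if (list_end - pos < 3)
            return SNI_ILLEGAL_PARAMETER;
        name_type = ext[pos];
        name_len = rd16(ext + pos + 1);
        pos += 3;
        if (name_len == 0 || name_len > list_end - pos)
            return SNI_ILLEGAL_PARAMETER;
        if (name_type == 0) { /* host_name */
            /* RFC 6066: at most one entry per name_type. */
            if (seen_host_name || name_len > SNI_MAX_HOST)
                return SNI_ILLEGAL_PARAMETER;
            for (size_t i = 0; i < name_len; i++) {
                uint8_t c = ext[pos + i];
                /* host_name is ASCII; reject NUL, whitespace and non-printable bytes. */
                if (c < 0x21 || c > 0x7e)
                    return SNI_ILLEGAL_PARAMETER;
            }
            memcpy(out->host, ext + pos, name_len);
            out->host[name_len] = '\0';
            out->host_len = name_len;
            seen_host_name = 1;
        }
        /* Unknown name_types are skipped rather than rejected. */
        pos += name_len;
    }
    return SNI_OK;
}

/* Encode one host_name as an extension body. Returns bytes written, 0 on error. */
size_t sni_encode(const char *host, uint8_t *buf, size_t buf_len)
{
    size_t n = strlen(host);
    if (n == 0 || n > SNI_MAX_HOST || buf_len < 5 + n)
        return 0;
    buf[0] = (uint8_t)((n + 3) >> 8);
    buf[1] = (uint8_t)(n + 3);
    buf[2] = 0; /* name_type host_name */
    buf[3] = (uint8_t)(n >> 8);
    buf[4] = (uint8_t)n;
    memcpy(buf + 5, host, n);
    return 5 + n;
}

/* Server-side HRR check: the second ClientHello must carry the same SNI as the
 * first (RFC 8446 4.1.2 lists the only extensions a client may change after HRR,
 * and server_name is not among them). Returns 1 if consistent, 0 otherwise. */
int sni_hrr_consistent(const uint8_t *ch1, size_t ch1_len,
                       const uint8_t *ch2, size_t ch2_len)
{
    sni_t a, b;
    if (sni_decode(ch1, ch1_len, &a) != SNI_OK || sni_decode(ch2, ch2_len, &b) != SNI_OK)
        return 0;
    return a.host_len == b.host_len && memcmp(a.host, b.host, a.host_len) == 0;
}

int main(void)
{
    /* Constructed sample: the SNI both ClientHellos in the log above carry. */
    uint8_t ch1[64], ch2[64];
    size_t l1 = sni_encode("localhost", ch1, sizeof ch1);
    size_t l2 = sni_encode("localhost", ch2, sizeof ch2);
    printf("second ClientHello SNI consistent with first: %s\n",
           sni_hrr_consistent(ch1, l1, ch2, l2) ? "yes" : "no");
    return 0;
}
```

A server that stores the decoded host name from the first ClientHello and then re-runs the same decoder on the second one should reach the same result both times; any divergence between the two decodes (or a failure on the second that did not occur on the first) is a server-side bug rather than a client error, and is worth a unit test of exactly this shape before emitting illegal_parameter.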

kazuho commented 7 years ago

fixed in 3ec8dec