Open mmaehren opened 3 years ago
I had checked the RFC quotes above.
Thank you, we will try to be more specific with the RFC chapters in the future.
On Thu, Jun 03, 2021 at 11:30:38PM -0700, mmaehren wrote:
Hi, we @.*** @ic0ns @mmaehren @XoMEX @Kavakuo) are performing an analysis of the RFC-compliance of open-source TLS implementations. Below we list our findings for this implementation. We admit that some are rather nit-picky, but we added them for the sake of completeness. We tried to keep the descriptions brief and didn’t want to spam the issues section so feel free to split up the list into individual issues as you see fit. If you disagree with our interpretation of certain RFC statements, please leave feedback as we’re interested in your view.
Thanks for the detailed report!
We are aware of a few of the issues you raised, in particular a number of the issues with closing the connection without sending an alert are known. Most others seem outright bugs - at least none of them stands out as obviously incorrect reading of the RFCs after a first glance.
A detailed assessment will need a bit of time.
Since you asked: we do not support the padding extension (we also don't support the GREASE, MaximumFragmentLength, or encrypt-then-MAC extensions - this is related to the missing abort when these are sent unexpectedly).
How did you test all this? I assume that your group developed a certain test suite. Would it be possible to have access to that so we can avoid redoing the work that was already done by you (for reproducing, testing and regression testing)?
Our results apply to the default configuration of version 3.2.3. We used the example implementations for client and server.
Did you test 3.2.3 or 3.3.3? If it was 3.2.3, this would be a bit unfortunate, this is about 8 months old with only a small security fix from 6 months ago. There has been quite a bit of development since - although it's unlikely that many of these issues would be addressed.
What does "we used the example implementations for the client and server" mean?
Yes, we developed an automated tool for this which we plan to release in the coming months. By 'example implementations' we meant the s_client and s_server equivalent of libressl.
Hey, based on the feedback we received from other developers, we split up the reports to separate cases where the RFC imposes restrictions on a sender but does not require the receiver to enforce these restrictions. You find these at the bottom of the comment. We removed reports of missing alerts in TLS 1.3 as sending alerts is explicitly stated as optional in RFC 8446. We didn't edit the initial report to avoid confusion.
[S] LibreSSL can't process a SignatureAlgorithms extension if it contains more than 32 algorithms and sends a 'decode error' alert
[C+S] LibreSSL by default offers and negotiates RC4 cipher suites which are deprecated by RFC 7465
[C] LibreSSL sends both a fatal alert ('bad record mac') and a warning alert ('close notify') upon
Upon transmission or receipt of a fatal alert message, both parties MUST immediately close the connection.
[C] LibreSSL does not verify if the cipher suite selected in a HelloRetryRequest is the same as in the subsequent ServerHello
Upon receiving the ServerHello, clients MUST check that the cipher suite supplied in the ServerHello is the same as that in the HelloRetryRequest and otherwise abort the handshake with an "illegal_parameter" alert.
[C] LibreSSL does not ignore the legacy version field in a ServerHello that negotiates TLS 1.3 and aborts the handshake for invalid values like 0x0304 or 0x0505
If this extension is present, clients MUST ignore the ServerHello.legacy_version value and MUST use only the "supported_versions" extension to determine the selected version.
[S] upon receiving a ChangeCipherSpec message after a completed TLS 1.2 handshake
[C] upon receiving a ServerHello that contains an extension that was not offered by the client
If a client receives an extension type in ServerHello that it did not request in the associated ClientHello, it MUST abort the handshake with an unsupported_extension fatal alert.
[C] upon receiving an EncryptedExtensions message with a forbidden extension in it
The client MUST check EncryptedExtensions for the presence of any forbidden extensions and if any are found MUST abort the handshake with an "illegal_parameter" alert.
[C+S] upon a parsing error due to an invalid lengthfield. Our tests reduce the lengthfield by one, which results in an incomplete message with an unprocessed trailing byte. An alert was not sent for specific cases:
[C] upon receiving a finite field DH share that is out of bounds
[...] the client MUST verify that dh_Ys is in the range 1 < dh_Ys < dh_p - 1. If dh_Ys is not in this range, the client MUST terminate the connection with a fatal handshake_failure(40) alert.
[C] upon receiving a ServerKeyExchange message when no Certificate message has been received
[C+S] upon receiving a 'close notify' alert during the handshake
[S] upon receiving an SSL2 Hello message
If the client sends the extension and the extension does not contain the uncompressed point format, and the client has used the Supported Groups extension to indicate support for any of the curves defined in this specification, then the server MUST abort the handshake and return an illegal_parameter alert.
In the following cases, the receiver is not explicitly required to terminate the connection upon detecting a misbehavior of the peer.
[C] upon receiving interleaved handshake messages.
[C+S] upon receiving an emtpy ChangeCipherSpec record before the actual ChangeCipherSpec message
Implementations MUST NOT send zero-length fragments of Handshake, Alert, or ChangeCipherSpec content types.
[S] upon receiving a Padding extension that contains bytes other than 0x00
The client MUST fill the padding extension completely with zero bytes, although the padding extension_data field may be empty.
Based on the feedback we received from @tomato42, we removed the reported issue where a client sends an elliptic curve extension but does not offer an elliptic curve cipher suite as terminating the connection may cause interoperability issues.
Hi, we (@jurajsomorovsky @ic0ns @mmaehren @XoMEX @Kavakuo) are performing an analysis of the RFC-compliance of open-source TLS implementations. Below we list our findings for this implementation. We admit that some are rather nit-picky, but we added them for the sake of completeness. We tried to keep the descriptions brief and didn’t want to spam the issues section so feel free to split up the list into individual issues as you see fit. If you disagree with our interpretation of certain RFC statements, please leave feedback as we’re interested in your view.
Our results apply to the default configuration of version 3.2.3. We used the example implementations for client and server.
[S] = Applies to server [C] = Applies to client [C+S] = Applies to both
Misc
[S] LibreSSL can't process a SignatureAlgorithms extension if it contains more than 32 algorithms and sends a 'decode error' alert
[C+S] LibreSSL by default offers and negotiates RC4 cipher suites which are deprecated by RFC 7465
[C] LibreSSL sends both a fatal alert ('bad record mac') and a warning alert ('close notify') upon
[C] LibreSSL does not verify if the cipher suite selected in a HelloRetryRequest is the same as in the subsequent ServerHello
[C] LibreSSL does not ignore the legacy version field in a ServerHello that negotiates TLS 1.3 and aborts the handshake for invalid values like 0x0304 or 0x0505
Session not aborted
[S] upon receiving a ChangeCipherSpec message after a completed TLS 1.2 handshake
[C] upon receiving a ServerHello that contains an extension that was not offered by the client
[C] upon receiving an EncryptedExtensions message with a forbidden extension in it
[C] upon receiving interleaved handshake messages.
[C+S] upon receiving an emtpy ChangeCipherSpec record before the actual ChangeCipherSpec message
[S] upon receiving a ClientHello that contains elliptic curve extensions but no ECC cipher suite
[S] upon receiving a Padding extension that contains bytes other than 0x00
Only session closed but no alert sent
Different alert sent than defined by the RFC