mirleft / ocaml-tls

TLS in pure OCaml
BSD 2-Clause "Simplified" License

TLS `Illegal_parameter` on macOS #478

Closed patricoferris closed 1 year ago

patricoferris commented 1 year ago

Hello! Thank you for the great library.

On the OCaml discord someone mentioned having issues with tls-eio and making a GET request with cohttp-eio (see the #webdev channel). They linked this example: https://gist.github.com/specialblend/90c074fa7c5ebc24a29239c4ccbc983a. I tried it and also got the same error. Trying it on a Linux machine, however, did not reproduce the error. I tried the example using the Lwt stack and saw the same thing. A smaller repro is:

let main () =
  let open Lwt.Infix in
  Cohttp_lwt_unix.Client.get Uri.(of_string "https://www.example.org/") >>= fun (_, body) ->
  Cohttp_lwt.Body.to_string body >|= fun s ->
  print_endline s

let () = Lwt_main.run (main ())
Debug log output:

dune exec -- ./main.exe 
main.exe: [DEBUG] client with ciphers: AEAD AES128 GCM, AEAD AES256 GCM, AEAD CHACHA20 POLY1305, AEAD AES128 CCM, FFDHE RSA AEAD AES256 GCM, FFDHE RSA AEAD AES128 GCM, FFDHE RSA AEAD AES256 CCM, FFDHE RSA AEAD AES128 CCM, FFDHE RSA AEAD CHACHA20 POLY1305, ECDHE RSA AEAD AES128 GCM, ECDHE RSA AEAD AES256 GCM, ECDHE RSA AEAD CHACHA20 POLY1305, ECDHE ECDSA AEAD AES128 GCM, ECDHE ECDSA AEAD AES256 GCM, ECDHE ECDSA AEAD CHACHA20 POLY1305
 minimal protocol version: TLS 1.2
 maximum protocol version: TLS 1.3
 signature algorithms: ECDSA SECP256R1 SHA256, ECDSA SECP384R1 SHA384, ECDSA SECP521R1 SHA512, ED25519, RSA-PSS SHA256, RSA-PSS SHA384, RSA-PSS SHA512, RSA-PKCS1 SHA256, RSA-PKCS1 SHA384, RSA-PKCS1 SHA512, RSA-PKCS1 SHA224, ECDSA SECP256R1 SHA1, RSA-PKCS1 SHA1, RSA-PKCS1 MD5
 renegotiation enabled false
 peer name: none provided
 own certificate: NONE
 acceptable CAs: 
 alpn protocols: 
 groups: X25519, P384, P256, P521, FFDHE2048, FFDHE3072, FFDHE4096, FFDHE6144, FFDHE8192
 IP: none provided

main.exe: [DEBUG] handshake-out ClientHello
main.exe: [DEBUG] frame-out handshake (512 bytes data)
main.exe: [DEBUG] record-out handshake (512 bytes data)
main.exe: [DEBUG] wire-out
16 03 03 02 00 01 00 01  fc 03 03 3d c6 a7 bd 03
5e 00 f7 09 d7 38 66 ab  e1 80 a0 d6 d4 c2 a3 7e
31 95 92 05 09 10 a4 b5  f8 e6 35 00 00 1e 13 01
13 02 13 03 13 04 00 9f  00 9e c0 9f c0 9e cc aa
c0 2f c0 30 cc a8 c0 2b  c0 2c cc a9 01 00 01 b5
00 17 00 00 00 00 00 14  00 12 00 00 0f 77 77 77
2e 65 78 61 6d 70 6c 65  2e 6f 72 67 00 0b 00 02
01 00 00 0d 00 1e 00 1c  04 03 05 03 06 03 08 07
08 04 08 05 08 06 04 01  05 01 06 01 03 01 02 03
02 01 01 01 00 0a 00 14  00 12 00 1d 00 18 00 17
00 19 01 00 01 01 01 02  01 03 01 04 00 33 00 8b
00 89 00 1d 00 20 ce df  fa bc 08 1e 42 8d 93 fc
d7 de 1f d9 80 0e 25 b4  8d e1 95 94 e6 d5 cf 44
e4 aa 00 c8 5d 12 00 18  00 61 04 46 53 7c 4a 1a
04 69 cc 3f de 13 f5 52  9d 4a 02 41 47 f3 fd 7a
ae 10 ad 0f 2f 83 43 3f  cd 41 c3 17 13 e2 73 51
70 a2 13 5a 03 01 25 51  a6 61 d2 48 7b a1 20 8b
6f 47 98 3d 4f ec 3a e8  05 8a 13 bc d9 43 a7 e1
49 a9 54 4e e6 2a a0 67  90 60 9e 1d 1b 68 01 c6
c1 92 ca b5 14 f9 81 88  ea 17 7c 00 2b 00 05 04
03 04 03 03 ff 01 00 01  00 00 15 00 b8 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00
main.exe: [DEBUG] wire-in
16 03 03 00 38 02 00 00  34 03 03 cf 21 ad 74 e5
9a 61 11 be 1d 8c 02 1e  65 b8 91 c2 a2 11 16 7a
bb 8c 5e 07 9e 09 e2 c8  a8 33 9c 00 13 02 00 00
0c 00 2b 00 02 03 04 00  33 00 02 00 17 14 03 03
00 01 01
main.exe: [DEBUG] record-in content type: handshake version: TLS 1.2 (56 bytes data)
main.exe: [DEBUG] frame-in handshake (56 bytes data)
main.exe: [DEBUG] handshake-in HelloRetryRequest
main.exe: [DEBUG] handshake-out ClientHello
main.exe: [DEBUG] frame-out handshake (512 bytes data)
main.exe: [DEBUG] record-out handshake (512 bytes data)
main.exe: [DEBUG] record-in content type: change cipher spec version: TLS 1.2 (1 bytes data)
main.exe: [DEBUG] frame-in change cipher spec (1 bytes data)
main.exe: [DEBUG] wire-out
16 03 03 02 00 01 00 01  fc 03 03 3d c6 a7 bd 03
5e 00 f7 09 d7 38 66 ab  e1 80 a0 d6 d4 c2 a3 7e
31 95 92 05 09 10 a4 b5  f8 e6 35 00 00 1e 13 01
13 02 13 03 13 04 00 9f  00 9e c0 9f c0 9e cc aa
c0 2f c0 30 cc a8 c0 2b  c0 2c cc a9 01 00 01 b5
00 33 00 47 00 45 00 17  00 41 04 5a 20 95 5a 46
b4 4e 9c fa 2b b3 cd 5e  4d 52 d8 b0 ac 4c fe b2
ca 27 bc 7a 7a 10 c8 ff  7f 78 33 e4 f9 b6 b4 d5
bb 6b e4 f4 24 6c 1d 5b  2e b4 d5 07 27 e0 13 bc
e8 73 64 33 d6 62 ff 18  b8 76 12 00 17 00 00 00
00 00 14 00 12 00 00 0f  77 77 77 2e 65 78 61 6d
70 6c 65 2e 6f 72 67 00  0b 00 02 01 00 00 0d 00
1e 00 1c 04 03 05 03 06  03 08 07 08 04 08 05 08
06 04 01 05 01 06 01 03  01 02 03 02 01 01 01 00
0a 00 14 00 12 00 1d 00  18 00 17 00 19 01 00 01
01 01 02 01 03 01 04 00  2b 00 05 04 03 04 03 03
ff 01 00 01 00 00 15 00  fc 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00
main.exe: [DEBUG] wire-in
15 03 03 00 02 02 2f
main.exe: [DEBUG] record-in content type: alert version: TLS 1.2 (2 bytes data)
main.exe: [DEBUG] frame-in alert (2 bytes data)
main.exe: [DEBUG] alert-in ALERT fatal illegal parameter
main.exe: [DEBUG] alert-out ALERT warning close notify
main.exe: [DEBUG] frame-out alert (2 bytes data)
main.exe: [DEBUG] record-out alert (2 bytes data)
main.exe: [DEBUG] wire-out
15 03 03 00 02 01 00
main.exe: [DEBUG] ok-alert-out illegal parameter
Fatal error: exception TLS alert from peer: illegal parameter
On Linux the debug log shows more or less the same thing but it continues past this point.

Package Versions

Hopefully I'm just doing something wrong, do let me know if I can help in any way.

hannesm commented 1 year ago

Does the mirage-crypto-ec test suite run fine on your machine? Would be great if you could test the same version of mirage-crypto as you're using when compiling tls. My fear is that this is another occurrence of https://github.com/mit-plv/fiat-crypto/issues/1606#issuecomment-1560122239 -- i.e. a bad C compiler (14.0.3) on macOS that does bad optimizations on arm64.

I'm slightly confused that you mention "cohttp-lwt-eio" in your initial message, but the sample code and package versions include only cohttp-lwt-unix. But that shouldn't make any difference.

patricoferris commented 1 year ago

> Does the mirage-crypto-ec test suite run fine on your machine? Would be great if you could test the same version of mirage-crypto as you're using when compiling tls. My fear is that this is another occurrence of https://github.com/mit-plv/fiat-crypto/issues/1606#issuecomment-1560122239 -- i.e. a bad C compiler (14.0.3) on macOS that does bad optimizations on arm64.

Tried the EC tests and they fail on my machine, so I think your inclination is correct :(

> I'm slightly confused that you mention "cohttp-lwt-eio" in your initial message, but the sample code and package versions include only cohttp-lwt-unix. But that shouldn't make any difference.

It was only mentioned because the original gist used cohttp-eio but I wanted to remove Eio as a variable as it is much newer and less tested.
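To connect the debug log in the first comment with the failing mirage-crypto-ec tests: after the HelloRetryRequest the client answers with a second ClientHello whose key_share carries a single secp256r1 point, and the server's only reply is the 7-byte alert record `15 03 03 00 02 02 2f` (fatal, illegal_parameter). RFC 8446 §4.2.8.2 requires a peer to validate a received secp256r1 share by checking that it decodes to a point on the curve, and illegal_parameter is the alert used for a handshake field that is syntactically fine but semantically wrong, so a miscompiled point-multiplication that emits an off-curve public value is exactly the kind of defect that would produce this log. The script below is an added example, not code from ocaml-tls or from the issue: it parses the two records copied from the log (the ClientHello's 252-byte padding extension is reconstructed from its length field), pulls the key_share out of the ClientHello, and runs the same on-curve check a server performs. The curve constants are the public secp256r1 parameters from FIPS 186-4; Python 3.7+ is assumed for `bytes.fromhex` accepting newlines. Whether the particular share in the log passes the check is what the script reports; the issue text itself does not say.

```python
"""Decode the tail of the ocaml-tls debug log and validate the client's
P-256 key share the way a TLS 1.3 server does before answering.

Added example (not ocaml-tls code).  Hex is copied from the "wire-out" /
"wire-in" dumps in the issue; the zero padding is reconstructed from the
padding extension's length field (0x00fc = 252 bytes)."""

# secp256r1 domain parameters (FIPS 186-4 / SEC 2), a = -3.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_G = bytes.fromhex(            # uncompressed encoding of the base point
    "04"
    "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"
    "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")

# Second ClientHello from the log: 5-byte record header + 512-byte handshake.
SECOND_CLIENT_HELLO = bytes.fromhex("""
16 03 03 02 00 01 00 01 fc 03 03 3d c6 a7 bd 03 5e 00 f7 09 d7 38 66 ab e1 80 a0 d6 d4 c2 a3 7e
31 95 92 05 09 10 a4 b5 f8 e6 35 00 00 1e 13 01 13 02 13 03 13 04 00 9f 00 9e c0 9f c0 9e cc aa
c0 2f c0 30 cc a8 c0 2b c0 2c cc a9 01 00 01 b5 00 33 00 47 00 45 00 17 00 41 04 5a 20 95 5a 46
b4 4e 9c fa 2b b3 cd 5e 4d 52 d8 b0 ac 4c fe b2 ca 27 bc 7a 7a 10 c8 ff 7f 78 33 e4 f9 b6 b4 d5
bb 6b e4 f4 24 6c 1d 5b 2e b4 d5 07 27 e0 13 bc e8 73 64 33 d6 62 ff 18 b8 76 12 00 17 00 00 00
00 00 14 00 12 00 00 0f 77 77 77 2e 65 78 61 6d 70 6c 65 2e 6f 72 67 00 0b 00 02 01 00 00 0d 00
1e 00 1c 04 03 05 03 06 03 08 07 08 04 08 05 08 06 04 01 05 01 06 01 03 01 02 03 02 01 01 01 00
0a 00 14 00 12 00 1d 00 18 00 17 00 19 01 00 01 01 01 02 01 03 01 04 00 2b 00 05 04 03 04 03 03
ff 01 00 01 00 00 15 00 fc 00 00 00 00 00 00 00
""") + b"\x00" * 245                # remaining bytes of the padding extension

SERVER_ALERT = bytes.fromhex("15 03 03 00 02 02 2f")   # server -> client
CLIENT_ALERT = bytes.fromhex("15 03 03 00 02 01 00")   # client -> server

ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {0: "close_notify", 40: "handshake_failure", 47: "illegal_parameter",
              70: "protocol_version", 80: "internal_error"}


def parse_record(data):
    """Split one TLS record into (content_type, legacy_version, fragment)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    length = int.from_bytes(data[3:5], "big")
    if len(data) < 5 + length:
        raise ValueError("truncated record body")
    return data[0], (data[1], data[2]), data[5:5 + length]


def parse_alert(fragment):
    """Decode a 2-byte alert fragment into (level name, description name)."""
    return (ALERT_LEVEL.get(fragment[0], "unknown(%d)" % fragment[0]),
            ALERT_DESC.get(fragment[1], "unknown(%d)" % fragment[1]))


def client_hello_extensions(fragment):
    """Walk a ClientHello handshake message and return {ext_type: ext_data}."""
    if fragment[0] != 1:                                  # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    body = fragment[4:4 + int.from_bytes(fragment[1:4], "big")]
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                                  # legacy_compression_methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    exts = {}
    while pos < end:
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def key_shares(ext_data):
    """Decode a ClientHello key_share extension into {named_group: key_exchange}."""
    shares, pos = {}, 2
    end = 2 + int.from_bytes(ext_data[:2], "big")
    while pos < end:
        group = int.from_bytes(ext_data[pos:pos + 2], "big")
        klen = int.from_bytes(ext_data[pos + 2:pos + 4], "big")
        shares[group] = ext_data[pos + 4:pos + 4 + klen]
        pos += 4 + klen
    return shares


def p256_point_valid(key_exchange):
    """RFC 8446 §4.2.8.2 check for an uncompressed secp256r1 share: 0x04 prefix,
    65-byte length, coordinates below p, and y^2 == x^3 - 3x + b (mod p)."""
    if len(key_exchange) != 65 or key_exchange[0] != 0x04:
        return False
    x = int.from_bytes(key_exchange[1:33], "big")
    y = int.from_bytes(key_exchange[33:], "big")
    if x >= P256_P or y >= P256_P:
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def check_log_exchange():
    """Return (share_on_curve, alert_level, alert_desc) for the records above."""
    _, _, hello = parse_record(SECOND_CLIENT_HELLO)
    shares = key_shares(client_hello_extensions(hello)[0x0033])   # key_share
    valid = p256_point_valid(shares[0x0017])                       # secp256r1
    _, _, alert = parse_record(SERVER_ALERT)
    return (valid,) + parse_alert(alert)


if __name__ == "__main__":
    on_curve, level, desc = check_log_exchange()
    print("client P-256 key share is on the curve:", on_curve)
    print("server answered:", level, desc)
```

Running the same `p256_point_valid` over the public keys that the mirage-crypto-ec test vectors produce is a quick way to tell a miscompiled field arithmetic from a protocol-level disagreement: a correctly compiled implementation never emits an off-curve point, whatever the peer does.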

hannesm commented 1 year ago

please try mirage-crypto-ec at 0.11.2, as PRed to opam-repository https://github.com/ocaml/opam-repository/pull/24461