Help for getting the session ticket

ayushbindlish commented 3 years ago

How to save the session ticket and renegotiate the connection with that saved session ticket after executing WorkflowTraceType.FULL_RESUMPTION

mmaehren commented 3 years ago

Hi, the received session ticket can be accessed using the getSessionTicketTLS() method of the TlsContext assigned to your State. In order to use this value in a separate handshake, you must set the tlsSessionTicket field in the Config you're using along with the cryptographic parameters such as the mastersecret and the KeySet of the first session. Depending on the WorkflowTraceType of your new handshake, you also have to manually set addSessionTicketTLSExtension in the Config.

mmaehren commented 3 years ago

I just took a look at the classes of the current public master branch. The FULL_RESUMPTION workflow trace won't be able to automatically perform a resumption due to a bug in the code. You have to replace message.setTicket(chooser.getConfig().getTlsSessionTicket()); by message.setTicket(chooser.getSessionTicketTLS()); in class SessionTicketTLSExtensionPreparator and replace the code of the adjustContext method in the NewSessionTicketHandler class with

if (tlsContext.getChooser().getSelectedProtocolVersion().isTLS13()) {
            adjustPskSets(message);
} else {
            tlsContext.setSessionTicketTLS(message.getTicket().getIdentity().getValue());
}

KazaSrikanth commented 3 years ago

I have modified the code as above, Tried the FULL_RESUMPTION. Saved sessionTicketTLS & MasterSecret from the initial handshake.

Configured the sessionTicketTLS, MasterSecret, Same Cipher in FULL_RESUMPTION.

Observed below error, Could you please help in this regard.

java.lang.NullPointerException at de.rub.nds.tlsattacker.core.config.Config.getTlsSessionTicket(Config.java:2584) at de.rub.nds.tlsattacker.core.protocol.preparator.extension.SessionTicketTLSExtensionPreparator.prepareExtensionContent(SessionTicketTLSExtensionPreparator.java:37) at de.rub.nds.tlsattacker.core.protocol.preparator.extension.ExtensionPreparator.prepare(ExtensionPreparator.java:41) at de.rub.nds.tlsattacker.core.protocol.preparator.HandshakeMessagePreparator.prepareExtensions(HandshakeMessagePreparator.java:82) at de.rub.nds.tlsattacker.core.protocol.preparator.ClientHelloPreparator.prepareHandshakeMessageContents(ClientHelloPreparator.java:61) at de.rub.nds.tlsattacker.core.protocol.preparator.HandshakeMessagePreparator.prepareProtocolMessageContents(HandshakeMessagePreparator.java:64) at de.rub.nds.tlsattacker.core.protocol.preparator.ProtocolMessagePreparator.prepare(ProtocolMessagePreparator.java:30) at de.rub.nds.tlsattacker.core.protocol.handler.ProtocolMessageHandler.prepareMessage(ProtocolMessageHandler.java:74) at de.rub.nds.tlsattacker.core.workflow.action.executor.SendMessageHelper.handleProtocolMessage(SendMessageHelper.java:194) at de.rub.nds.tlsattacker.core.workflow.action.executor.SendMessageHelper.sendMessages(SendMessageHelper.java:66) at de.rub.nds.tlsattacker.core.workflow.action.executor.SendMessageHelper.sendMessages(SendMessageHelper.java:36) at de.rub.nds.tlsattacker.core.workflow.action.SendAction.execute(SendAction.java:77) at de.rub.nds.tlsattacker.core.workflow.DefaultWorkflowExecutor.executeWorkflow(DefaultWorkflowExecutor.java:76)

mmaehren commented 3 years ago

Did you obtain a SessionTicket from the server after executing the FULL_RESUMPTION WorkflowTrace? While the line number given in the stack trace doesn't match, the NullPointerException must be caused by Arrays.copyOf(tlsSessionTicket, tlsSessionTicket.length); This indicates that you took a null value and used it as the tlsSessionTicket.

KazaSrikanth commented 3 years ago

Yes, SessionTicket is null.

I am unable to get SessionTicket with WorkflowTraceType.FULL in the first handshake. Able to get all the handshake messages properly.

Could you please help me to get the SessionTicket ?

mmaehren commented 3 years ago

Did you send a SesstionTicketExtension? Using the default config, TLS-Attacker won't add the extension to the initial ClientHello.

KazaSrikanth commented 3 years ago

Thanks Maehren. Able to do resumption, Server accepted resumption, but TLS-Attacker is unable to send correct encrypted finished message under resumption.

openssl is giving decryption failed or bad record mac error. Do I need to set any thing else in config ?

Complete openssl s_server log: <<< ??? [length 0005] 16 03 03 03 3c <<< TLS 1.3, Handshake [length 033c], ClientHello 01 00 03 38 03 03 1b a2 04 69 60 b4 20 bb 38 51 d9 d4 7a cb 93 3d be 70 39 9b f6 c9 2d a3 3a f0 1d 4f b7 70 e9 8c 00 02 8e 00 0a 00 2f 00 01 00 02 00 3c 00 3d 00 35 00 41 00 84 00 07 00 09 00 96 00 04 00 05 c0 9c c0 9d 00 9c 00 9d 00 0d 00 10 00 13 00 16 00 17 00 19 00 18 00 1a 00 1b 00 30 00 31 00 32 00 33 00 34 00 36 00 37 00 38 00 39 00 3a c0 03 c0 04 c0 05 c0 08 c0 09 c0 0a c0 0d c0 0e c0 0f c0 12 c0 13 c0 14 c0 27 c0 24 c0 28 00 a1 00 a0 00 a5 00 a6 00 a7 00 9e 00 9f 00 67 00 6b 00 6c 00 6d 00 15 c0 9e c0 9f 00 9a 00 45 00 88 00 a2 00 a3 00 66 c0 31 c0 32 c0 11 c0 2f c0 30 c0 2d c0 2e c0 2b c0 2c c0 ac c0 ad 13 01 13 02 13 03 13 04 13 05 00 8c c0 aa c0 ab c0 ab 00 8b 00 ae c0 a4 c0 a8 00 a8 00 8d 00 af c0 a5 c0 a9 00 a9 00 8a 00 8f 00 90 c0 a6 00 aa 00 91 00 b3 c0 a7 00 ab 00 8e c0 34 c0 35 c0 23 c0 36 c0 38 c0 33 00 0f 00 3f 00 43 00 48 00 49 00 4a 00 68 00 69 00 86 00 92 00 93 00 94 00 95 00 98 00 ac 00 ad 00 b2 00 b6 00 b7 00 ba 00 bc 00 be 00 c0 00 c2 00 c4 c0 02 c0 07 c0 0c c0 15 c0 1d c0 20 c0 25 c0 26 c0 29 c0 2a c0 37 c0 3c c0 3d c0 48 c0 49 c0 4a c0 4b c0 4c c0 4d c0 4e c0 4f c0 50 c0 51 c0 52 c0 53 c0 54 c0 55 c0 5c c0 5d c0 5e c0 5f c0 60 c0 61 c0 62 c0 63 c0 64 c0 65 c0 66 c0 67 c0 68 c0 69 c0 6a c0 6b c0 6c c0 6d c0 6e c0 6f c0 70 c0 71 c0 72 c0 73 c0 74 c0 75 c0 76 c0 77 c0 78 c0 79 c0 7a c0 7b c0 7c c0 7d c0 7e c0 7f c0 86 c0 87 c0 88 c0 89 c0 8a c0 8b c0 8c c0 8d c0 8e c0 8f c0 90 c0 91 c0 92 c0 93 c0 94 c0 95 c0 96 c0 97 c0 98 c0 99 c0 9a c0 9b 00 2c 00 2d 00 2e 00 3b 00 47 00 b0 00 b1 00 b4 00 b5 00 b8 00 b9 c0 01 c0 06 c0 0b c0 10 c0 39 c0 3a c0 3b 00 0c 00 12 00 3e 00 40 00 42 00 44 00 46 00 57 00 58 00 59 00 5a 00 6a 00 85 00 87 00 89 00 97 00 99 00 9b 00 a4 00 bb 00 bd 00 bf 00 c1 00 c3 00 c5 c0 16 c0 17 c0 18 c0 19 c0 3e c0 3f c0 40 c0 41 c0 42 c0 43 c0 44 c0 45 c0 46 c0 47 c0 56 c0 57 c0 58 c0 59 c0 5a c0 5b c0 80 c0 81 c0 82 c0 83 c0 84 c0 85 00 81 00 83 ff 85 ff 87 cc aa cc a9 cc a8 c0 b0 c0 b1 c0 b2 c0 b3 c0 a0 c0 a1 c0 a2 c0 a3 c0 ae c0 af cc ab cc ac cc ad cc ae cc 12 cc 13 cc 14 cc 15 cc 16 cc 17 cc 18 cc 19 00 00 01 00 00 81 00 0b 00 02 01 00 00 0a 00 3e 00 3c 00 0f 00 10 00 11 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 19 00 01 00 02 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0a 00 0b 00 0c 00 0d 00 0e 00 1d 00 1e 00 1a 00 1b 00 1c 00 0d 00 2c 00 2a 01 02 02 02 03 02 04 02 05 02 06 02 01 01 02 01 03 01 04 01 05 01 06 01 01 03 02 03 03 03 04 03 05 03 06 03 ed ed ee ee ef ef 00 23 00 00 ff 01 00 01 00

??? [length 0005] 16 03 03 00 35 TLS 1.2, Handshake [length 0035], ServerHello 02 00 00 31 03 03 a5 3a 6d 9f 14 42 5b 5f 62 a0 20 60 1a c6 5a b1 1f 50 65 be 04 e4 54 33 44 4f 57 4e 47 52 44 01 00 00 2f 00 00 09 ff 01 00 01 00 00 23 00 00 ??? [length 0005] 16 03 03 03 ff TLS 1.2, Handshake [length 03ff], Certificate 0b 00 03 fb 00 03 f8 00 03 f5 30 82 03 f1 30 82 02 d9 a0 03 02 01 02 02 14 21 79 56 ec 21 e9 41 c9 0f 0a 9a 8c 0d 09 92 a0 35 79 2b 37 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 87 31 0b 30 09 06 03 55 04 06 13 02 49 4e 31 0b 30 09 06 03 55 04 08 0c 02 54 53 31 0c 30 0a 06 03 55 04 07 0c 03 48 59 44 31 12 30 10 06 03 55 04 0a 0c 09 50 61 72 69 6d 69 74 68 61 31 0c 30 0a 06 03 55 04 0b 0c 03 45 6e 67 31 15 30 13 06 03 55 04 03 0c 0c 70 61 72 69 6d 69 74 68 61 2e 69 6f 31 24 30 22 06 09 2a 86 48 86 f7 0d 01 09 01 16 15 63 6f 6e 74 61 63 74 40 70 61 72 69 6d 69 74 68 61 2e 63 6f 6d 30 1e 17 0d 32 30 31 32 30 39 30 39 31 33 33 38 5a 17 0d 32 31 31 32 30 39 30 39 31 33 33 38 5a 30 81 87 31 0b 30 09 06 03 55 04 06 13 02 49 4e 31 0b 30 09 06 03 55 04 08 0c 02 54 53 31 0c 30 0a 06 03 55 04 07 0c 03 48 59 44 31 12 30 10 06 03 55 04 0a 0c 09 50 61 72 69 6d 69 74 68 61 31 0c 30 0a 06 03 55 04 0b 0c 03 45 6e 67 31 15 30 13 06 03 55 04 03 0c 0c 70 61 72 69 6d 69 74 68 61 2e 69 6f 31 24 30 22 06 09 2a 86 48 86 f7 0d 01 09 01 16 15 63 6f 6e 74 61 63 74 40 70 61 72 69 6d 69 74 68 61 2e 63 6f 6d 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9f 4f d2 0a c8 ad e3 06 50 19 12 ae ac ad 02 d2 1d fe 63 ff 2e 25 1e 81 6b 63 9c 33 84 9b 9d e3 2f 65 22 1d d5 af 89 bc 55 a1 ed b0 13 2f ff c1 0f eb 9a f8 b2 96 de 0a de 0b b7 84 80 7d ca bb 89 54 61 ee e6 a3 3b 75 1a d5 aa a5 0b f9 2b 84 ff b5 a9 b6 be a1 5d b0 c1 64 b6 89 ef d8 7c 3c 02 78 e8 68 bb 4a a2 bc ba 75 68 8e e4 37 af 66 9a df 7d de 97 50 12 77 63 26 7a 99 97 9c 44 e4 2e b4 83 5c 98 6b e6 ce 65 ee cb 1b ab 94 f7 2c af f2 5d 15 c7 b8 fa f3 d9 5f 03 1c a1 83 f7 ed 77 c2 32 46 87 f9 3d e6 55 71 e2 3c 1c 11 d8 2a 49 79 e3 d7 44 87 92 0b 8a c7 79 bf 78 20 1e bb fd cc a6 66 c8 ca f4 90 03 62 6e 77 f5 64 c0 68 a3 6b 94 7d 80 89 18 27 4c 90 4c de 76 3d 02 ca f3 db d4 16 78 ff 92 72 fe ef 44 9a 1d 64 3a d6 25 ce e5 ff a8 46 f9 59 67 e4 f1 29 2a 7a 0f 63 02 03 01 00 01 a3 53 30 51 30 1d 06 03 55 1d 0e 04 16 04 14 9d 67 f5 60 7a be d3 70 28 66 7a 95 9a 19 d4 af 20 0e 20 15 30 1f 06 03 55 1d 23 04 18 30 16 80 14 9d 67 f5 60 7a be d3 70 28 66 7a 95 9a 19 d4 af 20 0e 20 15 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 5a a3 c2 a8 b6 89 0b af b9 9a d0 75 5c 7f ab 5c 3a 14 06 8e 06 a8 fb 35 81 cf a1 c0 d9 3f ce ff 64 d0 34 dc 32 24 41 99 d6 1c c9 8b 0f c4 0a 0d fa 08 0c 06 46 6f 9e 3d 58 93 64 12 56 3e 6e 22 c4 76 46 c9 23 d1 27 8d 1b e6 76 e1 5a a0 14 9d c3 5d f6 5d 52 6d d2 ac 8f ee 4f 7c 52 9a 07 a9 46 71 ee 8b 52 1e aa ae fb 14 9f 5f 73 44 da 8c e7 ef f9 29 3b b9 12 de c9 0f 49 95 bd 96 10 b2 fe bf 97 51 02 7d 44 4f 49 3e ce f6 b0 6d ed e6 80 ff fe ad 1b 60 91 e7 22 1e 29 e9 80 4e 34 ad be 4b 37 2b b6 72 2d 89 7a b5 eb 59 74 48 d7 44 7b 2c c4 df 96 b5 bd 65 2d af 83 85 7d e0 13 f8 b4 65 55 ce a6 65 dc ca 80 e1 df 1a c3 f4 04 74 f7 17 24 a4 b2 c7 d2 ad b3 e5 4a 3b e7 f9 2b a2 66 50 84 8a 78 86 11 0c fc 8d a0 8d f2 4e bb ee 53 20 73 12 d4 de a6 d4 5f ca 7d 20 25 c4 cf 54 ??? [length 0005] 16 03 03 00 04 TLS 1.2, Handshake [length 0004], ServerHelloDone 0e 00 00 00 <<< ??? [length 0005] 16 03 03 01 06 <<< TLS 1.2, Handshake [length 0106], ClientKeyExchange 10 00 01 02 01 00 44 a8 32 f3 7a 26 d2 fc 05 3a 65 f0 57 9f 9b 9f 24 75 7d b1 20 6b 1a 71 00 06 84 bf cb 38 d5 33 39 f9 55 38 90 26 2b 7e a8 bf 74 09 81 59 9e d8 5e c1 3c 7a 50 82 15 32 db 7a bf b8 0a 7d d1 14 1a 13 a6 fe 84 8e 83 95 39 6c f7 6c 8d 11 69 be 5e 02 ff 5a c4 20 86 85 04 90 45 f6 2d 2b e7 89 e1 ca 91 16 ae 3b c6 05 7b 5a d7 4a 1b 7b 4a 8f 73 d4 ff 60 98 e2 be 8c bf cf 26 e5 dc 1c 26 5f 0f 78 39 cd 09 56 8e 32 c9 2d 74 5d 26 c8 f7 d8 bc ea 56 67 ee 0b 9a a0 76 95 eb 97 e7 2b 3a 48 49 16 3a 71 c4 d2 f2 a4 a7 3f 03 16 70 b4 ce e4 d0 e0 6c 36 69 0a fd a9 24 28 1b 6a 30 11 6d b1 a1 77 24 3a 39 0e 7a c7 ef dd 80 fe 28 8b b8 c1 a2 86 7a 09 91 4e ce 3c 29 31 6f 44 88 3c 88 af 37 12 0f e5 47 7a 31 9e 34 47 39 4e 3c 28 29 2e f3 4d 92 39 c6 60 40 c8 83 19 b7 9d 20 11 ac 65 <<< ??? [length 0005] 14 03 03 00 01 <<< ??? [length 0005] 16 03 03 00 40 <<< TLS 1.2, Handshake [length 0010], Finished 14 00 00 0c 73 b9 dd e6 fc 5e cc eb 5d 97 b7 60 ??? [length 0005] 16 03 03 00 aa TLS 1.2, Handshake [length 00aa], NewSessionTicket 04 00 00 a6 00 00 1c 20 00 a0 27 40 ca 99 b7 85 b0 ac 1c c3 a2 07 2e a9 19 c6 97 1c 77 8d 2e 7f 6c 82 92 08 7c 4c fe 4b ce c1 4b 19 42 ef 29 ae 92 b5 59 49 d0 6a 13 19 04 f2 6f 8a e4 70 94 27 a7 8a 74 49 57 ef d6 ce 63 2b 7b 5b 65 bf 81 44 66 99 45 eb 86 97 68 81 66 6d c7 b0 49 c5 80 eb ad 7d 35 df f7 10 38 89 fb ef ac 6f 3b 0f 25 91 21 f2 65 1e 88 c2 6f 3c bb d3 a4 be 57 c8 ef 27 76 0c e0 bb a2 79 f1 5b 48 b9 a1 95 97 2e 57 5c 54 20 64 13 de 79 8f a1 90 d7 29 7e 0f 06 6c aa f3 7c 94 23 ad d5 88 e4 47 24 ??? [length 0005] 14 03 03 00 01 TLS 1.2, ChangeCipherSpec [length 0001] 01 ??? [length 0005] 16 03 03 00 40 TLS 1.2, Handshake [length 0010], Finished 14 00 00 0c 95 3f a1 1e 8a 50 c5 fc 5f 22 23 cf -----BEGIN SSL SESSION PARAMETERS----- MFUCAQECAgMDBAIALwQABDAqd95evS5frub1/zvlNTXoUeoDdm3a20n6g0gKDuHk hWews8KhiA29B8iQr3XVKCShBgIEYEicKqIEAgIcIKQGBAQBAAAA -----END SSL SESSION PARAMETERS----- Shared ciphers:AES128-SHA:AES128-SHA256:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:PSK-AES128-CBC-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-GCM-SHA256:PSK-AES256-CBC-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-GCM-SHA384:DHE-PSK-AES128-CBC-SHA:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-GCM-SHA384:ECDHE-PSK-AES128-CBC-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA:ECDHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES128-CBC-SHA:RSA-PSK-AES256-CBC-SHA:RSA-PSK-AES128-GCM-SHA256 Signature Algorithms: 0x02+0x01:DSA+SHA1:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:0x01+0x01:RSA+SHA1:RSA+SHA224:RSA+SHA256:RSA+SHA384:RSA+SHA512:0x03+0x01:ECDSA+SHA1:ECDSA+SHA224:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:gost2001+md_gost94:gost2012_256+md_gost12_256:gost2012_512+md_gost12_512 Shared Signature Algorithms: DSA+SHA1:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:RSA+SHA1:RSA+SHA224:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA1:ECDSA+SHA224:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512 Supported Elliptic Curve Point Formats: uncompressed Supported Elliptic Groups: secp160k1:secp160r1:secp160r2:secp192k1:P-192:secp224k1:P-224:secp256k1:P-256:P-384:P-521:K-163:sect163r1:B-163:sect193r1:sect193r2:K-233:B-233:sect239k1:K-283:B-283:K-409:B-409:K-571:B-571:X25519:X448:brainpoolP256r1:brainpoolP384r1:brainpoolP512r1 Shared Elliptic groups: P-256:P-384:P-521:X25519:X448 CIPHER is AES128-SHA Secure Renegotiation IS supported <<< ??? [length 0005] 17 03 03 00 30 Test<<< ??? [length 0005] 15 03 03 00 30 <<< TLS 1.2, Alert [length 0002], warning close_notify 01 00 DONE shutting down SSL CONNECTION CLOSED <<< ??? [length 0005] 16 03 03 03 dc <<< TLS 1.3, Handshake [length 03dc], ClientHello 01 00 03 d8 03 03 1b a2 0a 79 60 b4 20 bb 38 51 d9 d4 7a cb 93 3d be 70 39 9b f6 c9 2d a3 3a f0 1d 4f b7 70 e9 8c 00 02 8e 00 0a 00 2f 00 01 00 02 00 3c 00 3d 00 35 00 41 00 84 00 07 00 09 00 96 00 04 00 05 c0 9c c0 9d 00 9c 00 9d 00 0d 00 10 00 13 00 16 00 17 00 19 00 18 00 1a 00 1b 00 30 00 31 00 32 00 33 00 34 00 36 00 37 00 38 00 39 00 3a c0 03 c0 04 c0 05 c0 08 c0 09 c0 0a c0 0d c0 0e c0 0f c0 12 c0 13 c0 14 c0 27 c0 24 c0 28 00 a1 00 a0 00 a5 00 a6 00 a7 00 9e 00 9f 00 67 00 6b 00 6c 00 6d 00 15 c0 9e c0 9f 00 9a 00 45 00 88 00 a2 00 a3 00 66 c0 31 c0 32 c0 11 c0 2f c0 30 c0 2d c0 2e c0 2b c0 2c c0 ac c0 ad 13 01 13 02 13 03 13 04 13 05 00 8c c0 aa c0 ab c0 ab 00 8b 00 ae c0 a4 c0 a8 00 a8 00 8d 00 af c0 a5 c0 a9 00 a9 00 8a 00 8f 00 90 c0 a6 00 aa 00 91 00 b3 c0 a7 00 ab 00 8e c0 34 c0 35 c0 23 c0 36 c0 38 c0 33 00 0f 00 3f 00 43 00 48 00 49 00 4a 00 68 00 69 00 86 00 92 00 93 00 94 00 95 00 98 00 ac 00 ad 00 b2 00 b6 00 b7 00 ba 00 bc 00 be 00 c0 00 c2 00 c4 c0 02 c0 07 c0 0c c0 15 c0 1d c0 20 c0 25 c0 26 c0 29 c0 2a c0 37 c0 3c c0 3d c0 48 c0 49 c0 4a c0 4b c0 4c c0 4d c0 4e c0 4f c0 50 c0 51 c0 52 c0 53 c0 54 c0 55 c0 5c c0 5d c0 5e c0 5f c0 60 c0 61 c0 62 c0 63 c0 64 c0 65 c0 66 c0 67 c0 68 c0 69 c0 6a c0 6b c0 6c c0 6d c0 6e c0 6f c0 70 c0 71 c0 72 c0 73 c0 74 c0 75 c0 76 c0 77 c0 78 c0 79 c0 7a c0 7b c0 7c c0 7d c0 7e c0 7f c0 86 c0 87 c0 88 c0 89 c0 8a c0 8b c0 8c c0 8d c0 8e c0 8f c0 90 c0 91 c0 92 c0 93 c0 94 c0 95 c0 96 c0 97 c0 98 c0 99 c0 9a c0 9b 00 2c 00 2d 00 2e 00 3b 00 47 00 b0 00 b1 00 b4 00 b5 00 b8 00 b9 c0 01 c0 06 c0 0b c0 10 c0 39 c0 3a c0 3b 00 0c 00 12 00 3e 00 40 00 42 00 44 00 46 00 57 00 58 00 59 00 5a 00 6a 00 85 00 87 00 89 00 97 00 99 00 9b 00 a4 00 bb 00 bd 00 bf 00 c1 00 c3 00 c5 c0 16 c0 17 c0 18 c0 19 c0 3e c0 3f c0 40 c0 41 c0 42 c0 43 c0 44 c0 45 c0 46 c0 47 c0 56 c0 57 c0 58 c0 59 c0 5a c0 5b c0 80 c0 81 c0 82 c0 83 c0 84 c0 85 00 81 00 83 ff 85 ff 87 cc aa cc a9 cc a8 c0 b0 c0 b1 c0 b2 c0 b3 c0 a0 c0 a1 c0 a2 c0 a3 c0 ae c0 af cc ab cc ac cc ad cc ae cc 12 cc 13 cc 14 cc 15 cc 16 cc 17 cc 18 cc 19 00 00 01 00 01 21 00 0b 00 02 01 00 00 0a 00 3e 00 3c 00 0f 00 10 00 11 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 19 00 01 00 02 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0a 00 0b 00 0c 00 0d 00 0e 00 1d 00 1e 00 1a 00 1b 00 1c 00 0d 00 2c 00 2a 01 02 02 02 03 02 04 02 05 02 06 02 01 01 02 01 03 01 04 01 05 01 06 01 01 03 02 03 03 03 04 03 05 03 06 03 ed ed ee ee ef ef 00 23 00 a0 27 40 ca 99 b7 85 b0 ac 1c c3 a2 07 2e a9 19 c6 97 1c 77 8d 2e 7f 6c 82 92 08 7c 4c fe 4b ce c1 4b 19 42 ef 29 ae 92 b5 59 49 d0 6a 13 19 04 f2 6f 8a e4 70 94 27 a7 8a 74 49 57 ef d6 ce 63 2b 7b 5b 65 bf 81 44 66 99 45 eb 86 97 68 81 66 6d c7 b0 49 c5 80 eb ad 7d 35 df f7 10 38 89 fb ef ac 6f 3b 0f 25 91 21 f2 65 1e 88 c2 6f 3c bb d3 a4 be 57 c8 ef 27 76 0c e0 bb a2 79 f1 5b 48 b9 a1 95 97 2e 57 5c 54 20 64 13 de 79 8f a1 90 d7 29 7e 0f 06 6c aa f3 7c 94 23 ad d5 88 e4 47 24 ff 01 00 01 00 ??? [length 0005] 16 03 03 00 31 TLS 1.2, Handshake [length 0031], ServerHello 02 00 00 2d 03 03 f4 05 46 d0 8d 8f fe c2 16 6c 5c a4 6b 1b 2d ce 97 2c 46 76 d5 a9 ef 54 44 4f 57 4e 47 52 44 01 00 00 2f 00 00 05 ff 01 00 01 00 ??? [length 0005] 14 03 03 00 01 TLS 1.2, ChangeCipherSpec [length 0001] 01 ??? [length 0005] 16 03 03 00 40 TLS 1.2, Handshake [length 0010], Finished 14 00 00 0c cb 12 5e 03 1e 74 ec 2d b6 db e7 8a <<< ??? [length 0005] 14 03 03 00 01 <<< ??? [length 0005] 16 03 03 00 10 ??? [length 0005] 15 03 03 00 30 TLS 1.2, Alert [length 0002], fatal bad_record_mac 02 14 ERROR 4468911616:error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac:ssl/record/ssl3_record.c:677: shutting down SSL CONNECTION CLOSED

mmaehren commented 3 years ago

TLS-Attacker's output is usually more helpful for us as it includes more information about the config and the session context. Could you please add -debug to your parameters and post the result?

KazaSrikanth commented 3 years ago

Ran with debug, attached the log. session_resumption_debug.log

mmaehren commented 3 years ago

I'm a little confused by your WorkflowTrace. You first perform a handshake, obtain a SessionTicket and then perform a FULL_RESUMPTION WorkflowTrace. Is this intended? The FULL_RESUMPTION WorkflowTrace, in contrast to the RESUMPTION WorkflowTrace, performs a regular handshake by itself with a subsequent resumption. This is why in lines 1750 and 1751 of your debug output TLS-Attacker is expecting a ServerHelloDone but receives a Finished, which it is not able to decrypt.

15:20:17.145 [main] DEBUG de.rub.nds.tlsattacker.core.workflow.action.ReceiveAction - Receive Expected:SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE, 
15:20:17.145 [main] INFO  de.rub.nds.tlsattacker.core.workflow.action.ReceiveAction - Received Messages (client): SERVER_HELLO, CHANGE_CIPHER_SPEC, UNKNOWN_MESSAGE,

Please try if a FULL_RESUMPTION WorkflowTrace by itself succeeds in performing a resumption. I assume that this should be the case as a continuous TlsContext is used between the two handshakes. Since the public branch does not fully support the Session Ticket resumption mechanism, two "detached" handshakes would fail to set up the RecordCipher appropriately. If you want to add further actions / messages to the initial handshake, you can modify the created WorkflowTrace or reuse the context. This is merely a workaround as a proper implementation would require you to make some more code adjustments.

KazaSrikanth commented 3 years ago

My bad, Initially I have done FULL handshake. Then the RESUMPTION with sessionTicket & masterSecret Attached the log with resumption.

Here is my high level code snippet and attached the corresponding log. session_resumption_debug.log

    WorkflowTraceType classWorkflowTraceType = WorkflowTraceType.FULL;

    TLS12Init tls12Init = new TLS12Init(System.getProperty("host"),
            Integer.parseInt(System.getProperty("port")), classWorkflowTraceType);

    tls12Init.setSessionTicketExtension(true);
    State state = TLS12Execute.execute(tls12Init.getConf(), classWorkflowTraceType, alert);

    AssertionCheck.checkHandshakeMessages(state);
    byte[] sessionTicket = state.getTlsContext().getSessionTicketTLS();
    byte[] masterSecret = state.getTlsContext().getMasterSecret();

    WorkflowTraceType classWorkflowTraceType1 = WorkflowTraceType.RESUMPTION;

    TLS12Init tls12Init1 = new TLS12Init(System.getProperty("host"),
            Integer.parseInt(System.getProperty("port")), classWorkflowTraceType1);

    tls12Init1.setSessionTicket(sessionTicket);
    tls12Init1.setMasterSecret(masterSecret);

    State state1 = TLS12Execute.execute(tls12Init1.getConf());

mmaehren commented 3 years ago

Please check if your context contains a non-empty sessionList after performing the handshake. You can then add this sessionList to the context of your resumption handshake. This should also not require you to explicitly set the mastersecret as it is stored in the Session object. A working resumption should yield the following output (even without -debug): INFO : ServerHelloHandler - Resuming Session

tls-attacker / TLS-Attacker

Help for getting the session ticket #89