tlsfuzzer / tlslite-ng

TLS implementation in pure python, focused on interoperability testing
Other
236 stars 81 forks source link

TLS-RFC compliance #469

Open mmaehren opened 3 years ago

mmaehren commented 3 years ago

Hi, we (@jurajsomorovsky @ic0ns @mmaehren @XoMEX @Kavakuo) are performing an analysis of the RFC-compliance of open-source TLS implementations. Below we list our findings for this implementation. We admit that some are rather nit-picky, but we added them for the sake of completeness. We tried to keep the descriptions brief and didn’t want to spam the issues section so feel free to split up the list into individual issues as you see fit. If you disagree with our interpretation of certain RFC statements, please leave feedback as we’re interested in your view.

Our results apply to the default configuration of version 0.8.0-alpha39. We used the example implementations for client and server.

[S] = Applies to server [C] = Applies to client [C+S] = Applies to both

Misc

Session not aborted

Only session closed but no alert sent

Different alert sent than defined by the RFC

tomato42 commented 3 years ago

Thanks for the report! I'll go through them one by one later, two items caught my eye though:

when there are no overlapping parameters. tlslite-ng sends an 'illegal parameter' alert

Could you explain in what situation it happens? In majority of cases it should send the correct handshake_failure or insufficient_security.

upon receiving a ClientHello that contains elliptic curve extensions but no ECC cipher suite

I don't think enforcing that is useful; the extension may have been included because of an ECC ciphersuite that's unknown to the server, and even if all the ciphersuites are known, that's rather brittle code that does not increase interoperability or security.

mmaehren commented 3 years ago

Thank you for the feedback. We agree that enforcing this ECC cipher suite check may cause problems - that's a good point! I think the alert description for the lack of overlapping parameters may be caused by deprecated groups we include in the ClientHello we send in the test.

tomato42 commented 3 years ago

I think the alert description for the lack of overlapping parameters may be caused by deprecated groups we include in the ClientHello we send in the test.

RFC 8446 says that deprecated groups "MUST NOT be offered or negotiated by TLS 1.3 implementations."; so that's what causing the rejection: if the ClientHello is recognised as a TLS 1.3 CH, and includes those obsolete curves then technically the message is malformed, so illegal_parameter is appropriate here. If you send them in TLS 1.2 you should see the expected handshake_failure, similar behaviour should be observed when using the unassigned curves (like from GREASE range).

mmaehren commented 3 years ago

Yes, it's a false positive on our end - sorry if my last comment didn't convey this.