https://bz.apache.org/bugzilla/show_bug.cgi?id=67938
--- Comment #4 from Stephen Higgs <shi...@redhat.com> ---
Reproducer Steps
================
This reproducer creates an artificially large ClientHello that causes Tomcat to
respond with an SSL alert on TLS 1.3 session resumption. In this test case, a
certificate extension with a very long string value is added to the server's
certificate. Wireshark analysis shows the ClientHello preshared key identity
can become very large with a large certificate. Mutual authentication also
increases the size of the identity.
In the following test, the first openssl call will succeed while the second one
will fail.
STEP 1 - generate a large certificate
-------------------------------------
$ cat openssl.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = NA
ST = NA
L = NA
O = NA
OU = NA
CN = localhost
[req_ext]
subjectAltName = @alternate_names
[alternate_names]
DNS.1 = localhost
DNS.2 = *.localhost
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
subjectAltName = @alternate_names
keyUsage = digitalSignature, keyEncipherment
2.999 = ASN1:UTF8String:LONGSTRING
$ sed "s/LONGSTRING/$(printf '%.0sx' {0..16000})/g" ./openssl.cnf >
openssl-long.cnf
$ cat create-cert.sh
#!/bin/bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days
7 -nodes -config ./openssl-long.cnf -extensions v3_ca
openssl pkcs12 -inkey key.pem -in cert.pem -export -out keystore.p12 -password
pass:changeit -name my
keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks
-srcstoretype PKCS12 -deststoretype jks -deststorepass changeit -srcstorepass
changeit
$ ./create-cert.sh
Step 2 - install cert and start Tomcat
--------------------------------------
$ grep --after-context 8 "<Connector.*8443" conf/server.xml
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true"
maxParameterCount="1000"
>
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig protocols="all" >
<Certificate certificateKeystoreFile="conf/keystore.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
$ cp $CERT_DIR/keystore.jks conf/keystore.jks
$ bin/catalina.sh run
Step 3 - test
-------------
$ cat test.sh
#!/bin/bash
echo -en "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" |
openssl s_client -connect localhost:8443 -sess_out session -tls1_3 -quiet
-CAfile=cert.pem
echo -en "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" |
openssl s_client -connect localhost:8443 -sess_in session -tls1_3 -quiet
-CAfile=cert.pem
$ ./test.sh
...
003E54FCFD7E0000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert
internal error:ssl/record/rec_layer_s3.c:1586:SSL alert number 80
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
