Hi,

I think I found a regression in 1.1.0-pre4's ALPN code.

I'm currently porting Python's ssl module to OpenSSL 1.1.0-pre4. One of Python's unit tests for ALPN is failing. In the test case both client and server advertise ALPN but have no overlapping protocols. In OpenSSL 1.1.0-pre3 and all earlier versions of OpenSSL, the client was still able to establish a connection. With pre4, the server terminates the connection during the handshake:

140348419344128:error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext:ssl/statem/statem_srvr.c:1520:

I tried all four possible combinations of client and server with 1.0.2g and 1.1.0-pre4. Test cases with 1.1.0-pre4 on the server side always fail. A 1.0.2g server works as expected.

The problem can be reproduced easily. I have attached the output of the commands, too.

1st screen:

$ curl -o server.pem https://raw.githubusercontent.com/python/cpython/master/Lib/test/keycert.pem
$ openssl s_server -alpn egg

2nd screen:

$ openssl s_client -connect localhost:4433 -alpn foo,bar

The regression was most likely introduced in 817cd0d52f0462039d1fe60462150be7f59d2002. It looks like tls1_alpn_handle_client_hello_late() doesn't handle SSL_TLSEXT_ERR_NOACK as success.

Christian
$ ../openssl/1.1.0-pre4/bin/openssl s_server -alpn egg
Using default temp DH parameters
ACCEPT
ALPN protocols advertised by the client: foo, bar
ERROR
140080267302656:error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext:ssl/statem/statem_srvr.c:1520:
shutting down SSL
CONNECTION CLOSED
ACCEPT

$ ../openssl/1.1.0-pre4/bin/openssl s_client -connect localhost:4433 -alpn foo,bar
CONNECTED(00000003)
139674129954560:error:14094460:SSL routines:ssl3_read_bytes:reason(1120):ssl/record/rec_layer_s3.c:1481:SSL alert number 120
---
no peer certificate available
---
No client certificate CA names sent
---
SCTs present (0)
Warning: CT validation is disabled, so not all SCTs may be displayed. Re-run with "-requestct".
---
SSL handshake has read 7 bytes and written 0 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1458207817
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

----------------------------------------------------------------

$ openssl s_server -alpn egg
Using default temp DH parameters
ACCEPT
ALPN protocols advertised by the client: foo, bar
-----BEGIN SSL SESSION PARAMETERS-----
MFUCAQECAgMDBALAMAQABDDf9sxOUQCanqlzesEMnCHaJGwQgo5fpYghA8O5rA8Z
cFvuL7xFeZ+dvDI72xvEqb6hBgIEVup74aIEAgIBLKQGBAQBAAAA
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: P-256:P-521:P-384:secp256k1
Shared Elliptic curves: P-256:P-521:P-384:secp256k1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported

$ openssl s_client -connect localhost:4433 -alpn foo,bar
CONNECTED(00000003)
depth=0 C = XY, L = Castle Anthrax, O = Python Software Foundation, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XY, L = Castle Anthrax, O = Python Software Foundation, CN = localhost
verify return:1
---
Certificate chain
 0 s:/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost
   i:/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost
---
Server certificate
subject=/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost
issuer=/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1131 bytes and written 341 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5E7C2E42414AA123E2EC1F703033F4C84D4C00DC90BE5AD61358E687F556A7BE
    Session-ID-ctx: 
    Master-Key: DFF6CC4E51009A9EA9737AC10C9C21DA246C10828E5FA5882103C3B9AC0F19705BEE2FBC45799F9DBC323BDB1BC4A9BE
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1458207713
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
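The server-side ALPN selection this report is about, as an added example in Python (not OpenSSL or CPython code): it encodes the client's list the way `-alpn foo,bar` puts it on the wire (RFC 7301, one-byte length prefix per name), picks by server preference, and separates the no-overlap outcome the report describes (continue with "No ALPN negotiated", the NOACK case) from a fatal no_application_protocol alert (alert number 120, which s_client printed above). The status names are local stand-ins for OpenSSL's SSL_TLSEXT_ERR_* constants, not their real values.

```python
# ALPN selection as a TLS server performs it for the ClientHello in the report
# (client advertises "foo,bar", server is configured with "egg").
# Added example, not OpenSSL or CPython code. Wire format per RFC 7301: each
# protocol name is prefixed with its 1-byte length. Status names mirror
# OpenSSL's SSL_TLSEXT_ERR_* constants in spirit only; the values are local.
from typing import List, Optional, Tuple

OK, NOACK, ALERT_FATAL = "OK", "NOACK", "ALERT_FATAL"


def encode_protocol_list(protocols: List[str]) -> bytes:
    """Encode names the way s_client -alpn foo,bar puts them on the wire."""
    out = bytearray()
    for name in protocols:
        raw = name.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError("ALPN protocol names are 1..255 bytes")
        out.append(len(raw))
        out += raw
    return bytes(out)


def decode_protocol_list(wire: bytes) -> List[str]:
    """Parse the client's list; reject zero-length names and truncated data."""
    names, i = [], 0
    while i < len(wire):
        n = wire[i]
        i += 1
        if n == 0 or i + n > len(wire):
            raise ValueError("malformed ALPN protocol list")
        names.append(wire[i:i + n].decode("ascii"))
        i += n
    return names


def select_alpn(server_prefs: List[str], client_wire: bytes,
                fatal_on_no_overlap: bool = False) -> Tuple[str, Optional[str]]:
    """Return (status, chosen). Server preference order wins.
    With no overlap the server either continues the handshake without ALPN
    (NOACK, the pre-pre4 behaviour the report expects) or aborts with a
    fatal no_application_protocol alert (alert 120, what s_client saw)."""
    try:
        offered = decode_protocol_list(client_wire)
    except ValueError:
        return ALERT_FATAL, None   # a malformed extension is always fatal
    for proto in server_prefs:
        if proto in offered:
            return OK, proto
    return (ALERT_FATAL if fatal_on_no_overlap else NOACK), None
```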