TLS1.3 stateless session_resumption fails with Illegal Parameter - :stateless on FIPS enabled OpenSSL #8489
Comments
@yonashaile Did you enable fips-mode at runtime in crypto? See crypto:enable_fips_mode/1. Also, did you compile Erlang/OTP with fips mode enabled? Also note that you cannot select cipher suites in Erlang/OTP by configuring OpenSSL; we only use the OpenSSL cryptolib, and the protocol is implemented in Erlang.
@IngelaAndin So without removing TLS_CHACHA20_POLY1305_SHA256 and the curve x25519, the TLS1.3 application will not start, since those are not supported on FIPS-enabled OpenSSL. After removing them, the application works fine, except when the client tries to resume with the session ticket (as shown in the issue description).
@yonashaile Oh, I see. I think I did not click your "removal patch" and misunderstood what you meant by that. I will look into it.
I have not had time to figure out the resumption thing yet, but I made a patch for checking the minimum requirements for TLS-1.3.
@yonashaile I have a question: what do you mean that the resumption should work? An empty binder cannot be valid. Do you mean that the server should fall back to a full handshake? Is this actually FIPS-related? Have you tried this without FIPS?
@yonashaile ping |
@IngelaAndin Apologies for the delayed response. My assumption was that, with the patch applied, TLS1.3 session resumption would work with an OTP client and an OTP server. However, it fails with
The only way session resumption works is if the client has
…bcrypto support Closes erlang#8489
@yonashaile Ah, the code was calling the wrong function for the default value, so the filtering mechanism for cryptolib support was not called; my PR #8646 should fix that.
@yonashaile, sorry, I was too quick there: the correct function is called, so it must be something else.
@yonashaile could PR #8590 be relevant?
@yonashaile could you perhaps check if you can reproduce on OTP-27.0.1 to eliminate possible error sources? |
@IngelaAndin I ran the same test with 27.0.1 and observed a similar issue. I will soon create and share a small app to help reproduce the issue.
ping |
Describe the bug

On OTP-26.2.5, the cipher TLS_CHACHA20_POLY1305_SHA256 and the curve x25519 are part of the allowed crypto for TLS1.3 (ref: sufficient_crypto_support). However, those are not supported on FIPS-enabled OpenSSL (ver 3.0.8). After applying a patch to remove this cipher and curve:

- When the client connects, the first full handshake succeeds.
- When the client connects and tries to resume with the SessionTicket received earlier and with a valid keyshare (i.e. the server accepts it and does not send a KeyShareHelloRetryRequest extension), the handshake succeeds.
- On the other hand, when the client connects and tries to resume with the SessionTicket received earlier and the keyshare is not accepted (i.e. the server sends a KeyShareHelloRetryRequest extension and the client re-sends the ClientHello with the chosen keyshare in key_share_entry), the handshake fails with Illegal Parameter - :stateless at validate_binder.

As you can see in the server debug log, the last ClientHello's OfferedPsks after the server sent KeyShareHelloRetryRequest has a PskIdentity but an empty binder <<0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>>.

To Reproduce
Start the TLS server with the options

```
versions: [:"tlsv1.3", :"tlsv1.2"],
ciphers: [
  %{cipher: :aes_256_gcm, key_exchange: :ecdhe_ecdsa, mac: :aead, prf: :sha384},
  %{cipher: :aes_256_gcm, key_exchange: :ecdhe_rsa, mac: :aead, prf: :sha384},
  %{cipher: :aes_256_gcm, key_exchange: :rsa, mac: :aead, prf: :sha384},
  %{cipher: :aes_128_gcm, key_exchange: :any, mac: :aead, prf: :sha256},
  %{cipher: :aes_256_gcm, key_exchange: :any, mac: :aead, prf: :sha384}
],
signature_algs: :ssl.signature_algs(:default, :"tlsv1.3"),
session_tickets: :stateless_with_cert
```

Start the TLS client with the option

```
session_tickets: :auto
```
Expected behavior
TLS1.3 session_resumption works with FIPS crypto
Affected versions
OTP-26.2.5
Additional context

Erlang/OTP is compiled with fips-mode.
fips-mode is enabled for crypto at run-time.
The TLS server is configured with the session_tickets = stateless_with_cert option. The TLS client is configured with session_tickets = auto.
The server is running on FIPS-enabled OpenSSL 3.0.8.
Here is the server debug log:
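The failing case above hinges on what the PSK binder in the second ClientHello must cover. As an added illustration, not code from this issue or from Erlang/OTP, the following Python computes a TLS 1.3 resumption binder the way RFC 8446 §4.2.11.2 and §4.4.1 specify it: after a HelloRetryRequest, the transcript is message_hash(ClientHello1) || HelloRetryRequest || ClientHello2 truncated before the binders list, and the binder is an HMAC over that transcript hash under a key derived from the PSK. The PSK and the three handshake messages are constructed placeholder byte strings, not captured traffic; with a real PSK (the ticket's resumption secret) and the real messages, the same functions reproduce what a server-side validate_binder step expects, and they show why an all-zero binder can never validate.

```python
"""TLS 1.3 PSK binder over a HelloRetryRequest transcript (RFC 8446).

Added example: the PSK and handshake messages below are constructed
placeholders, not data from the issue or from Erlang/OTP.
"""
import hashlib
import hmac

HASH = hashlib.sha256          # TLS_AES_128_GCM_SHA256-style cipher suite hash
HASH_LEN = HASH().digest_size  # 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    # HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def early_secret(psk: bytes) -> bytes:
    # Early Secret = HKDF-Extract(salt = 0..0, IKM = PSK)
    return hkdf_extract(bytes(HASH_LEN), psk)


def binder_key(psk: bytes) -> bytes:
    # "res binder" is for resumption PSKs (session tickets); external PSKs use "ext binder"
    return derive_secret(early_secret(psk), b"res binder", b"")


def hrr_transcript(client_hello1: bytes, hello_retry_request: bytes,
                   truncated_client_hello2: bytes) -> bytes:
    # RFC 8446 4.4.1: with HRR, ClientHello1 is replaced in the transcript by
    # message_hash (type 254) || uint24 length || Hash(ClientHello1)
    ch1_hash = HASH(client_hello1).digest()
    message_hash = b"\xfe" + len(ch1_hash).to_bytes(3, "big") + ch1_hash
    return message_hash + hello_retry_request + truncated_client_hello2


def compute_binder(psk: bytes, transcript: bytes) -> bytes:
    # finished_key = HKDF-Expand-Label(binder_key, "finished", "", Hash.length)
    finished_key = hkdf_expand_label(binder_key(psk), b"finished", b"", HASH_LEN)
    return hmac.new(finished_key, HASH(transcript).digest(), HASH).digest()


def validate_binder(psk: bytes, transcript: bytes, offered_binder: bytes) -> bool:
    # Server side: recompute and compare in constant time; a zero-filled binder fails here
    return hmac.compare_digest(compute_binder(psk, transcript), offered_binder)


# Constructed placeholders standing in for full Handshake messages (type, uint24 length, body).
PSK = b"\x11" * HASH_LEN
CLIENT_HELLO1 = b"\x01\x00\x00\x05hello"
HELLO_RETRY_REQUEST = b"\x02\x00\x00\x03hrr"
TRUNCATED_CLIENT_HELLO2 = b"\x01\x00\x00\x08retry-ch"


def demo() -> dict:
    transcript = hrr_transcript(CLIENT_HELLO1, HELLO_RETRY_REQUEST, TRUNCATED_CLIENT_HELLO2)
    binder = compute_binder(PSK, transcript)
    other_hrr = hrr_transcript(CLIENT_HELLO1, b"\x02\x00\x00\x03HRR", TRUNCATED_CLIENT_HELLO2)
    return {
        "binder": binder,
        "valid": validate_binder(PSK, transcript, binder),
        # the all-zero binder from the issue's debug log can never validate
        "zero_binder_valid": validate_binder(PSK, transcript, bytes(HASH_LEN)),
        # the HRR bytes are part of the transcript, so a different HRR gives a different binder
        "binder_other_hrr": compute_binder(PSK, other_hrr),
    }


if __name__ == "__main__":
    print(demo()["binder"].hex())
```

A client that computes its ClientHello2 binder over ClientHello2 alone, or that leaves the binder field zero-filled, will be rejected by any server implementing this check, regardless of whether FIPS mode is on; the HMAC depends on the ticket's PSK and on the HelloRetryRequest bytes, so neither value is recoverable from the earlier ClientHello.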