-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS1.3 handshake fails for some SSL clients #5950
Comments
Could you use the option {log_level, debug} on your server and connect with a client that has the problem and share what the client hello looks like. |
Thanks! I had misunderstood the interactions between
|
It looks like a version mismatch of some kind. The TLS-1.3 state machine seems to be handling TLS-1.2 decode data! Could you try the latest maint branch where one version mismatch problem has been solved, just to make sure? Your problem is not "total" match, but I would like to rule it out before trying to dig deeper. |
Ok - I'll give FYI, the only config I'm using is here: https://github.com/mk270/blizanci/blob/master/apps/blizanci/src/blizanci_config.erl#L28; those values are being passed through to ranch here: https://github.com/mk270/blizanci/blob/master/apps/blizanci/src/blizanci_app.erl#L26 ; other than this, I don't think I'm doing anything special/unusual/ill-advised. |
I tried
but I got "Error mirroring remote git repository"; what am I doing wrong? |
You can now try OTP-24.3.4 if that is easier for you! |
I noticed you have configured your server to run only TLS-1.3 but the client seems to be wanting to run TLS-1.2. I see that we have fixed an issue in a newer version than yours that is described: "Corrected error handling to correctly generate an It matches your crash fairly well, although I would have expected a protocol version alert. Did you have any luck testing with the latest released version? I could perhaps try out your client later but I do not have time for that at the moment. |
ok, well, now under 24.3.4 the server doesn't crash. I can't tell what, if anything, is happening as I can't seem to reconfigure the logger to see what's going on, server-side. The clients still can't establish a connection, but that may be their own fault. Thanks |
You could try starting a simple Erlang/TLS server in the Erlang shell and then connecting to it, skipping all the Lager/Logger interactions. By default you should then get notice level logs an the erlang server should log its generated TLS ALERT. And you could also add {log_level, debug} to the ssl options list to the server and you should be able to see the clients hello message. Good luck! |
I'm very happy to keep investigating, not least as it could be that a bug remains! |
Bingo: After doing:
I get:
|
|
It looks like the client doesn't support TLS 1.3 ; I'm surprised neither the client nor OTP's |
Yes, the client does not support TLS-1.3 as it is sending a TLS-1.2 hello message. I am also surprised that our code did not send a protocol version alert instead of an illegal parameter alert. This means that the code somehow missed the protocol version check and later concludes that the hello message does not match a TLS-1.3 hello message. The end result in your case will be sort of the same, that these clients will not be able to connect to the server. However, I think we should fix it so that you will get a protocol version alert instead. The client does not really know that it was the protocol version that was the problem as all it knows is what alert the server responded with. |
Well, thank you again for your help. Glad we persisted in tracking this down. It doesn't seem easy to exploit this behaviour from the client-side, but it's probably best (as you imply) to fix it. |
Change implementation use gen_statem postpone for hello message when users want to pause handshake instead of legacy "reimplementation" of postpone Closes erlang#5950
Change implementation use gen_statem postpone for hello message when users want to pause handshake instead of legacy "reimplementation" of postpone Closes erlang#5950
Change implementation use gen_statem postpone for hello message when users want to pause handshake instead of legacy "reimplementation" of postpone Closes erlang#5950
…into maint * ingela/ssl/protocol-version-TLS-1.3/GH-5950/OTP-18129: ssl: Reject unsupported previous version with protocol alert
…into maint-24 * ingela/ssl/protocol-version-TLS-1.3/GH-5950/OTP-18129: ssl: Reject unsupported previous version with protocol alert
…into maint-25 * ingela/ssl/protocol-version-TLS-1.3/GH-5950/OTP-18129: ssl: Reject unsupported previous version with protocol alert # Conflicts: # lib/ssl/src/ssl_gen_statem.erl
Describe the bug
When a client attempts to use BearSSL (and possibly other TLS implementations) to access my service, my service crashes; the service is based on OTP's
ssl
library, that is, the server is running on OTP and using it to provide a TLS-wrapped listener that it wants to accept connections on. The bug only happens with a subset of the TLS client implemenations that are available, and I can only easily reproduce it with BearSSL, but I believe there exist several other client implementations which expose the same problem. Many client implementations work fine and consistently fail to expose the bug.As I understand it, a client ought not to be able to crash OTP's TLS server at all, no matter what it transmits.
The crashes all look like this:
To Reproduce
The error seems to occur during the response to the initial SSL handshake.
Specifically,
blizanci
server, which is an Erlang/OTP process that listens on a TCP port in the usual waygmni
, which uses BearSSL under the hood.Expected behavior
A normal SSL handshake would occur, without crashing the Erlang process and terminating the connection.
Affected versions
and
Additional context
Not a lot here. The thing reliably occurs whenever accepting a TLS/1.3 connection (but not other versions), and appears to implicate the handling of elliptic curve -based ciphers.
The text was updated successfully, but these errors were encountered: