TLS1.3 stateless session_resumption fails with Illegal Parameter - :stateless on FIPS enabled OpenSSL #8489

Open
yonashaile opened this issue May 17, 2024 · 7 comments
Labels: bug (Issue is reported as a bug), team:PS (Assigned to OTP team PS), waiting (waiting for changes/input from author)

yonashaile commented May 17, 2024

Describe the bug
On OTP-26.2.5, the cipher TLS_CHACHA20_POLY1305_SHA256 and the curve x25519 are part of the allowed crypto for TLS1.3 (ref: sufficient_crypto_support). However, those are not supported on FIPS enabled OpenSSL (ver 3.0.8).

After applying a patch to remove this cipher and curve:

When the client connects, the first full handshake succeeds.

When the client connects and tries to resume with the SessionTicket received earlier and with a valid keyshare (i.e. the server accepts it and does not send the KeyShareHelloRetryRequest extension), the handshake succeeds.

On the other hand, when the client connects and tries to resume with the SessionTicket received earlier and the keyshare is not accepted (i.e. the server sends the KeyShareHelloRetryRequest extension and the client re-sends the ClientHello with the chosen keyshare in key_share_entry), the handshake fails with Illegal Parameter - :stateless at validate_binder.

As you can see in the server debug log, the last ClientHello's OfferedPsks after the server sent KeyShareHelloRetryRequest has a PskIdentity but an empty binder <<0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>>.

To Reproduce

  • Start TLS server with options
    versions = ['tlsv1.3', 'tlsv1.2'],
    ciphers =
    {cipher: aes_256_gcm, key_exchange: ecdhe_ecdsa, mac: aead, prf: :sha384},
    {cipher: :aes_256_gcm, key_exchange: :ecdhe_rsa, mac: :aead, prf: :sha384},
    {cipher: :aes_256_gcm, key_exchange: :rsa, mac: :aead, prf: :sha384},
    {cipher: :aes_128_gcm, key_exchange: :any, mac: :aead, prf: :sha256},
    {cipher: :aes_256_gcm, key_exchange: :any, mac: :aead, prf: :sha384},
    signature_algs: ssl:signature_algs(default, tlsv1.3)
    server_session_tickets: stateless_with_cert

  • Start TLS client with option session_tickets, auto

Expected behavior
TLS1.3 session_resumption works with FIPS crypto

Affected versions
OTP-26.2.5

Additional context
Erlang/OTP is compiled with fips-mode
fips-mode is enabled for crypto at run-time
The TLS server is configured with session_tickets = stateless_with_cert option.
The TLS client is configured with session_tickets = auto
The server is running on FIPS enabled OpenSSL 3.0.8

openssl ciphers -s -v -tls1_3
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD

Here is the Server debug log

reading (215 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 00 d2 01 00 00  ce 03 03 a1 cd 32 2f e1    .............2/.
.....
<<< TLS 1.3 Handshake, ClientHello
[{client_version,{3,3}},
 {random,
     <<161,205,50,...>>},
 {session_id,
     <<50,253,..>>},
 {cookie,undefined},
 {cipher_suites,
     ["TLS_EMPTY_RENEGOTIATION_INFO_SCSV","TLS_AES_256_GCM_SHA384",
      "TLS_AES_128_GCM_SHA256","TLS_CHACHA20_POLY1305_SHA256",
      "TLS_AES_128_CCM_SHA256","TLS_AES_128_CCM_8_SHA256"]},
 {compression_methods,[0]},
 {extensions,
     #{cookie => undefined,
       client_hello_versions => {client_hello_versions,[{3,4}]},
       certificate_authorities => undefined,
       signature_algs =>
           {signature_algorithms,
               [eddsa_ed25519,eddsa_ed448,ecdsa_secp521r1_sha512,
                ecdsa_secp384r1_sha384,ecdsa_secp256r1_sha256,
                rsa_pss_pss_sha512,rsa_pss_pss_sha384,rsa_pss_pss_sha256,
                rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,rsa_pss_rsae_sha256,
                rsa_pkcs1_sha512,rsa_pkcs1_sha384,rsa_pkcs1_sha256]},
       signature_algs_cert => undefined,use_srtp => undefined,
       elliptic_curves => {supported_groups,[x25519,x448,secp256r1,secp384r1]},
       pre_shared_key => undefined,
       sni => {sni,"..."},
       alpn => undefined,
       ec_point_formats => {ec_point_formats,[0]},
       psk_key_exchange_modes => undefined,
       key_share =>
           {key_share_client_hello,
               [{key_share_entry,x25519,
                    <<249,23,4,184,236,105,42,52,237,249,139,208,199,94,
                      137,175,240,113,125,241,191,112,138,116,65,135,207,
                      226,235,6,10,61>>}]}}}]
>>> TLS 1.3 Handshake, ServerHello
[{server_version,{3,3}},
 {random,<<207,33,173,116,229,154,97,17,190,29,140,2,30,101,184,145,194,162,
           17,22,122,187,140,94,7,158,9,226,200,168,51,156>>},
 {session_id,<<50,253,231,235,205,121,252,230,117,114,30,32,93,8,6,52,146,87,
               111,167,193,52,114,144,73,192,165,7,214,89,72,3>>},
 {cipher_suite,"TLS_AES_256_GCM_SHA384"},
 {compression_method,0},
 {extensions,#{cookie =>
                   {cookie,<<157,161,134,...>>},
               server_hello_selected_version =>
                   {server_hello_selected_version,{3,4}},
               key_share => {key_share_hello_retry_request,secp256r1}}}]
writing (199 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 00 c2 02 00 00  be 03 03 cf 21 ad 74 e5    ............!.t.
...
writing (6 bytes) TLS 1.2 Record Protocol, change_cipher_spec
0000 - 14 03 03 00 01 01                                   ......
reading (6 bytes) TLS 1.2 Record Protocol, change_cipher_spec
0000 - 14 03 03 00 01 01                                   ......
reading (354 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 01 5d 01 00 01  59 03 03 a1 cd 32 2f e1    ....]...Y....2/.
...
<<< TLS 1.3 Handshake, ClientHello
[{client_version,{3,3}},
 {random,
     <<161,205,50,...>>},
 {session_id,
     <<50,253,231,...>>},
 {cookie,undefined},
 {cipher_suites,
     ["TLS_EMPTY_RENEGOTIATION_INFO_SCSV","TLS_AES_256_GCM_SHA384",
      "TLS_AES_128_GCM_SHA256","TLS_CHACHA20_POLY1305_SHA256",
      "TLS_AES_128_CCM_SHA256","TLS_AES_128_CCM_8_SHA256"]},
 {compression_methods,[0]},
 {extensions,
     #{cookie =>
           {cookie,
               <<157,161,134,>>},
       client_hello_versions => {client_hello_versions,[{3,4}]},
       certificate_authorities => undefined,
       signature_algs =>
           {signature_algorithms,
               [eddsa_ed25519,eddsa_ed448,ecdsa_secp521r1_sha512,
                ecdsa_secp384r1_sha384,ecdsa_secp256r1_sha256,
                rsa_pss_pss_sha512,rsa_pss_pss_sha384,rsa_pss_pss_sha256,
                rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,rsa_pss_rsae_sha256,
                rsa_pkcs1_sha512,rsa_pkcs1_sha384,rsa_pkcs1_sha256]},
       signature_algs_cert => undefined,use_srtp => undefined,
       elliptic_curves => {supported_groups,[x25519,x448,secp256r1,secp384r1]},
       pre_shared_key => undefined,
       sni => {sni,"..."},
       alpn => undefined,
       ec_point_formats => {ec_point_formats,[0]},
       psk_key_exchange_modes => undefined,
       key_share =>
           {key_share_client_hello,
               [{key_share_entry,secp256r1,
                    <<4,206,42,126,254,188,22,65,240,236,207,131,80,214,
                      188,176,90,52,11,246,8,70,235,213,29,70,60,227,233,
                      71,151,228,37,46,253,178,144,103,7,244,165,133,165,
                      201,234,83,50,172,15,43,164,184,162,52,218,81,250,
                      220,147,166,92,117,18,144,143>>}]}}}]
>>> TLS 1.3 Handshake, ServerHello
[{server_version,{3,3}},
 {random,
     <<70,96,171,13,209,126,70,57,124,215,129,17,138,215,78,3,100,73,190,20,
       143,255,3,189,49,76,188,180,158,171,141,133>>},
 {session_id,
     <<50,253,231,235,205,121,252,230,117,114,30,32,93,8,6,52,146,87,111,167,
       193,52,114,144,73,192,165,7,214,89,72,3>>},
 {cipher_suite,"TLS_AES_256_GCM_SHA384"},
 {compression_method,0},
 {extensions,
     #{server_hello_selected_version => {server_hello_selected_version,{3,4}},
       key_share =>
           {key_share_server_hello,
               {key_share_entry,secp256r1,
                   <<4,92,127,89,162,74,43,186,223,172,16,143,165,101,195,
                     206,253,184,71,253,215,238,40,168,219,220,59,102,25,
                     208,146,173,73,211,198,1,247,128,59,137,98,81,3,184,
                     36,208,61,175,53,48,154,182,41,197,202,225,192,98,
                     207,179,157,61,168,188,39>>}}}}]
writing (160 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 00 9b 02 00 00  97 03 03 46 60 ab 0d d1    ...........F`...
...
>>> Handshake, EncryptedExtensions
[{extensions,#{}}]
writing (28 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 00 17 64 c4 46  3e f7 92 a5 55 ad 3a aa    .....d.F>...U.:.
0010 - 8f be bb 2d 38 a6 ee e7  ab 7c e1 d9                ...-8....|..
>>> Handshake, CertificateRequest
[{certificate_request_context,<<>>},
 {extensions,
     #{certificate_authorities =>
           {certificate_authorities,
               [{rdnSequence,
                    [[{'AttributeTypeAndValue',{2,5,4,6},"..."}],
                     [{'AttributeTypeAndValue',
                          {2,5,4,8},
                          {utf8String,<<"...">>}}],
                     [{'AttributeTypeAndValue',
                          {2,5,4,7},
                          {utf8String,<<"...">>}}],
                     [{'AttributeTypeAndValue',
                          {2,5,4,10},
                          {utf8String,<<"...">>}}],
                     [{'AttributeTypeAndValue',
                          {2,5,4,3},
                          {utf8String,
                              <<"...">>}}]]}]},
       signature_algorithms =>
           {signature_algorithms,
               [rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha512,
                rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha512,
                rsa_pss_rsae_sha256,rsa_pss_rsae_sha384,rsa_pss_rsae_sha512,
                rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512,
                ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384,
                ecdsa_secp521r1_sha512,eddsa_ed448,eddsa_ed25519]}}}]
writing (191 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 00 ba 9b 1a f6  77 54 8c 66 e4 36 59 d9    ........wT.f.6Y.
...
>>> Handshake, Certificate
[{certificate_request_context,<<>>},
 {certificate_list,
     [{certificate_entry,
          <<48,130,2,124,48,130,...>>,
          #{}},
      {certificate_entry,
          <<48,130,2,131,48,130,....>>,
          #{}}]}]
writing (1327 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 05 2a 21 cd 3e  23 e7 be 7a 93 91 a8 65    ....*!.>#..z...e
...
>>> Handshake, CertificateVerify
[{algorithm,ecdsa_secp384r1_sha384},
 {signature,<<48,101,2,49,0,...>>}]
writing (133 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 00 80 10 41 93  0b 10 0f fa 0e 4f cc e4    ......A......O..
...                             ....
>>> Handshake, Finished
[{verify_data,<<117,79,67,141,...>>}]
writing (74 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 00 45 18 79 5d  19 94 a6 50 01 e4 9e 4f    ....E.y]...P...O
...
reading (965 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 03 c0 02 80 b7  dd c6 89 43 72 11 fe db    ...........Cr...
...
reading (286 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 01 19 55 36 ec  28 41 7e a4 b1 99 2c 9c    .....U6.(A~...,.
...
reading (74 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 00 45 9e ec aa  84 fb a4 73 70 0b d7 53    ....E......sp..S
...
<<< Handshake, Certificate
[{certificate_request_context,<<>>},
 {certificate_list,
     [{certificate_entry,
          <<48,130,3,...>>,
          #{}}]}]
<<< Handshake, CertificateVerify
[{algorithm,rsa_pss_rsae_sha256},
 {signature,<<97,95,195,...>>}]
<<< Handshake, Finished
[{verify_data,<<227,138,179,...>>}]
>>> Post-Handshake, NewSessionTicket
[{ticket_lifetime,36000},
 {ticket_age_add,603490081},
 {ticket_nonce,<<0,0,0,0,0,0,0,0>>},
 {ticket,<<171,199,59,247,189,239,29,64,120,201,97,9,25,237,189,23,14,66,79,
           20,28,183,239,111,66,143,113,104,140,142,239,3,210,154,56,79,111,
           22,61,146,5,27,205,44,126,202,254,28,11,153,119,106,94,9,243,238,
           72,39,27,37,161,253,205,59,213,216,105,185,149,26,28,140,204,33,90,
           111,39,254,104,99,251,214,102,7,154,201,206,250,139,187,71,173,33,
           215,53,89,33,167,143,247,121,175,110,19,69,85,213,51,181,36,192,52,
           14,216,247,181,255,47,11,177,1,137,7,54,197,245,50,18,28,16,155,
           199,48,90,219,206,186,132,66,123,9,63,122,100,194,145,89,66,106,80,
           126,86,250,166,82,237,230,92,205,124,179,4,25,186,149,254,251,148,
           140,216,58,7,194,35,227,91,252,88,25,37,222,231,73,60,126,170,35,
           209,232,247,150,69,197,18,248,114,96,195,115,66,169,69,202,121,238,
           38,93,120,36,89,59,120,96,125,119,159,151,163,246,199,196,97,119,
           226,73,198,79,126,155,114,47,115,87,225,76,255,167,180,255,146,84,
           122,218,180,27,245,82,67,27,224,248,21,204,67,223,128,89,140,174,
           47,68,196,28,13,43,219,88,213,204,133,49,123,45,225,118,230,32,203,
           150,217,75,169,12,8,9,115,204,253,208,201,166,185,247,186,180,164,
           91,90,119,74,62,172,93,219,148,138,193,241,105,235,23,246,116,250,
           221,207,17,251,113,133,48,170,247,0,226,13,204,179,133,254,199,128,
           246,44,15,67,242,211,170,186,14,225,75,254,126,236,75,116,42,84,
           252,40,160,25,221,247,171,4,207,78,207,196,115,121,216,186,249,238,
           29,179,8,170,223,171,79,45,130,217,77,117,69,28,211,242,176,25,197,
           31,241,94,34,213,107,213,138,33,172,192,42,167,86,207,13,29,222,70,
           225,125,227,47,102,244,40,219,70,60,32,159,181,10,249,161,97,61,54,
           73,231,204,156,190,47,237,123,1,92,97,230,129,168,115,19,104,43,
           197,218,137,14,224,209,121,235,131,237,72,164,25,121,178,55,176,71,
           108,184,175,211,134,20,73,119,56,96,66,19,196,19,119,74,88,86,72,
           165,234,76,94,213,11,85,208,184,214,23,159,222,230,117,64,198,187,
           243,138,87,81,232,90,159,214,206,176,207,153,104,45,51,23,226,148,
           25,98,157,82,91,76,243,225,104,251,20,49,153,87,217,236,20,11,181,
           71,139,244,85,207,3,119,63,24,246,235,115,116,137,113,64,43,248,
           209,124,251,184,12,42,43,139,219,140,253,77,199,210,93,226,84,95,
           50,101,149,45,59,153,111,110,143,133,160,181,223,221,121,244,143,
           166,205,56,104,172,216,26,53,104,233,167,4,101,135,142,78,91,132,
           41,112,240,58,216,235,16,103,3,193,143,232,6,226,233,248,143,20,
           124,184,181,162,191,253,115,5,118,178,34,72,52,226,148,255,213,9,
           88,197,170,109,193,147,209,145,169,36,107,3,232,203,61,201,201,27,
           252,91,94,222,204,194,70,48,137,27,91,92,25,238,81,227,82,246,96,
           76,45,158,98,116,176,3,230,206,118,9,99,156,235,65,237,173,234,104,
           161,228,120,3,28,247,33,15,211,191,74,140,219,211,4,2,217,0,228,99,
           108,51,95,69,197,146,19,160,187,52,152,12,102,242,237,167,80,108,
           81,24,27,34,232,252,83,92,166,174,102,236,248,163,231,163,207,88,
           73,4,56,134,136,159,2,250,192,56,137,50,88,16,107,77,63,77,51,112,
           21,62,167,113,29,175,223,238,155,186,93,254,233,220,4,238,186,87,
           44,143,16,225,99,185,62,53,6,143,25,108,28,214,132,173,115,233,193,
           2,50,89,227,209,135,179,79,35,161,105,188,193,112,126,87,8,140,201,
           149,19,239,61,15,1,106,239,197,249,229,168,87,187,226,126,175,102,
           145,222,49,55,68,165,177,44,84,72,22,209,38,42,8,128,2,153,34,0,
           173,6,164,83,91,186,96,189,32,57,47,180,152,68,12,117,40,236,45,
           228,13,233,227,55,240,135,41,12,189,41,3,8,208,9,84,83,157,14,19,
           253,64,156,89,85,11,117,153,225,161,174,72,115,26,122,237,160,3,
           137,117,102,201,32,9,158,160,98,207,119,222,39,20,35,201,53,95,1,
           197,7,153,24,103,19,116,108,250,71,108,115,173,157,117,140,60,233,
           4,1,25,205,62,154,178,46,148,143,43,10,223,149,193,134,85,101,86,
           20,56,169,31,181,237,61,150,247,21,132,107,83,180,208,27,14,75,142,
           85,81,132,142,121,201,194,96,45,113,187,141,76,34,250,10,230,14,
           250,157,71,188,15,23,188,131,38,136,243,240,50,75,75,219,53,91,198,
           18,98,254,164,57,36,0,64>>},
 {extensions,#{early_data => {early_data_indication_nst,0}}}]
writing (1100 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 04 47 30 05 59  32 a9 19 06 3c 87 1e 60    ....G0.Y2...<..`
...
writing (105 bytes) TLS 1.2 Record Protocol, application_data
0000 - 17 03 03 00 64 92 f7 4c  2c 05 a3 c9 49 3a 38 8a    ....d..L,...I:8.
...
reading (1330 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 05 2d 01 00 05  29 03 03 0a 1b 53 a4 20    ....-...)....S. 
...
writing (24 bytes) TLS 1.2 Record Protocol, application_data
...
<<< TLS 1.3 Handshake, ClientHello
[{client_version,{3,3}},
 {random,
     <<10,27,83,...>>},
 {session_id,
     <<108,228,66,64,5,0,175,245,228,61,108,174,49,29,37,50,193,158,162,9,171,
       103,134,38,234,7,146,62,161,1,252,172>>},
 {cookie,undefined},
 {cipher_suites,
     ["TLS_EMPTY_RENEGOTIATION_INFO_SCSV","TLS_AES_256_GCM_SHA384",
      "TLS_AES_128_GCM_SHA256","TLS_CHACHA20_POLY1305_SHA256",
      "TLS_AES_128_CCM_SHA256","TLS_AES_128_CCM_8_SHA256"]},
 {compression_methods,[0]},
 {extensions,
     #{cookie => undefined,
       client_hello_versions => {client_hello_versions,[{3,4}]},
       certificate_authorities => undefined,
       signature_algs =>
           {signature_algorithms,
               [eddsa_ed25519,eddsa_ed448,ecdsa_secp521r1_sha512,
                ecdsa_secp384r1_sha384,ecdsa_secp256r1_sha256,
                rsa_pss_pss_sha512,rsa_pss_pss_sha384,rsa_pss_pss_sha256,
                rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,rsa_pss_rsae_sha256,
                rsa_pkcs1_sha512,rsa_pkcs1_sha384,rsa_pkcs1_sha256]},
       signature_algs_cert => undefined,use_srtp => undefined,
       elliptic_curves => {supported_groups,[x25519,x448,secp256r1,secp384r1]},
       pre_shared_key =>
           {pre_shared_key_client_hello,
               {offered_psks,
                   [{psk_identity,
                        <<171,199,59,247,189,239,29,64,120,201,97,9,25,237,189,
                          23,14,66,79,20,28,183,239,111,66,143,113,104,140,142,
                          239,3,210,154,56,79,111,22,61,146,5,27,205,44,126,
                          202,254,28,11,153,119,106,94,9,243,238,72,39,27,37,
                          161,253,205,59,213,216,105,185,149,26,28,140,204,33,
                          90,111,39,254,104,99,251,214,102,7,154,201,206,250,
                          139,187,71,173,33,215,53,89,33,167,143,247,121,175,
                          110,19,69,85,213,51,181,36,192,52,14,216,247,181,255,
                          47,11,177,1,137,7,54,197,245,50,18,28,16,155,199,48,
                          90,219,206,186,132,66,123,9,63,122,100,194,145,89,66,
                          106,80,126,86,250,166,82,237,230,92,205,124,179,4,25,
                          186,149,254,251,148,140,216,58,7,194,35,227,91,252,
                          88,25,37,222,231,73,60,126,170,35,209,232,247,150,69,
                          197,18,248,114,96,195,115,66,169,69,202,121,238,38,
                          93,120,36,89,59,120,96,125,119,159,151,163,246,199,
                          196,97,119,226,73,198,79,126,155,114,47,115,87,225,
                          76,255,167,180,255,146,84,122,218,180,27,245,82,67,
                          27,224,248,21,204,67,223,128,89,140,174,47,68,196,28,
                          13,43,219,88,213,204,133,49,123,45,225,118,230,32,
                          203,150,217,75,169,12,8,9,115,204,253,208,201,166,
                          185,247,186,180,164,91,90,119,74,62,172,93,219,148,
                          138,193,241,105,235,23,246,116,250,221,207,17,251,
                          113,133,48,170,247,0,226,13,204,179,133,254,199,128,
                          246,44,15,67,242,211,170,186,14,225,75,254,126,236,
                          75,116,42,84,252,40,160,25,221,247,171,4,207,78,207,
                          196,115,121,216,186,249,238,29,179,8,170,223,171,79,
                          45,130,217,77,117,69,28,211,242,176,25,197,31,241,94,
                          34,213,107,213,138,33,172,192,42,167,86,207,13,29,
                          222,70,225,125,227,47,102,244,40,219,70,60,32,159,
                          181,10,249,161,97,61,54,73,231,204,156,190,47,237,
                          123,1,92,97,230,129,168,115,19,104,43,197,218,137,14,
                          224,209,121,235,131,237,72,164,25,121,178,55,176,71,
                          108,184,175,211,134,20,73,119,56,96,66,19,196,19,119,
                          74,88,86,72,165,234,76,94,213,11,85,208,184,214,23,
                          159,222,230,117,64,198,187,243,138,87,81,232,90,159,
                          214,206,176,207,153,104,45,51,23,226,148,25,98,157,
                          82,91,76,243,225,104,251,20,49,153,87,217,236,20,11,
                          181,71,139,244,85,207,3,119,63,24,246,235,115,116,
                          137,113,64,43,248,209,124,251,184,12,42,43,139,219,
                          140,253,77,199,210,93,226,84,95,50,101,149,45,59,153,
                          111,110,143,133,160,181,223,221,121,244,143,166,205,
                          56,104,172,216,26,53,104,233,167,4,101,135,142,78,91,
                          132,41,112,240,58,216,235,16,103,3,193,143,232,6,226,
                          233,248,143,20,124,184,181,162,191,253,115,5,118,178,
                          34,72,52,226,148,255,213,9,88,197,170,109,193,147,
                          209,145,169,36,107,3,232,203,61,201,201,27,252,91,94,
                          222,204,194,70,48,137,27,91,92,25,238,81,227,82,246,
                          96,76,45,158,98,116,176,3,230,206,118,9,99,156,235,
                          65,237,173,234,104,161,228,120,3,28,247,33,15,211,
                          191,74,140,219,211,4,2,217,0,228,99,108,51,95,69,197,
                          146,19,160,187,52,152,12,102,242,237,167,80,108,81,
                          24,27,34,232,252,83,92,166,174,102,236,248,163,231,
                          163,207,88,73,4,56,134,136,159,2,250,192,56,137,50,
                          88,16,107,77,63,77,51,112,21,62,167,113,29,175,223,
                          238,155,186,93,254,233,220,4,238,186,87,44,143,16,
                          225,99,185,62,53,6,143,25,108,28,214,132,173,115,233,
                          193,2,50,89,227,209,135,179,79,35,161,105,188,193,
                          112,126,87,8,140,201,149,19,239,61,15,1,106,239,197,
                          249,229,168,87,187,226,126,175,102,145,222,49,55,68,
                          165,177,44,84,72,22,209,38,42,8,128,2,153,34,0,173,6,
                          164,83,91,186,96,189,32,57,47,180,152,68,12,117,40,
                          236,45,228,13,233,227,55,240,135,41,12,189,41,3,8,
                          208,9,84,83,157,14,19,253,64,156,89,85,11,117,153,
                          225,161,174,72,115,26,122,237,160,3,137,117,102,201,
                          32,9,158,160,98,207,119,222,39,20,35,201,53,95,1,197,
                          7,153,24,103,19,116,108,250,71,108,115,173,157,117,
                          140,60,233,4,1,25,205,62,154,178,46,148,143,43,10,
                          223,149,193,134,85,101,86,20,56,169,31,181,237,61,
                          150,247,21,132,107,83,180,208,27,14,75,142,85,81,132,
                          142,121,201,194,96,45,113,187,141,76,34,250,10,230,
                          14,250,157,71,188,15,23,188,131,38,136,243,240,50,75,
                          75,219,53,91,198,18,98,254,164,57,36,0,64>>,
                        603490317}],
                   [<<66,159,32,71,167,180,48,16,128,86,132,3,156,241,96,
                      127,196,195,56,19,161,39,22,79,8,42,66,217,191,157,
                      146,46,124,195,75,81,118,111,61,22,205,21,81,121,195,
                      36,230,109>>]}},
       sni => {sni,"..."},
       alpn => undefined,
       ec_point_formats => {ec_point_formats,[0]},
       psk_key_exchange_modes => {psk_key_exchange_modes,[psk_ke,psk_dhe_ke]},
       key_share =>
           {key_share_client_hello,
               [{key_share_entry,x25519,
                    <<108,101,134,136,31,178,4,183,28,251,183,177,120,
                      227,201,128,15,96,237,90,121,112,121,96,95,152,130,
                      214,188,144,91,73>>}]}}}]
>>> TLS 1.3 Handshake, ServerHello
[{server_version,{3,3}},
 {random,<<207,33,173,...>>},
 {session_id,<<108,228,66,64,5,0,175,245,228,61,108,174,49,29,37,50,193,158,
               162,9,171,103,134,38,234,7,146,62,161,1,252,172>>},
 {cipher_suite,"TLS_AES_256_GCM_SHA384"},
 {compression_method,0},
 {extensions,#{cookie =>
                   {cookie,<<47,66,16,...>>},
               server_hello_selected_version =>
                   {server_hello_selected_version,{3,4}},
               key_share => {key_share_hello_retry_request,secp256r1}}}]
writing (199 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 00 c2 02 00 00  be 03 03 cf 21 ad 74 e5    ............!.t.
...
writing (6 bytes) TLS 1.2 Record Protocol, change_cipher_spec
0000 - 14 03 03 00 01 01                                   ......
reading (6 bytes) TLS 1.2 Record Protocol, change_cipher_spec
0000 - 14 03 03 00 01 01                                   ......
reading (1469 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 05 b8 01 00 05  b4 03 03 0a 1b 53 a4 20    .............S. 
...
<<< TLS 1.3 Handshake, ClientHello
[{client_version,{3,3}},
 {random,
     <<10,27,83,...>>},
 {session_id,
     <<108,228,66,64,5,0,175,245,228,61,108,174,49,29,37,50,193,158,162,9,171,
       103,134,38,234,7,146,62,161,1,252,172>>},
 {cookie,undefined},
 {cipher_suites,
     ["TLS_EMPTY_RENEGOTIATION_INFO_SCSV","TLS_AES_256_GCM_SHA384",
      "TLS_AES_128_GCM_SHA256","TLS_CHACHA20_POLY1305_SHA256",
      "TLS_AES_128_CCM_SHA256","TLS_AES_128_CCM_8_SHA256"]},
 {compression_methods,[0]},
 {extensions,
     #{cookie =>
           {cookie,
               <<47,66,16,245,13,...>>},
       client_hello_versions => {client_hello_versions,[{3,4}]},
       certificate_authorities => undefined,
       signature_algs =>
           {signature_algorithms,
               [eddsa_ed25519,eddsa_ed448,ecdsa_secp521r1_sha512,
                ecdsa_secp384r1_sha384,ecdsa_secp256r1_sha256,
                rsa_pss_pss_sha512,rsa_pss_pss_sha384,rsa_pss_pss_sha256,
                rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,rsa_pss_rsae_sha256,
                rsa_pkcs1_sha512,rsa_pkcs1_sha384,rsa_pkcs1_sha256]},
       signature_algs_cert => undefined,use_srtp => undefined,
       elliptic_curves => {supported_groups,[x25519,x448,secp256r1,secp384r1]},
       pre_shared_key =>
           {pre_shared_key_client_hello,
               {offered_psks,
                   [{psk_identity,
                        <<171,199,59,247,189,239,29,64,120,201,97,9,25,237,189,
                          23,14,66,79,20,28,183,239,111,66,143,113,104,140,142,
                          239,3,210,154,56,79,111,22,61,146,5,27,205,44,126,
                          202,254,28,11,153,119,106,94,9,243,238,72,39,27,37,
                          161,253,205,59,213,216,105,185,149,26,28,140,204,33,
                          90,111,39,254,104,99,251,214,102,7,154,201,206,250,
                          139,187,71,173,33,215,53,89,33,167,143,247,121,175,
                          110,19,69,85,213,51,181,36,192,52,14,216,247,181,255,
                          47,11,177,1,137,7,54,197,245,50,18,28,16,155,199,48,
                          90,219,206,186,132,66,123,9,63,122,100,194,145,89,66,
                          106,80,126,86,250,166,82,237,230,92,205,124,179,4,25,
                          186,149,254,251,148,140,216,58,7,194,35,227,91,252,
                          88,25,37,222,231,73,60,126,170,35,209,232,247,150,69,
                          197,18,248,114,96,195,115,66,169,69,202,121,238,38,
                          93,120,36,89,59,120,96,125,119,159,151,163,246,199,
                          196,97,119,226,73,198,79,126,155,114,47,115,87,225,
                          76,255,167,180,255,146,84,122,218,180,27,245,82,67,
                          27,224,248,21,204,67,223,128,89,140,174,47,68,196,28,
                          13,43,219,88,213,204,133,49,123,45,225,118,230,32,
                          203,150,217,75,169,12,8,9,115,204,253,208,201,166,
                          185,247,186,180,164,91,90,119,74,62,172,93,219,148,
                          138,193,241,105,235,23,246,116,250,221,207,17,251,
                          113,133,48,170,247,0,226,13,204,179,133,254,199,128,
                          246,44,15,67,242,211,170,186,14,225,75,254,126,236,
                          75,116,42,84,252,40,160,25,221,247,171,4,207,78,207,
                          196,115,121,216,186,249,238,29,179,8,170,223,171,79,
                          45,130,217,77,117,69,28,211,242,176,25,197,31,241,94,
                          34,213,107,213,138,33,172,192,42,167,86,207,13,29,
                          222,70,225,125,227,47,102,244,40,219,70,60,32,159,
                          181,10,249,161,97,61,54,73,231,204,156,190,47,237,
                          123,1,92,97,230,129,168,115,19,104,43,197,218,137,14,
                          224,209,121,235,131,237,72,164,25,121,178,55,176,71,
                          108,184,175,211,134,20,73,119,56,96,66,19,196,19,119,
                          74,88,86,72,165,234,76,94,213,11,85,208,184,214,23,
                          159,222,230,117,64,198,187,243,138,87,81,232,90,159,
                          214,206,176,207,153,104,45,51,23,226,148,25,98,157,
                          82,91,76,243,225,104,251,20,49,153,87,217,236,20,11,
                          181,71,139,244,85,207,3,119,63,24,246,235,115,116,
                          137,113,64,43,248,209,124,251,184,12,42,43,139,219,
                          140,253,77,199,210,93,226,84,95,50,101,149,45,59,153,
                          111,110,143,133,160,181,223,221,121,244,143,166,205,
                          56,104,172,216,26,53,104,233,167,4,101,135,142,78,91,
                          132,41,112,240,58,216,235,16,103,3,193,143,232,6,226,
                          233,248,143,20,124,184,181,162,191,253,115,5,118,178,
                          34,72,52,226,148,255,213,9,88,197,170,109,193,147,
                          209,145,169,36,107,3,232,203,61,201,201,27,252,91,94,
                          222,204,194,70,48,137,27,91,92,25,238,81,227,82,246,
                          96,76,45,158,98,116,176,3,230,206,118,9,99,156,235,
                          65,237,173,234,104,161,228,120,3,28,247,33,15,211,
                          191,74,140,219,211,4,2,217,0,228,99,108,51,95,69,197,
                          146,19,160,187,52,152,12,102,242,237,167,80,108,81,
                          24,27,34,232,252,83,92,166,174,102,236,248,163,231,
                          163,207,88,73,4,56,134,136,159,2,250,192,56,137,50,
                          88,16,107,77,63,77,51,112,21,62,167,113,29,175,223,
                          238,155,186,93,254,233,220,4,238,186,87,44,143,16,
                          225,99,185,62,53,6,143,25,108,28,214,132,173,115,233,
                          193,2,50,89,227,209,135,179,79,35,161,105,188,193,
                          112,126,87,8,140,201,149,19,239,61,15,1,106,239,197,
                          249,229,168,87,187,226,126,175,102,145,222,49,55,68,
                          165,177,44,84,72,22,209,38,42,8,128,2,153,34,0,173,6,
                          164,83,91,186,96,189,32,57,47,180,152,68,12,117,40,
                          236,45,228,13,233,227,55,240,135,41,12,189,41,3,8,
                          208,9,84,83,157,14,19,253,64,156,89,85,11,117,153,
                          225,161,174,72,115,26,122,237,160,3,137,117,102,201,
                          32,9,158,160,98,207,119,222,39,20,35,201,53,95,1,197,
                          7,153,24,103,19,116,108,250,71,108,115,173,157,117,
                          140,60,233,4,1,25,205,62,154,178,46,148,143,43,10,
                          223,149,193,134,85,101,86,20,56,169,31,181,237,61,
                          150,247,21,132,107,83,180,208,27,14,75,142,85,81,132,
                          142,121,201,194,96,45,113,187,141,76,34,250,10,230,
                          14,250,157,71,188,15,23,188,131,38,136,243,240,50,75,
                          75,219,53,91,198,18,98,254,164,57,36,0,64>>,
                        603490323}],
                   [<<0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
                      0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>>]}},
       sni => {sni,"..."},
       alpn => undefined,
       ec_point_formats => {ec_point_formats,[0]},
       psk_key_exchange_modes => {psk_key_exchange_modes,[psk_ke,psk_dhe_ke]},
       key_share =>
           {key_share_client_hello,
               [{key_share_entry,secp256r1,
                    <<4,31,85,166,62,250,60,207,58,20,1,9,44,231,129,93,
                      163,158,233,189,187,23,158,244,25,3,111,18,116,25,
                      88,149,33,54,127,216,164,67,39,214,21,179,213,223,
                      70,74,221,121,234,28,53,221,10,101,240,52,80,8,1,9,
                      146,19,6,184,128>>}]}}}]
writing (7 bytes) TLS 1.2 Record Protocol, alert
0000 - 15 03 03 00 02 02 2f                                ....../

@yonashaile yonashaile added the bug Issue is reported as a bug label May 17, 2024
@IngelaAndin IngelaAndin added the team:PS Assigned to OTP team PS label May 20, 2024
@IngelaAndin
Contributor

@yonashaile Did you enable fips-mode in runtime in crypto? See crypto:enable_fips_mode/1
https://www.erlang.org/doc/man/crypto#enable_fips_mode-1

Also did you compile Erlang/OTP with fips mode enabled?

Also note you cannot select cipher suites in Erlang/OTP by configuring OpenSSL; we only use the OpenSSL cryptolib, and the protocol is implemented in Erlang.

@IngelaAndin IngelaAndin self-assigned this May 20, 2024
@yonashaile
Author

@IngelaAndin
fips-mode is already enabled for crypto at run-time and Erlang/OTP is compiled with fips-mode as well.

So without removing TLS_CHACHA20_POLY1305_SHA256 and curve x25519, tls1.3 application will not start since the crypto are not supported on fips enabled openssl.

After removing, application works fine, except when client tries to resume with the session ticket (as shown in the issue description)

@IngelaAndin
Contributor

@yonashaile Oh, I see. I think I did not click your "removal patch" and misunderstood what you meant by that. I will look into it.

@IngelaAndin
Contributor

IngelaAndin commented May 23, 2024

Have not had time to figure out the resumption thing yet, but made a patch for checking minimum requirements for TLS-1.3
#8504

@IngelaAndin
Contributor

@yonashaile I have a question: what do you mean that the resumption should work? An empty binder cannot be valid. Do you mean that the server should fall back to a full handshake? Is this actually FIPS-related? Have you tried this without FIPS?

@IngelaAndin IngelaAndin added the waiting waiting for changes/input from author label Jun 10, 2024
@IngelaAndin
Contributor

@yonashaile ping

@yonashaile
Author

@IngelaAndin Apologies for the delayed response.

My assumption was that with the patch applied TLS1_3 session resumption would work with OTP client and OTP server. However, it fails with

module=tls_server_session_ticket function=validate_binder/5 line=236  TLS :server: In state :start at tls_server_session_ticket.erl:236 generated SERVER ALERT: Fatal - Illegal Parameter
 - :stateless

The only way session resumption works is if the client has supported_groups configured with secp256r1, secp384r1 (without x25519).
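
How a TLS 1.3 server checks a resumption PSK binder when the handshake includes a HelloRetryRequest (RFC 8446, sections 4.2.11.2 and 4.4.1), as an added example that is not part of this thread and is not OTP's tls_server_session_ticket code. SHA-384 is an assumption, and the PSK and handshake messages are constructed placeholder bytes.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha384  # assumption: hash of the cipher suite bound to the PSK
HLEN = HASH().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    # HkdfLabel from RFC 8446 section 7.1; one HMAC block is enough for length <= HLEN.
    full = b"tls13 " + label
    info = struct.pack("!HB", length, len(full)) + full + bytes([len(context)]) + context
    return hmac.new(secret, info + b"\x01", HASH).digest()[:length]

def transcript_hash(truncated_ch: bytes, ch1: bytes = None, hrr: bytes = None) -> bytes:
    # truncated_ch is the ClientHello up to and including the PSK identities,
    # i.e. without the binders list. After a HelloRetryRequest, ClientHello1 is
    # replaced by a synthetic message_hash message (type 254) followed by the HRR.
    prefix = b""
    if hrr is not None:
        prefix = b"\xfe\x00\x00" + bytes([HLEN]) + HASH(ch1).digest() + hrr
    return HASH(prefix + truncated_ch).digest()

def compute_binder(psk: bytes, truncated_ch: bytes, ch1=None, hrr=None) -> bytes:
    early_secret = hkdf_extract(b"\x00" * HLEN, psk)
    # "res binder" is the label for resumption PSKs; its context is Hash("").
    binder_key = hkdf_expand_label(early_secret, b"res binder", HASH(b"").digest(), HLEN)
    finished_key = hkdf_expand_label(binder_key, b"finished", b"", HLEN)
    return hmac.new(finished_key, transcript_hash(truncated_ch, ch1, hrr), HASH).digest()

def validate_binder(psk: bytes, received: bytes, truncated_ch: bytes, ch1=None, hrr=None) -> bool:
    expected = compute_binder(psk, truncated_ch, ch1, hrr)
    return hmac.compare_digest(expected, received)  # constant-time comparison

# Constructed sample data standing in for real handshake messages.
PSK = bytes(range(32))
CH1 = b"\x01\x00\x00\x04ch-1"
HRR = b"\x02\x00\x00\x03hrr"
CH2_TRUNCATED = b"\x01\x00\x00\x04ch-2"

if __name__ == "__main__":
    good = compute_binder(PSK, CH2_TRUNCATED, CH1, HRR)
    print("recomputed binder accepted:", validate_binder(PSK, good, CH2_TRUNCATED, CH1, HRR))
    print("zero-filled binder accepted:", validate_binder(PSK, bytes(HLEN), CH2_TRUNCATED, CH1, HRR))
```

A binder left at its zero-filled placeholder, or one computed over the second ClientHello alone, does not match the value the server derives, so the second ClientHello must carry a binder recomputed over the full transcript.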
