Description
crypto/tls always sets `newSessionTicketMsgTLS13.ageAdd` to 0, which makes it so that clients resuming a session can't obfuscate the `obfuscated_ticket_age`. This violates the TLS 1.3 spec (RFC 8446, section 4.6.1):
> ticket_age_add: A securely generated, random 32-bit value that is
> used to obscure the age of the ticket that the client includes in
> the "pre_shared_key" extension. The client-side ticket age is
> added to this value modulo 2^32 to obtain the value that is
> transmitted by the client. The server MUST generate a fresh value
> for each ticket it sends.

See the `sendSessionTickets()` function.
How to reproduce

- Run a simple TLS server: https://go.dev/play/p/t2moO8mDTmb (notice I set `srv.SetKeepAlivesEnabled(false)`; we don't want connection reuse)
- Open Wireshark, listen on the loopback interface and filter on `tls.handshake`
- Run `curl -k https://localhost:8443 https://localhost:8443`
- In Wireshark, open the second Client Hello message, look at the `pre_shared_key` extension and you'll see that `obfuscated_ticket_age` is 0 (or very close to 0).
Proposed fix

Given that you don't check the `obfuscated_ticket_age`, it's enough to assign `ageAdd` a random value each time.
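As an added illustration (not code from crypto/tls), the snippet below shows the RFC 8446 arithmetic around `ticket_age_add`: the server draws a fresh random 32-bit value per ticket, the client adds its ticket age modulo 2^32, and the server subtracts the same value to recover the age. The helper names (`newTicketAgeAdd`, `obfuscateTicketAge`, `recoverTicketAge`) are assumptions for this example; with `ageAdd` fixed at 0 the wire value is simply the plaintext age, which is the leak the issue describes.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// newTicketAgeAdd returns a fresh, securely generated 32-bit ticket_age_add.
// RFC 8446 section 4.6.1 requires a new value for every NewSessionTicket.
func newTicketAgeAdd() (uint32, error) {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		return 0, err
	}
	return binary.BigEndian.Uint32(b[:]), nil
}

// obfuscateTicketAge is the client-side computation: ticket age in
// milliseconds plus ticket_age_add, modulo 2^32 (uint32 addition wraps).
func obfuscateTicketAge(ageMillis, ageAdd uint32) uint32 {
	return ageMillis + ageAdd
}

// recoverTicketAge is the server-side inverse: subtracting ticket_age_add
// modulo 2^32 yields the age the client claimed.
func recoverTicketAge(obfuscated, ageAdd uint32) uint32 {
	return obfuscated - ageAdd
}

func main() {
	ageAdd, err := newTicketAgeAdd()
	if err != nil {
		panic(err)
	}
	// Constructed sample: the client resumes 1.5 s after receiving the ticket.
	const age = uint32(1500)
	obf := obfuscateTicketAge(age, ageAdd)
	fmt.Printf("ticket_age_add=%d obfuscated_ticket_age=%d recovered=%d\n",
		ageAdd, obf, recoverTicketAge(obf, ageAdd))
	// With ageAdd == 0 (current crypto/tls behaviour) the age is sent as-is.
	fmt.Printf("with ticket_age_add=0 the wire value is the plain age: %d\n",
		obfuscateTicketAge(age, 0))
}
```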