crypto/tls: randomly generate ticket_age_add [freeze exception] #52814

@nervuri

crypto/tls always sets newSessionTicketMsgTLS13.ageAdd to 0, which makes it so that clients resuming a session can't obfuscate the obfuscated_ticket_age. This violates the TLS 1.3 spec (RFC 8446, section 4.6.1):

ticket_age_add: A securely generated, random 32-bit value that is
used to obscure the age of the ticket that the client includes in
the "pre_shared_key" extension. The client-side ticket age is
added to this value modulo 2^32 to obtain the value that is
transmitted by the client. The server MUST generate a fresh value
for each ticket it sends.

See the sendSessionTickets() function.

How to reproduce

  • Run a simple TLS server: https://go.dev/play/p/t2moO8mDTmb (notice I set srv.SetKeepAlivesEnabled(false); we don't want connection reuse)
  • open Wireshark, listen on loopback interface and filter on tls.handshake
  • curl -k https://localhost:8443 https://localhost:8443

In Wireshark, open the second Client Hello message, look at the pre_shared_key extension and you'll see that obfuscated_ticket_age is 0 (or very close to 0).

Proposed fix

Given that you don't check the obfuscated_ticket_age, it's enough to assign ageAdd a random value each time.
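
The ticket-age arithmetic from the RFC text quoted above, as an added example that is not part of the original issue and not crypto/tls code. The helper names (newTicketAgeAdd, obfuscate, recoverAge) and the sample age are assumptions made for illustration; ticket age is counted in milliseconds, as RFC 8446 specifies.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// newTicketAgeAdd (hypothetical helper) returns a fresh 32-bit
// ticket_age_add from the OS CSPRNG, one per ticket sent.
func newTicketAgeAdd() (uint32, error) {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		return 0, err
	}
	return binary.BigEndian.Uint32(b[:]), nil
}

// obfuscate is the client side: ticket age in milliseconds plus
// ticket_age_add, modulo 2^32 (uint32 addition wraps).
func obfuscate(age time.Duration, ageAdd uint32) uint32 {
	return uint32(age/time.Millisecond) + ageAdd
}

// recoverAge is the server side: subtract ticket_age_add modulo 2^32.
func recoverAge(obfuscated, ageAdd uint32) time.Duration {
	return time.Duration(obfuscated-ageAdd) * time.Millisecond
}

func main() {
	age := 1500 * time.Millisecond // constructed sample ticket age

	// With ageAdd fixed at 0, the value on the wire is the real age.
	fmt.Println("ageAdd=0, on the wire:", obfuscate(age, 0))

	ageAdd, err := newTicketAgeAdd()
	if err != nil {
		panic(err)
	}
	wire := obfuscate(age, ageAdd)
	fmt.Println("random ageAdd, on the wire:", wire)
	fmt.Println("server recovers:", recoverAge(wire, ageAdd))
}
```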

Labels: FrozenDueToAge, NeedsFix (The path to resolution is known, but the work has not been done.), Security
