Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using SSL_CTX_use_serverinfo_file() with multiple certs can lead to unexpected handshake failure #719

Closed
Castaglia opened this issue Feb 21, 2016 · 1 comment
Closed

Using SSL_CTX_use_serverinfo_file() with multiple certs can lead to unexpected handshake failure #719

Castaglia opened this issue Feb 21, 2016 · 1 comment

Comments

@Castaglia
Copy link
Contributor

When SSL_CTX_use_serverinfo_file() is used to configure custom TLS extension data for an SSL_CTX, e.g. SCT data, and that SSL_CTX has been configured with multiple certificates via SSL_CTX_use_certificate(), strange things can happen.

To illustrate, assume a SSL_CTX which has been configured with a serverinfo file for TLS extension type 18, and two server certificates: first an RSA certificate, then an EC certificate. With such a server setup, using openssl s_client to request the configured TLS extension might work:

$ openssl s_client -connect 127.0.0.1:8443 -cipher ECDSA -serverinfo 18
CONNECTED(00000003)
-----BEGIN SERVERINFO FOR EXTENSION 18-----
...

or it might not:

$ openssl s_client -connect 127.0.0.1:8443 -cipher RSA -serverinfo 18
CONNECTED(00000003)
140735089771344:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:

It turns out that by requesting the TLS extension type 18 in the handshake, the handshake fails for the first configured server certificate, but succeeds for the last configured server certificate.

Once this bug is fixed, another unexpected behavior surfaces: the TLS extension data is only returned when the last configured server certificate is used. It looks like this happens because SSL_CTX_use_serverinfo_file(), meant to configure the TLS extension data for the entire SSL_CTX, only copies that data into the currently configured cert (i.e. ctx->cert->key->serverinfo). But when TLS extension data is retrieved, it's done using the cert->pkeys array. Adding another server certificate adds another entry to the cert->pkeys array and changes ctx->cert->key, but does not copy/preserve any configured serverinfo data.

This behavior was noticed as part of diagnosing this StackOverflow issue: http://serverfault.com/q/758482/253490
This was referenced Feb 21, 2016
Closed
Closed
levitte pushed a commit that referenced this issue May 2, 2016
@Castaglia
Issue #719:
8769314 
If no serverinfo extension is found in some cases, do not abort the handshake,
but simply omit/skip that extension.

Check for already-registered serverinfo callbacks during serverinfo
registration.

Update SSL_CTX_use_serverinfo() documentation to mention the need to reload the
same serverinfo per certificate, for servers with multiple server certificates.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
levitte pushed a commit that referenced this issue May 2, 2016
@Castaglia
Issue #719:
5f18bc5 
If no serverinfo extension is found in some cases, do not abort the handshake,
but simply omit/skip that extension.

Check for already-registered serverinfo callbacks during serverinfo
registration.

Update SSL_CTX_use_serverinfo() documentation to mention the need to reload the
same serverinfo per certificate, for servers with multiple server certificates.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
@mattcaswell
Copy link
Member

This should be fixed now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Castaglia @mattcaswell