Issue 418553003: Implement TLS_FALLBACK_SCSV for SSLClientSocketOpenSSL.

Issue 418553003: Implement TLS_FALLBACK_SCSV for SSLClientSocketOpenSSL. (Closed)

Created:
6 years, 5 months ago by davidben

Modified:
6 years, 5 months ago

Reviewers:
agl

CC:
chromium-reviews, cbentzel+watch_chromium.org

Base URL:
svn://svn.chromium.org/chrome/trunk/src

Project:
chromium

Visibility:
Public.

More Reviews

Description

Implement TLS_FALLBACK_SCSV for SSLClientSocketOpenSSL. In doing so, fix a bug in tlslite's TLS_FALLBACK_SCSV support; the fallback alert should be sent with the client's version. Otherwise OpenSSL reports SSL_R_UNSUPPORTED_PROTOCOL and doesn't report the alert. This behavior is probably not wrong as, if the server responds with a TLS version higher than what is supported, we can't really be sure of the parse. BUG=388425 Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=285764

Patch Set 1 #

Patch Set 2 : rebase #

Created: 6 years, 5 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+8 lines, -9 lines)			Patch
M	net/socket/openssl_ssl_util.cc	View		1 chunk	+2 lines, -0 lines	0 comments	Download
M	net/socket/ssl_client_socket_openssl.cc	View	1	1 chunk	+3 lines, -0 lines	0 comments	Download
M	net/url_request/url_request_unittest.cc	View		2 chunks	+0 lines, -8 lines	0 comments	Download
M	third_party/tlslite/patches/fallback_scsv.patch	View		1 chunk	+2 lines, -1 line	0 comments	Download
M	third_party/tlslite/tlslite/tlsconnection.py	View		1 chunk	+1 line, -0 lines	0 comments	Download

Messages

Total messages: 12 (0 generated)

Expand Messages | Collapse Messages

agl

I'm concerned about the OpenSSL client behaviour here. What version is tlslite returning that's causing ...

6 years, 5 months ago (2014-07-24 19:27:14 UTC) #2

davidben

On 2014/07/24 19:27:14, agl wrote: > I'm concerned about the OpenSSL client behaviour here. > ...

6 years, 5 months ago (2014-07-24 20:00:58 UTC) #3

On 2014/07/24 19:27:14, agl wrote:
> I'm concerned about the OpenSSL client behaviour here.
> 
> What version is tlslite returning that's causing OpenSSL to return a different
> error? If it's reasonable behaviour then either we need to adjust OpenSSL, or
we
> need to change the fallback IETF draft to nail down the alert record's
version.
> 
> (Technically it's not a security issue because the server has already killed
the
> connection, but it might cause a bunch of confusion.)

tlslite is returning TLS 1.2 because that's the highest version it's configured
to accept. OpenSSL then rejects it because at this point it's been configured to
disable 1.0 through 1.2 and so it behaves as if it doesn't know what TLS 1.2 is
and rejects. This is the order of the block at line 603 and the block at line
633.

https://boringssl.googlesource.com/boringssl/+/master/ssl/s23_clnt.c#603

OpenSSL's behavior here seems defensible. While it would be perfectly fine for
it to accept the alert in this case, say the server implements a TLS 1.3 that
wasn't in the client yet. It seems a little off to accept a record whose
record-layer version number is higher than any version you know exists. Makes
more sense if it ended up being a ServerHello, but perhaps that should be parsed
differently in TLS 1.3.

Then again, NSS seems to be perfectly happy here and even doesn't complain if I
set self.version to (3, 4). So that ship has sailed anyway and we're not
actually allowed to change the format for null cipher alerts sent in response to
a ClientHello, even if you pick a higher version number. In which case,
reordering those two blocks seems pretty safe and we may as well report the more
specific alert value.

I think the patch for tlslite does match how a server should behave though. It
knows the client speaks client_version, so alerting at that level seems fine.
(It actually even knows the client speaks client_version + 1.) But it doesn't
know the client speaks TLS 1.2 and should avoid responding in that version. And
it'll be the version the current server implementation uses because
FALLBACK_SCSV happens after the normal version negotiation, though I should
double-check this against our servers.