During renegotiation OpenSSL sends in ServerHello an extension not advertised by client in the second ClientHello #14875

@tomato42

During renegotiation, when the client doesn't advertise support for the ec_point_formats extension in the second ClientHello, the server will still include it in the ServerHello.

This is a violation of RFC 5246 section 7.4.1.3:

   extensions
      A list of extensions.  Note that only extensions offered by the
      client can appear in the server's list.

and a violation of a MUST NOT of section 7.4.1.4:

   An extension type MUST NOT appear in the ServerHello unless the same
   extension type appeared in the corresponding ClientHello.  If a
   client receives an extension type in ServerHello that it did not
   request in the associated ClientHello, it MUST abort the handshake
   with an unsupported_extension fatal alert.

Both master (3057311) and 1.1.1 branches are affected.

reproducer

openssl req -x509 -newkey rsa -keyout /tmp/localhost.key -out /tmp/localhost.crt -subj /CN=localhost -nodes -batch
openssl s_server -key /tmp/localhost.key -cert /tmp/localhost.crt -www 2>server.err >server.out &
openssl_pid=$!
git clone https://github.com/tomato42/tlsfuzzer
pushd tlsfuzzer
# won't be needed after https://github.com/tlsfuzzer/tlsfuzzer/pull/750 gets merged
git checkout renego-tests
git clone https://github.com/tlsfuzzer/tlslite-ng .tlslite-ng
ln -s .tlslite-ng/tlslite tlslite
git clone https://github.com/tlsfuzzer/python-ecdsa .python-ecdsa
ln -s .python-ecdsa/src/ecdsa ecdsa
PYTHONPATH=. python scripts/test-renegotiation-changed-clienthello.py -d
popd
kill $openssl_pid

OpenSSL output

Could not read params of DH parameters from /tmp/cert.pem
Using default temp DH parameters
ACCEPT
read R BLOCK
read R BLOCK
read R BLOCK
read R BLOCK
406763CD417F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:309:
read R BLOCK
406763CD417F0000:error:0A000068:SSL routines:final_ems:inconsistent extms:ssl/statem/extensions.c:1165:
read R BLOCK
read R BLOCK
read R BLOCK
read R BLOCK
read R BLOCK

tlsfuzzer output

sanity ...
OK

drop supported_groups in renegotiation ...
OK

drop alpn in renegotiation ...
OK

drop supported_versions in renegotiation ...
OK

drop status_request in renegotiation ...
OK

drop ec_point_formats in renegotiation ...
Error encountered while processing node ExpectServerHello(description='second handshake') (child: <tlsfuzzer.expect.ExpectCertificate object at 0x7fc83bc5b580>) with last message being: <tlslite.messages.Message object at 0x7fc83bc17070>
Error while processing
Traceback (most recent call last):
  File "scripts/test-renegotiation-changed-clienthello.py", line 408, in main
    runner.run()
  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 239, in run
    node.process(self.state, msg)
  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 743, in process
    self._process_extensions(state, cln_hello, srv_hello)
  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 627, in _process_extensions
    raise AssertionError("Server sent unadvertised "
AssertionError: Server sent unadvertised extension of type ec_point_formats

drop psk_key_exchange_modes in renegotiation ...
OK

drop extended_master_secret in renegotiation ...
OK

drop key_share in renegotiation ...
OK

drop post_handshake_auth in renegotiation ...
OK

drop pre_shared_key in renegotiation ...
OK

sanity - renegotiation ...
OK

drop 18 in renegotiation ...
OK

sanity ...
OK

Test how server behaves when the renegotiation Client Hello is
changed compared to the initial ClientHello.

If the renegotiation is supposed to be disabled use the
test-renegotiation-disabled.py or
test-renegotiation-disabled-client-cert.py scripts to verify
that.

Test end
====================
version: 1
====================
TOTAL: 14
SKIP: 0
PASS: 13
XFAIL: 0
FAIL: 1
XPASS: 0
====================
FAILED:
        'drop ec_point_formats in renegotiation'
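
The rule quoted from RFC 5246 section 7.4.1.4, written out as a stand-alone check (an added example, not code from the issue, tlsfuzzer or OpenSSL). All function and constant names are hypothetical, the hello messages are constructed samples, and the allowance for `renegotiation_info` when the client sent the RFC 5746 SCSV goes beyond the case in the report.

```python
RENEGOTIATION_INFO = 0xFF01   # extension type, RFC 5746
EMPTY_RENEGO_SCSV = 0x00FF    # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, RFC 5746

def _vec(buf, pos, len_bytes):  # length-prefixed vector -> (payload, next position)
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    end = pos + len_bytes + n
    if end > len(buf):
        raise ValueError("truncated vector")
    return buf[pos + len_bytes:end], end

def _ext_types(buf, pos):  # extension types in wire order
    if pos == len(buf):    # the extensions block may be absent entirely
        return []
    block, _ = _vec(buf, pos, 2)
    types, i = [], 0
    while i < len(block):
        types.append(int.from_bytes(block[i:i + 2], "big"))
        _, i = _vec(block, i + 2, 2)   # skip extension_data, not interpreted here
    return types

def parse_client_hello(body):  # handshake body -> (cipher suite ids, ext types)
    _, pos = _vec(body, 34, 1)         # skip version + random, read session_id
    suites, pos = _vec(body, pos, 2)
    _, pos = _vec(body, pos, 1)        # compression_methods
    ids = [int.from_bytes(suites[i:i + 2], "big") for i in range(0, len(suites), 2)]
    return ids, _ext_types(body, pos)

def parse_server_hello(body):  # handshake body -> ext types
    _, pos = _vec(body, 34, 1)
    return _ext_types(body, pos + 3)   # cipher_suite (2) + compression_method (1)

def unadvertised_extensions(client_hello, server_hello):
    """Types in ServerHello that the corresponding ClientHello did not offer."""
    suites, offered = parse_client_hello(client_hello)
    allowed = set(offered)
    if EMPTY_RENEGO_SCSV in suites:    # RFC 5746: the SCSV stands in for the extension
        allowed.add(RENEGOTIATION_INFO)
    return [t for t in parse_server_hello(server_hello) if t not in allowed]

def build_hello(suites, exts, client):
    """Constructed sample input: minimal hello body, zero random, empty session id."""
    ext = b"".join(t.to_bytes(2, "big") + len(d).to_bytes(2, "big") + d for t, d in exts)
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    cs = len(cs).to_bytes(2, "big") + cs + b"\x01\x00" if client else cs + b"\x00"
    return b"\x03\x03" + bytes(32) + b"\x00" + cs + len(ext).to_bytes(2, "big") + ext

# Constructed: second ClientHello omits ec_point_formats (11); ServerHello still has it.
CLIENT_HELLO_2 = build_hello([0xC02F], [(10, b"\x00\x02\x00\x17"), (RENEGOTIATION_INFO, b"\x00")], True)
SERVER_HELLO_2 = build_hello([0xC02F], [(RENEGOTIATION_INFO, b"\x00"), (11, b"\x01\x00")], False)
```

The inputs are handshake message bodies, without the record header or the 4-byte handshake header; the ClientHello passed in must be the one from the same handshake as the ServerHello, not the initial one.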


Labels: branch: 1.1.1 (Applies to OpenSSL_1_1_1-stable branch (EOL)); branch: master (Applies to master branch); triaged: bug (The issue/pr is/fixes a bug)
