Add option to disable Extended Master Secret#3910
Add option to disable Extended Master Secret#3910tmshort wants to merge 2 commits intoopenssl:masterfrom
Conversation
|
Can you explain the use case? I could maybe understand that a client might not want to send that extension because it might break some other implementation, but I see no point in the server not using it when the client supports it. |
|
Yes, it's a broken server. |
|
Out of curiosity, what is the server and how is it broken? (EMS-specific, or is this extension intolerance?) We ship EMS in all our clients with no way to disable it. I don't recall seeing evidence of compatibility problems. |
|
Specifically, it's IBM HTTP Server for WebSphere Application Server, Version 8.5.5.7, which runs on top of Java. If we remove the EMS extension, it works; but reordering extensions might also work (but that's harder to do in 1.1.0 vs master due to code changes), and it could be related to a server not handling empty extensions at the end of the extension list correctly. A possibly similar problem was reported on NSS: Which reordered the extensions. Disabling EMS was the easiest solution vs. reordering extensions. There's also #2669, which may be related. |
|
I think you mean #2691. The other seems to be about encrypt then mac? |
|
I guess I prefer a solution that tries to avoid the problem, instead of having to disable it. |
|
@kroeckx, I agree. I'm looking into that now, but I have to wait for the test server to be setup. That being said, we have use for disabling EMS; and there's also an option to disable EtM, which has similar arguments for/against the ability to disable. |
|
And I just found this on the IETF mailing list: So, I will be looking at moving EMS, EtM and SessionTickets to not be last. As pointed above, this is easy on master, harder on 1.1.0. |
|
Further investigation has shown that WebSphere 8.5.5 cannot handle EtM, so porting the SSL_OP_NO_ENCRYPT_THEN_MAC option from master to 1.1.0 might be a good idea. |
#3922 FWIW |
|
Is this resolved now by moving the sig algs extension? |
|
@mattcaswell the fundamental issue of WebSphere is fixed with the sigalgs changes. However, being able to disable EMS might still be a useful feature. |
|
@mattcaswell do you think we should leave this open or close it after the sigalg extension was moved? |
|
I think the change still has merit, regardless of the sigalg commit. But I'm not going to force the issue. |
ssl/statem/extensions_clnt.c
Outdated
There was a problem hiding this comment.
I'm not sure if this change is necessary. If the option is set then we will not have proposed EMS. If the server sends an unsolicited ems response then the extensions system should barf. So we should only ever get here if we proposed it - which means the option is not set.
There was a problem hiding this comment.
Correct. This is just safety, but not strictly necessary.
There was a problem hiding this comment.
I will point out that tls_parse_stoc_etm() - immediately above this function - does check for SSL_OP_NO_ENCRYPT_THEN_MAC. This behavior should fall under the same umbrella.
test/sslapitest.c
Outdated
There was a problem hiding this comment.
Doesn't this function need to set the max protocol to TLSv1.2?
tmshort
force-pushed
the
master-no-ems
branch
from
e309428 to
dbddd9a
Compare
tmshort
force-pushed
the
master-no-ems
branch
from
dbddd9a to
15a8aa0
Compare
|
Rebased |
kaduk
left a comment
kaduk
left a comment
There was a problem hiding this comment.
@mattcaswell did your concerns get adequately addressed?
|
What's the current motivation for this change? It sounds from the thread that issues with WebSphere were since resolved. |
|
There are some setups such as those described in https://tools.ietf.org/html/draft-erb-lurk-rsalg-01 that are not easily adopted to be compatible with EMS. |
|
ping @mattcaswell ? |
|
Done @mattcaswell |
include/openssl/ssl.h
Outdated
There was a problem hiding this comment.
Why not just delete all these reserved values - since they are no longer reserved, i.e. master will become OpenSSL 3.0.0.
There was a problem hiding this comment.
It seems helpful to have annotations to remind anyone preparing a change for backport of the constraints involved
include/openssl/ssl.h
Outdated
There was a problem hiding this comment.
I wonder if these signature changes will result in any compilation issues for end user applications.
There was a problem hiding this comment.
For (most) 64-bit platforms, it shouldn't make much of a difference; assuming unsigned long ~ uint64_t
For 32-bit platforms, there will be some issues, and users would have to cast them away, or handle the return value properly. Since all the values are in the lower 32-bits, casting won't have issues until more options are used.
There was a problem hiding this comment.
It's unclear that this counts as "API compatible; e.g., I expect modern compilers to warn about the truncated return value.
There was a problem hiding this comment.
Yes, compiles will warn, but it won't break anything until upper-32-bit option values are defined.
There was a problem hiding this comment.
I think this warrants a discussion on openssl-project
There was a problem hiding this comment.
I started to write an email to the list about this, but in putting it together I think I answered the question I was going to ask. Specificially openssl/web#82 says:
"No existing public interface can be modified except where changes are unlikely to break source compatibility."
On thinking about this I think a warning is likely to be sufficient to break some builds. Many builds treat warnings as errors. So I'm thinking that this change is probably a step too far.
My suggestion is to remove it from this PR - since really this is just an incidental tangent to the main point of this PR. If we are only targetting 3.0 then we can reuse one of the currently "reserved" SSL_OP_ values for now. We should probably also raise an issue that we're running out of SSL_OP_ values and we can figure out in a separate PR the best way of handling it.
There was a problem hiding this comment.
Thanks (I should've come back to look at this earlier). Certainly have a 64-suffix version would allow for extension. This would only be an issue with 32-bit platforms. Let's say we drop those. ;) /s
There was a problem hiding this comment.
Indeed, if we are only targeting 3.0.0, then we are fine re-using the bit. But, I do see a use for adding it to 1.1.1, but not critically.
There was a problem hiding this comment.
This would only be an issue with 32-bit platforms. Let's say we drop those.
Technically those with a 32-bit long. This includes 64-bit Windows. :-(
There was a problem hiding this comment.
I was being sarcastic! :) But I undid the 64-bit changes.
test/sslapitest.c
Outdated
There was a problem hiding this comment.
This could be done more easily in the arguments to create_ssl_ctx_pair
Add SSL_OP64_NO_EXTENDED_MASTER_SECRET, that can be set on either an SSL or an SSL_CTX. When processing a ClientHello, if this flag is set, do not indicate that the EMS TLS extension was received in either the ssl3 object or the SSL_SESSION. Retain most of the sanity checks between the previous and current session during session resumption, but weaken the check when the current SSL object is configured to not use EMS.
tmshort
force-pushed
the
master-no-ems
branch
from
16ce933 to
72bef04
Compare
|
The build failure appears to be related to the sparse_array implementation. |
|
|
The last commit should fix the test issues. |
|
CI red crosses are unrelated. |
mattcaswell
added
branch: master
|
Needs 2nd review. @openssl/committers |
paulidale
added
approval: done
|
Pushed. Thanks. |
Add SSL_OP64_NO_EXTENDED_MASTER_SECRET, that can be set on either an SSL or an SSL_CTX. When processing a ClientHello, if this flag is set, do not indicate that the EMS TLS extension was received in either the ssl3 object or the SSL_SESSION. Retain most of the sanity checks between the previous and current session during session resumption, but weaken the check when the current SSL object is configured to not use EMS. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #3910)
|
Did we conclude that we can't have I have used it in OpenConnect (here) to avoid asking for extms when resuming the (fake) DTLS session. But that's only for OpenSSL HEAD; with OpenSSL 1.1.0 and 1.1.1 it's still requesting it in the ClientHello. The only reason I get away with this for now is because neither Cisco's server nor the free ocserv implementation actually support it. If they did, they should refuse to resume the session as discussed. |
Yes, that was the decision. |
|
Thanks. Are we open to... less elegant solutions such as perhaps never allowing extms for That's only a partial solution though; Cisco have now finally updated to support a standard version of DTLS (v1.2) at least in the virtual ASA applicances. And they're still using the session resume hack, instead of proper negotiation with PSK, as we do in the open ocserv server. Not quite sure how to address that, other than relying on the server not to accept extms even if we do offer it. We are manually generating the ASN.1 session state so perhaps we could put something special in there like a That wouldn't have the problems of the original patch because Not sure I like it though. Better ideas? |
|
Hello, I have some concern about it. we have a lot of customers with CryptoPro 4.0R3 (it is russian gost implementation). CryptoPro 4.0R3 does not like EMS in server helo handshake. so, what are we supposed to do with are we supposed to
I mean that not being ported to 1.1.1 branch is weird and left us no choice for today. |
|
From my experience, I can confirm that some GOST implementations do not support EMS correctly, so the option (disabled by default, of cause) would be rather useful. |
The option SSL_OP_NO_EXTENDED_MASTER_SECRET add in openssl#3910. And it is valid for versions below (D)TLS 1.2.
The option SSL_OP_NO_EXTENDED_MASTER_SECRET was added in #3910. And it is valid for versions below (D)TLS 1.2. Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #17597)
12 participants
Add SSL_OP_NO_EXTENDED_MASTER_SECRET, that can be set on either
an SSL or an SSL_CTX. When processing a ClientHello, if this flag
is set, do not indicate that the EMS TLS extension was received in
either the ssl3 object or the SSL_SESSION.
Add a commit to increase SSL options to be 64 bits on all platforms.
Checklist