Handshake failure: TLSv1.3 early data?

Handshake failure: TLSv1.3 early data?

Angus Robertson - Magenta Systems Ltd
My public web servers show several handshake failures daily due to
'TLSv1.3 early data', sometimes after a previous successful TLSv1.3
connection, but not always.

I'm not currently attempting to handle any early data; I thought it was
disabled by default.

Is there something I should be doing like using
SSL_CTX_set_allow_early_data_cb() to reject the early data?  Or setting
SSL_CTX_set_recv_max_early_data() to zero?

Maybe these errors are the result of bad client implementations and I
should just ignore them.  

Like all public servers, there are thousands of hacking attempts daily,
and other silly accesses, like why would anyone want to negotiate
protocol 0x0103 while also sending the EC Group extension?  

Angus


Re: Handshake failure: TLSv1.3 early data?

Matt Caswell-2


On 23/03/2020 11:09, Angus Robertson - Magenta Systems Ltd wrote:
> My public web servers show several handshake failures daily due to
> 'TLSv1.3 early data', sometimes after a previous successful TLSv1.3
> connection, but not always.

Do you have specific error messages?


>
> I'm not currently attempting to handle any early data, I thought it was
> disabled by default.

It is. You don't need to do anything to disable early data.

> Maybe these errors are the result of bad client implementations and I
> should just ignore them.  

Possibly - but it would be good to see error messages.

Matt

>
> Like all public servers, there are thousands of hacking attempts daily,
> and other silly accesses, like why would anyone want to negotiate
> protocol 0x0103 while also sending the EC Group extension?  
>
> Angus
>

Re: Handshake failure: TLSv1.3 early data?

Angus Robertson - Magenta Systems Ltd
> > My public web servers show several handshake failures daily
> > due to 'TLSv1.3 early data', sometimes after a previous
> > successful TLSv1.3 connection, but not always.
>
> Do you have specific error messages?

I seem to only report the state rather than an error once the socket is
closed; it will take a few hours to get some more failures with real errors.

Angus


Re: Handshake failure: TLSv1.3 early data?

Matt Caswell-2


On 23/03/2020 12:06, Angus Robertson - Magenta Systems Ltd wrote:
>>> My public web servers show several handshake failures daily
>>> due to 'TLSv1.3 early data', sometimes after a previous
>>> successful TLSv1.3 connection, but not always.
>>
>> Do you have specific error messages?
>
> I seem to only report the state rather than an error once the socket is
> closed; it will take a few hours to get some more failures with real errors.

The state machine can (briefly) transition through the early data state
even though early data is not being accepted, i.e. it's there long enough
to say "nothing to do here". So one explanation is that you're in that
state when you hit the error - even though it's nothing to do with early
data itself.

Matt


Re: Handshake failure: TLSv1.3 early data?

OpenSSL - User mailing list
Is it possible the browsers are trying to send early data?


Re: Handshake failure: TLSv1.3 early data?

Angus Robertson - Magenta Systems Ltd
> Is it possible the browsers are trying to send early data?
 
I doubt it. I was not reporting the error; trying to report errors
before they disappear with clean-up code is an art, and does not always
work, so mostly I now see:

error:00000000:lib(0):func(0):reason(0), State: TLSv1.3 early data,
connection closed unexpectedly

but sometimes

error:140E0197:SSL routines:SSL_shutdown:shutdown while in init, State:
SSL negotiation finished successfully

But only four failures are logged on the live server so far, there will
be more handshake failures overnight that might be more helpful.

Suspect the real issue is simply the client abandoning the connection,
and different places leave different errors.  Some failures are obvious,
like TLSv1, which is disabled on the server.

But I was worried our TLSv1.3 implementation was missing something
important.  Read a lot about early data, but not really why anyone uses
it in practice, if it is used. Quite content to continue to ignore
early data.    

Angus


Re: Handshake failure: TLSv1.3 early data?

Angus Robertson - Magenta Systems Ltd
> error:140E0197:SSL routines:SSL_shutdown:shutdown while in init,
> State: SSL negotiation finished successfully

And lots more similar overnight:

error:140E0197:SSL routines:SSL_shutdown:shutdown while in init, State:
TLSv1.3 early data

It seems some browsers open three to five sockets at the same time and
then don't complete SSL negotiation on all of them, just closing them
in various states.  

So not really negotiation failures.  

Angus
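The thread ends with the observation that most of these log lines are clients dropping sockets mid-handshake rather than real negotiation failures. The following triage script is an added example, not code from the thread: it parses the OpenSSL 1.1.x error strings quoted above (lib/func/reason packed as lib<<24 | func<<12 | reason), separates "client abandoned" lines (no error, or SSL_shutdown while still in init) from genuine handshake failures, and treats the "TLSv1.3 early data" state as context only, per Matt's explanation. The sample log is constructed from the quoted lines plus one constructed unsupported-protocol line of the kind a TLSv1-only client produces.

```python
"""Triage OpenSSL handshake-failure log lines of the shape seen in this thread."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the line shapes quoted in the thread (wrapped lines joined),
# plus one constructed line of the kind a client offering only a disabled protocol
# (e.g. TLSv1) would leave behind.
SAMPLE_LOG = [
    "error:00000000:lib(0):func(0):reason(0), State: TLSv1.3 early data, connection closed unexpectedly",
    "error:140E0197:SSL routines:SSL_shutdown:shutdown while in init, State: SSL negotiation finished successfully",
    "error:140E0197:SSL routines:SSL_shutdown:shutdown while in init, State: TLSv1.3 early data",
    "error:140E0197:SSL routines:SSL_shutdown:shutdown while in init, State: TLSv1.3 early data",
    "error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, State: SSLv3/TLS read client hello",
]

LINE_RE = re.compile(r"^error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^,]*),\s*State:\s*(.*)$")

ERR_LIB_SSL = 0x14                    # library field of every "SSL routines" code
SSL_R_SHUTDOWN_WHILE_IN_INIT = 0x197  # reason 407 in OpenSSL 1.1.1

@dataclass
class Event:
    code: int          # full 32-bit packed error code
    lib: int           # code >> 24
    func: int          # (code >> 12) & 0xFFF
    reason: int        # code & 0xFFF
    reason_text: str   # human-readable reason from the log line
    state: str         # SSL state string at the time of the error
    note: str          # trailing note such as "connection closed unexpectedly"
    verdict: str       # "client-abandoned" or "handshake-failure"

def classify(code: int, lib: int, reason: int) -> str:
    # No OpenSSL error at all: the peer simply closed the socket. The "early data"
    # state is transient and does not mean the client sent early data.
    if code == 0:
        return "client-abandoned"
    # Our SSL_shutdown() ran before the handshake completed: the client went away
    # mid-handshake (browsers opening spare sockets and dropping them).
    if lib == ERR_LIB_SSL and reason == SSL_R_SHUTDOWN_WHILE_IN_INIT:
        return "client-abandoned"
    # Anything else is a real negotiation failure worth counting on its own.
    return "handshake-failure"

def parse_line(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an OpenSSL error line: {line!r}")
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    state, _, note = m.group(5).partition(", ")   # split state from trailing note
    return Event(code, lib, func, reason, m.group(4), state, note,
                 classify(code, lib, reason))

def triage(lines) -> Counter:
    """Count verdicts over a batch of log lines."""
    return Counter(parse_line(line).verdict for line in lines)
```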



Re: Handshake failure: TLSv1.3 early data?

OpenSSL - User mailing list
> It seems some browsers open three to five sockets at the same time and
> then don't complete SSL negotiation on all of them, just closing them
> in various states.
 
Yes, this is exactly what they do.