Zero length finished messages with resumed sessions?

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Zero length finished messages with resumed sessions?

Viktor Dukhovni

Has anyone seen the type of problem reported on the postfix-users list today?

    http://archives.neohapsis.com/archves/postfix/2013-05/0158.html

    (and earlier posts upthread).

TLS handshakes without session resumption succeed, while resumed
sessions always fail, with the server sending a zero-length "finished"
message (which encrypts to 32 bytes).  I don't yet which TLS toolkit
the server is running.  The version of OpenSSL on the client does
not seem to matter.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Zero length finished messages with resumed sessions?

Viktor Dukhovni
On Thu, May 09, 2013 at 12:11:38AM +0000, Viktor Dukhovni wrote:

> Has anyone seen the type of problem reported on the postfix-users list today?
>
>     http://archives.neohapsis.com/archves/postfix/2013-05/0158.html
>
>     (and earlier posts upthread).
>
> TLS handshakes without session resumption succeed, while resumed
> sessions always fail, with the server sending a zero-length "finished"
> message (which encrypts to 32 bytes).  I don't yet which TLS toolkit
> the server is running.  The version of OpenSSL on the client does
> not seem to matter.

However disabling TLS extensions in the client does.  With "no-tlsext",
the server does not resume past sessions.  Perhaps the server's
implementation of session tickets is the culprit.  Has anyone else
observed such servers in the wild?

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Zero length finished messages with resumed sessions?

Dr. Stephen Henson
On Thu, May 09, 2013, Viktor Dukhovni wrote:

> On Thu, May 09, 2013 at 12:11:38AM +0000, Viktor Dukhovni wrote:
>
> > Has anyone seen the type of problem reported on the postfix-users list today?
> >
> >     http://archives.neohapsis.com/archves/postfix/2013-05/0158.html
> >
> >     (and earlier posts upthread).
> >
> > TLS handshakes without session resumption succeed, while resumed
> > sessions always fail, with the server sending a zero-length "finished"
> > message (which encrypts to 32 bytes).  I don't yet which TLS toolkit
> > the server is running.  The version of OpenSSL on the client does
> > not seem to matter.
>
> However disabling TLS extensions in the client does.  With "no-tlsext",
> the server does not resume past sessions.  Perhaps the server's
> implementation of session tickets is the culprit.  Has anyone else
> observed such servers in the wild?
>

Try it with -no_ticket

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Zero length finished messages with resumed sessions?

Viktor Dukhovni
On Thu, May 09, 2013 at 05:58:14PM +0200, Dr. Stephen Henson wrote:

> > However disabling TLS extensions in the client does.  With "no-tlsext",
> > the server does not resume past sessions.  Perhaps the server's
> > implementation of session tickets is the culprit.  Has anyone else
> > observed such servers in the wild?
> >
>
> Try it with -no_ticket

Yes, that works, as does using SSLv3.  With SMTP however, one cannot
reasonably keep track of which destinations need a particular
work-around unless they are very few in number.  Otherwise, one is
forced to apply the work-around globally, and I am reluctant to
disable session tickets for all mail deliveries.  (Stable Postfix
releases don't yet have the means to do this).

So I'm more interested in any leads about which servers are prone
to this misbehaviour.  Did any past OpenSSL versions mishandle
session tickets and acccept the session only to then fail to
negotiate correctly  (zero length finished)?

It seems likely that the servers are running some OpenSSL version
or other, but so far I only have directl access to the client, not
the server.

Is there anything in past versions of OpenSSL that would have
trouble with session tickets?  Maybe a poor interaction between
tickets and an external session cache?  (Postfix uses the session
callbacks to save and restore sessions from an on-disk shared
database).  I've tried a bunch of different OpenSSL versions, and
can't reproduce the issue with any server I compile.  (I am not
fool enough to break this foolproof system).

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Zero length finished messages with resumed sessions?

Viktor Dukhovni
On Thu, May 09, 2013 at 04:54:33PM +0000, Viktor Dukhovni wrote:

> So I'm more interested in any leads about which servers are prone
> to this misbehaviour.  Did any past OpenSSL versions mishandle
> session tickets and acccept the session only to then fail to
> negotiate correctly  (zero length finished)?
>
> It seems likely that the servers are running some OpenSSL version
> or other, but so far I only have directl access to the client, not
> the server.
>
> Is there anything in past versions of OpenSSL that would have
> trouble with session tickets?  Maybe a poor interaction between
> tickets and an external session cache?  (Postfix uses the session
> callbacks to save and restore sessions from an on-disk shared
> database).  I've tried a bunch of different OpenSSL versions, and
> can't reproduce the issue with any server I compile.  (I am not
> fool enough to break this foolproof system).

One of the servers is:

    OpenSSL 0.9.9-dev 09 May 2008
    built on: NetBSD 5.1_STABLE
    platform: NetBSD-x86_64
    options:  bn(64,64) md2(int) rc4(1x,char) des(idx,cisc,4,int)
    blowfish(idx)
    compiler: gcc version 4.1.3 20080704 (prerelease) (NetBSD nb3 20111107)
    OPENSSLDIR: "/etc/openssl"

does that ring any bells?  Can anyone think of a specific ticket-related
bug fixed between 0.9.9-dev and 1.0.0 that can account for malformed
handshakes with zero-length finished messages?

With any luck this issue is limited to a small number of older
NetBSD servers running 0.9.9-dev.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Zero length finished messages with resumed sessions?

Dr. Stephen Henson
On Thu, May 09, 2013, Viktor Dukhovni wrote:

> On Thu, May 09, 2013 at 04:54:33PM +0000, Viktor Dukhovni wrote:
>
> > So I'm more interested in any leads about which servers are prone
> > to this misbehaviour.  Did any past OpenSSL versions mishandle
> > session tickets and acccept the session only to then fail to
> > negotiate correctly  (zero length finished)?
> >
> > It seems likely that the servers are running some OpenSSL version
> > or other, but so far I only have directl access to the client, not
> > the server.
> >
> > Is there anything in past versions of OpenSSL that would have
> > trouble with session tickets?  Maybe a poor interaction between
> > tickets and an external session cache?  (Postfix uses the session
> > callbacks to save and restore sessions from an on-disk shared
> > database).  I've tried a bunch of different OpenSSL versions, and
> > can't reproduce the issue with any server I compile.  (I am not
> > fool enough to break this foolproof system).
>
> One of the servers is:
>
>     OpenSSL 0.9.9-dev 09 May 2008
>     built on: NetBSD 5.1_STABLE
>     platform: NetBSD-x86_64
>     options:  bn(64,64) md2(int) rc4(1x,char) des(idx,cisc,4,int)
>     blowfish(idx)
>     compiler: gcc version 4.1.3 20080704 (prerelease) (NetBSD nb3 20111107)
>     OPENSSLDIR: "/etc/openssl"
>
> does that ring any bells?  Can anyone think of a specific ticket-related
> bug fixed between 0.9.9-dev and 1.0.0 that can account for malformed
> handshakes with zero-length finished messages?
>
> With any luck this issue is limited to a small number of older
> NetBSD servers running 0.9.9-dev.
>

In case it isn't clear there never was an official 0.9.9 release so this is
presumably based on a development version snapshot.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Zero length finished messages with resumed sessions?

Viktor Dukhovni
On Thu, May 09, 2013 at 08:13:57PM +0200, Dr. Stephen Henson wrote:

> > One of the servers is:
> >
> >     OpenSSL 0.9.9-dev 09 May 2008
> >     built on: NetBSD 5.1_STABLE
> >     platform: NetBSD-x86_64
> >     options:  bn(64,64) md2(int) rc4(1x,char) des(idx,cisc,4,int)
> >     blowfish(idx)
> >     compiler: gcc version 4.1.3 20080704 (prerelease) (NetBSD nb3 20111107)
> >     OPENSSLDIR: "/etc/openssl"
> >
> > does that ring any bells?  Can anyone think of a specific ticket-related
> > bug fixed between 0.9.9-dev and 1.0.0 that can account for malformed
> > handshakes with zero-length finished messages?
> >
> > With any luck this issue is limited to a small number of older
> > NetBSD servers running 0.9.9-dev.
> >
>
> In case it isn't clear there never was an official 0.9.9 release so this is
> presumably based on a development version snapshot.

Yes, I know.  Some NetBSD releases in development concurrently with
what was OpenSSL 0.9.9 at the time ended up shipping some snapshot
of 0.9.9-dev when they were released ahead of OpenSSL 1.0.0,
presumably with some backported patches over time.

So perhaps they got the trouble they deserve by shipping an unstable
library in an unstable release.

If possible I would like to know which bug fix made the problem go
away, so that we can be sure it is really gone, and perhaps we can
tell users which versions are likely to have problems.

If the bug was eliminated "accidentally" as part of a rewrite or
while fixing related issues, then I may not get the answer I'm
looking for.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]