[Bug 2019094] Re: [SRU] Focal: TLS 1.3 doesn't work on strict firewall/middlebox

Andreas Hasenack 2019094 at bugs.launchpad.net
Thu Jun 15 21:47:00 UTC 2023 

If I run the server just with

openssl s_server -cert nsnx2.pem -key nsnx2.key

Then it will spit out the connection details, and I can see that it uses
either TLSv1.3:

  CIPHER is TLS_AES_256_GCM_SHA384


Or a TLSv1.2 cipher, when the gnutls restriction is in place:

  CIPHER is ECDHE-RSA-AES256-GCM-SHA384


Can we try this in focal?
/etc/gnutls/client
[overrides]
disabled-version = tls1.3

Maybe something was fixed in later curl/pycurl versions, or even gnutls?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/2019094

Title:
  [SRU] Focal: TLS 1.3 doesn't work on strict firewall/middlebox

Status in gnutls28 package in Ubuntu:
  Invalid
Status in gnutls28 source package in Focal:
  In Progress

Bug description:
  [ Impact ]

   * On Focal, the TLS 1.3 handshake might fail on strict
     (or misbehaving) proprietary firewall/middlebox that
     requires a non-empty Session ID (as TLS 1.2) per RFC.

   * The RFC specifies the ClientHello should always have
     a non-empty session ID, but this _is_ empty in Focal.

   * RFC 8446, Appendix D.4. Middlebox Compatibility Mode [1]
     """
     ... a significant number of middleboxes misbehave
     when a TLS client/server pair negotiates TLS 1.3.
     ... handshake look more like a TLS 1.2 handshake:

     -  The client always provides a non-empty session ID
        in the ClientHello, ...
     """

   * Reverse build dependencies that link against the
     static libraries in libgnutls28-dev
     would need No-Change Rebuilds to pick up this fix.
     (see `reverse-depends -b -r focal libgnutls28-dev`)

     However, none were found (details in comment #8).

  [ Test Plan ]

   * Check whether TLS 1.3 handshake has `Session ID:`

     - Focal (no):
        $ gnutls-cli --priority NORMAL:-VERS-ALL:+VERS-TLS1.3 ubuntu.com </dev/null
        ...
        - Description: (TLS1.3-X.509)-...
        - Options:
        - Handshake was completed
        ...

     - Jammy (yes):
        $ gnutls-cli --priority NORMAL:-VERS-ALL:+VERS-TLS1.3 ubuntu.com </dev/null
        ...
        - Description: (TLS1.3-X.509)-...
        - Session ID: CB:7D:DF:...
        - Options:
        - Handshake was completed
        ...

   * Check tests run at build time (`Testsuite summary for GnuTLS`).

     Tests passed per the build log from PPA with test packages:

        ===================================
        Testsuite summary for GnuTLS 3.6.13
        ===================================

   * Check autopkgtests from gnutls28 against PPA/SRU [4,6].

     Tests passed against PPA with test packages:

        autopkgtest [12:40:02]: @@@@@@@@@@@@@@@@@@@@ summary
        run-upstream-testsuite PASS

   * Check autopkgtests from reverse test triggers against PPA/SRU
     (see comment #12).

        $ reverse-depends -b -r focal src:gnutls28
        Reverse-Testsuite-Triggers
        * ...

   * (Internal) Verify the original reporter's proprietary
     firewall/middlebox now works with TLS 1.3 from GnuTLS.

  There is a test package available in the following ppa:

  https://launchpad.net/~mruffell/+archive/ubuntu/sf359157-test

  If you install the test package, the session ID is set
  correctly.

  [ Regression Potential ]

   * TLS 1.3 handshake now includes non-empty Session ID
     in ClientHello, so there's a behavior change in the
     Client side-only, but it does affect how particular
     Servers handle the client, depending on Session ID.

   * Thus, theoretically, if issues were to occur, that
     likely would manifest as client connection errors
     with TLS 1.3 (failures would be realized early and
     fast), and a workaround available is using TLS 1.2.

   * Even though changes to TLS handshake understandably
     may be scary (considering the impact of regressions),
     the proposed change is specified by the RFC (and is
     there to help w/ wider compatibility) and is already
     implemented in later versions (3.7.1 in Hirsute [5]).

  [ Other Info ]

   * Bionic is not impacted (TLS 1.2 only)
   * Jammy and later already fixed (TLS 1.3 on GnuTLS 3.7+)

  The fixes required are:

  commit e0bb98e1f71f94691f600839ff748d3a9f469d3e
  Author: Norbert Pocs <npocs at redhat.com>
  Date:   Fri Oct 30 17:18:30 2020 +0100
  Subject: Fix non-empty session id (TLS13_APPENDIX_D4)
  Link: https://gitlab.com/gnutls/gnutls/-/commit/e0bb98e1f71f94691f600839ff748d3a9f469d3e

  commit 5416fdc259d8df9b797d249f3e5d58789b2e2cf9
  Author: Daiki Ueno <ueno at gnu.org>
  Date:   Wed Feb 3 15:50:08 2021 +0100
  Subject: gnutls_session_is_resumed: don't check session ID in TLS 1.3
  Link: https://gitlab.com/gnutls/gnutls/-/commit/5416fdc259d8df9b797d249f3e5d58789b2e2cf9

  commit 05ee0d49fe93d8812ef220c7b830c4b3553ac4fd
  Author: Daiki Ueno <ueno at gnu.org>
  Date:   Sun Jan 24 07:34:24 2021 +0100
  Subject: handshake: TLS 1.3: don't generate session ID in resumption mode
  Link: https://gitlab.com/gnutls/gnutls/-/commit/05ee0d49fe93d8812ef220c7b830c4b3553ac4fd

  commit 24c9a24640c137b47bb1e8cc5fee2315f57219ad
  Author: Daiki Ueno <ueno at gnu.org>
  Date: Thu, 22 Apr 2021 16:42:01 +0200
  Subject: handshake: don't regenerate legacy_session_id in second CH after HRR
  Link: https://gitlab.com/gnutls/gnutls/-/commit/24c9a24640c137b47bb1e8cc5fee2315f57219ad

  [ Links ]

  [1] https://www.rfc-editor.org/rfc/rfc8446#appendix-D.4
  [4] https://autopkgtest.ubuntu.com/packages/g/gnutls28
  [5] https://launchpad.net/ubuntu/+source/gnutls28/3.7.1-3ubuntu1
  [6] https://autopkgtest.ubuntu.com/results/autopkgtest-focal-mruffell-sf359157-test/focal/amd64/g/gnutls28/20230524_124015_b6884@/log.gz

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/2019094/+subscriptions

More information about the foundations-bugs mailing list