Bug#873055: libgnutls30: Safe renegotiation breaks on session resumption with OpenSSL client
Andreas Metzler
ametzler at bebt.de
Thu Aug 24 18:28:25 UTC 2017
Control; forwarded -1 https://gitlab.com/gnutls/gnutls/issues/259
On 2017-08-24 Thomas Klute <thomas2.klute at uni-dortmund.de> wrote:
> Package: libgnutls30
> Version: 3.5.14-3
> Severity: normal
> If the %SAFE_RENEGOTIATION flag is enabled in the priorities string of
> a GnuTLS server, Client Hellos from OpenSSL clients attempting session
> resumption are rejected with a "safe renegotiation failed" error, even
> though the client does support safe renegotiation. Note that the
> handshake works as expected if the session cache entry or ticket has
> expired (without resumption, of course), so the bug only affects
> otherwise successful resumption.
> I have initially observed this bug using mod_gnutls (package
> libapache2-mod-gnutls), but it is fully reproducible using only the
> GnuTLS and OpenSSL command line tools. The logs below have been
> produced by running a gnutls-serv server and connecting using openssl
> s_client and gnutls-cli (separated by three pings for clarity in
> client logs and packet capture), both set to immediately disconnect
> and resume after the initial handshake. The GnuTLS client can resume
> the TLS session as expected, while the OpenSSL client is rejected.
> Commands to reproduce:
> (server)$ gnutls-serv --priority="NORMAL:%SAFE_RENEGOTIATION"
> --x509keyfile=server/secret.key --x509certfile=server/x509-chain.pem -p 4433
> (OpenSSL client)$ openssl s_client -connect localhost:4433 -reconnect
> (GnuTLS client)$ gnutls-cli -p 4433 --x509cafile=authority/x509.pem
> --resume localhost
> A packet capture taken during this process shows a difference in how
> GnuTLS and OpenSSL signal safe renegotiation support in the Client
> Hello: GnuTLS sends the renegotiation_info extension, OpenSSL includes
> the TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the list of cipher suites.
> According to RFC 5746 both are equally valid for both full and
> session-resumption handshakes, but the GnuTLS server appears to ignore
> the SCSV during session resumption.
[...]
Hello,
thank you, I have forwarded the issue upstream after verifying that it
still applies to 3.6.0.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
More information about the Pkg-gnutls-maint
mailing list