
programs/ssl/ssl_server2 bug

Open hey3e opened this issue 1 year ago • 2 comments

Summary

programs/ssl/ssl_server2 refuses following tls1.3 connections from a peer if that peer used to establish tls1.2 connections with the server previously.

System information

Mbed TLS version (number or commit id): 3.4.0 f1c032adb
Operating system and version: Ubuntu 22.04.2 LTS
Configuration (if not default, please attach mbedtls_config.h): #define MBEDTLS_SSL_PROTO_TLS1_3
Compiler and options (if you used a pre-built binary, please indicate how you obtained it): default
Additional environment information: no

Expected behavior

programs/ssl/ssl_server2 allows following tls1.3 connections from a peer if that peer used to establish tls1.2 connections with the server previously.

Actual behavior

programs/ssl/ssl_server2 refuses following tls1.3 connections from a peer if that peer used to establish tls1.2 connections with the server previously.

Steps to reproduce

server: ./programs/ssl/ssl_server2
client: ./programs/ssl/ssl_client2 force_version=tls12
server shows: Successful connection

Then, ctrl+c to close the client, keep the server running, and restart the client with ./programs/ssl/ssl_client2 force_version=tls13
server shows: Last error was: -0x7780 - SSL - A fatal alert message was received from our peer

Additional information

Did not see this behavior in other tls implementations.

hey3e avatar Dec 22 '23 13:12 hey3e

From include/mbedtls/mbedtls_config.h:

* \def MBEDTLS_SSL_PROTO_TLS1_3
*
* Enable support for TLS 1.3.
*
* \note The support for TLS 1.3 is not comprehensive yet, in particular
*       pre-shared keys are not supported.
*       See docs/architecture/tls13-support.md for a description of the TLS
*       1.3 support that this option enables.

From docs/architecture/tls13-support.md:

  • Supported versions: - TLS 1.2 and TLS 1.3 with version negotiation on the client side, not server side.

In summary, the server side doesn't have version negotiation yet. This is a documented limitation of TLS 1.3 in the library, which is a feature still in development.

yanesca avatar Jan 12 '24 09:01 yanesca

Thanks for the report. I have checked and this is still relevant in 3.5 where we support version negotiation on server side. When a connection is closed, ssl_server2 uses mbedtls_ssl_session_reset() to reset the SSL context to prepare for the following connection. In mbedtls_ssl_session_reset() the TLS maximum negotiable version is not reset properly: if the last connection negotiated TLS 1.2 that's the new maximum.

ronald-cron-arm avatar Jan 12 '24 12:01 ronald-cron-arm
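As an added illustration of the mechanism described in the comment above (not code from the thread or from Mbed TLS itself), the following is a hypothetical model of the server's version state: one field serves as the negotiation ceiling and is then overwritten with the negotiated version, so a reset that leaves it untouched makes the previous connection's version the new maximum. Names, types and the version constants are constructed for the model.

```c
#include <assert.h>
#include <stdio.h>

/* Constructed model of the state involved in the report; not the library's code. */
enum { TLS1_2 = 0x0303, TLS1_3 = 0x0304 };

typedef struct { int max_tls_version; } ssl_config;   /* configured once, like conf->max_tls_version */
typedef struct {
    const ssl_config *conf;
    int tls_version;   /* ceiling for negotiation, then the negotiated version */
} ssl_context;

static void ssl_setup(ssl_context *ssl, const ssl_config *conf) {
    ssl->conf = conf;
    ssl->tls_version = conf->max_tls_version;
}

/* Server-side negotiation: accept the client's version if it is within the
 * ceiling, otherwise fail (in the real server the peer then sees a fatal alert). */
static int server_handshake(ssl_context *ssl, int client_version) {
    if (client_version > ssl->tls_version) return -1;
    ssl->tls_version = client_version;   /* negotiated version overwrites the ceiling */
    return 0;
}

/* Buggy reset: other state cleared, tls_version left as last negotiated. */
static void session_reset_buggy(ssl_context *ssl) { (void)ssl; }

/* Fixed reset: restore the configured maximum before the next connection. */
static void session_reset_fixed(ssl_context *ssl) {
    ssl->tls_version = ssl->conf->max_tls_version;
}

/* Replay the report: TLS 1.2 client, reset, then TLS 1.3 client.
 * Returns the result of the second handshake (0 = accepted, -1 = refused). */
int run_scenario(int use_fixed_reset) {
    ssl_config conf = { TLS1_3 };
    ssl_context ssl;
    ssl_setup(&ssl, &conf);
    assert(server_handshake(&ssl, TLS1_2) == 0);   /* force_version=tls12 succeeds */
    if (use_fixed_reset) session_reset_fixed(&ssl); else session_reset_buggy(&ssl);
    return server_handshake(&ssl, TLS1_3);         /* force_version=tls13 */
}

int main(void) {
    printf("buggy reset: TLS 1.3 after TLS 1.2 -> %s\n", run_scenario(0) == 0 ? "accepted" : "refused");
    printf("fixed reset: TLS 1.3 after TLS 1.2 -> %s\n", run_scenario(1) == 0 ? "accepted" : "refused");
    return 0;
}
```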

Fix released in Mbed TLS v3.6 by

commit ad736991bb59211118a29fe115367c24495300c2
Merge: 2f387e98a c522255e3
Author: Janos Follath <[email protected]>
Date:   Fri Feb 9 16:04:59 2024 +0000

    Merge pull request #1177 from ronald-cron-arm/tls-max-version-reset

    Reset properly the TLS maximum negotiable version

tom-cosgrove-arm avatar Apr 08 '24 09:04 tom-cosgrove-arm