ripe-atlas-probe-measurements icon indicating copy to clipboard operation
ripe-atlas-probe-measurements copied to clipboard

Published 20 hours ago verified publisher icon RIPE-NCC

sslgetcert: Add EC Point Formats extension to TLS handshake (fix connections to Vercel servers)

Open dkg opened this issue 2 years ago • 8 comments

As described in Section 5.1.2 of RFC 8422, the EC Point Formats extension is valid for TLS 1.2 and earlier. It is deprecated in TLS 1.3 (RFC 8446), but that doesn't stop some servers from requiring it. There is no harm in supplying the extension to a TLS 1.3 server.

In particular, Vercel (https://vercel.com/) TLS terminators seem to respond with a handshake failure alert if the EC Point Format extension is not present in the Client Hello.

This can be seen with measurement 49131334: https://atlas.ripe.net/measurements/49131334/#probes

This changeset should add the EC Point Format extension to the probe, which will result in successful certificate harvesting from Vercel servers, without introducing any incompatibilities to other servers.

I have not been able to test these changes as i don't have a full build environment set up for atlas probe. I welcome feedback or edits.

dkg avatar Jan 25 '23 21:01 dkg

So, if I understand you correctly, this is basically a workaround for a bug in someone else's implementation. In other areas (in particular DNS nowadays) that's a hot topic, and consensus seems to be to avoid doing it, because ultimately it complicates things rather than encourage bug fixing.

I could not immediately find what "deprecated in TLS 1.3" really means, i.e. is it now a MUST NOT or a SHOULD NOT or something else. How sure are we that adding this will not actually upset other implementations, especially compliant ones?

robert-kisteleki avatar Jan 26 '23 09:01 robert-kisteleki

it's not a MUST NOT or a SHOULD NOT -- and when it comes to the ClientHello flight (the initial flight) of a TLS handshake from a client willing to do TLS 1.2 or TLS 1.3, it's entirely reasonable to include the extension, knowing that a TLS 1.3-only server won't care.

At any rate, the sslgetcert probe itself can't do TLS 1.3 at the moment (it would need to be able to decrypt the incoming response since most of the server's first flight is ephemerally encrypted in TLS 1.3), so omitting that extension just because TLS 1.3 doesn't use it isn't a great reason.

I do agree with you that vercel's implementation should be more gracious in handling the lack of an extension, regardless of the client's behavior, but this is not about working around a nasty bug by being non-compliant with the standards. The sslgetcert client isn't even a standards-compliant TLS endpoint, since the only thing it does is emit the ClientHello of a TLS handshake and record the response from the server. But even sslgetcert was a full TLS client, emitting the ec_point_formats extension would be reasonable: its goal is to capture the certificate(s) from the widest range of TLS servers.

At any rate, i've opened a discussion over on vercel's community forum (i'm not a Vercel customer, and i don't know where else to do this) to encourage them to fix their server implementation as well, but i think until sslgetcert is intending to be TLS 1.3 only, it should go ahead and offer the EC point format extension just to be safe.

dkg avatar Feb 03 '23 23:02 dkg

@dkg do you have the option of fixing the above comments and resubmitting the patch?

Brgrds

Michel

michel-stam avatar Feb 08 '23 13:02 michel-stam

@michel-stam i'm not sure i understand what comments need to be fixed..

If you can point me toward anything wrong with the patch, i'd be happy to fix it.

dkg avatar Feb 13 '23 17:02 dkg

@michel-stam i'm not sure i understand what comments need to be fixed..

If you can point me toward anything wrong with the patch, i'd be happy to fix it.

Hi @dkg,

Will tag you on the comments if thats ok with you. If anything is unclear, please reach out.

Cheers,

Michel

michel-stam avatar Feb 14 '23 16:02 michel-stam

@michel-stam wrote:

Will tag you on the comments if thats ok with you. If anything is unclear, please reach out.

Sure, it is certainly OK to tag me on comments, but if you've already done that then i am not seeing them. Sorry if i'm just being confused about how github works. any explanation or pointers to specific comments would be welcome!

dkg avatar Feb 14 '23 21:02 dkg

Hi @dkg . Please search this page for the text: "@dkg this comment will need fixing." You will find them. If not contact me directly via email and I'll try and send you screenshots.

Regards,

Michel

michel-stam avatar Feb 15 '23 08:02 michel-stam

Thanks for the review, @michel-stam! I've pushed a new version that i think resolves all the issues.

dkg avatar Mar 03 '23 17:03 dkg