s2n-tls icon indicating copy to clipboard operation
s2n-tls copied to clipboard

Published 20 hours ago verified publisher icon aws

[AL2] Integrationv2 test_client_authentication failures

Open dougch opened this issue 4 years ago • 3 comments

Security issue notifications

If you discover a potential security issue in s2n we ask that you notify AWS Security via our vulnerability reporting page. Please do not create a public github issue.

Problem:

~10% failure rate for the test_client_authentication:

=============================================================================================== 448 failed, 4592 passed in 2645.95s (0:44:05) ================================================================================================
ERROR: InvocationError for command /home/ec2-user/gitrepos/s2n/tests/integrationv2/.tox/py38/bin/pytest -n 2 --cache-clear -rpfsq --provider-version=openssl-1.1.1 --fips-mode=0 --no-pq=1 test_client_authentication.py (exited with code 1)
__________________________________________________________________________________________________________________ summary ___________________________________________________________________________________________________________________
ERROR:   py38: commands failed

repro steps:

  • start an EC2 m6g instance with amazonlinux2, checkout s2n
  • sudo ./codebuild/bin/install_al2_dependencies.sh
  • sudo ./codebuild/bin/install_default_dependencies.sh
  • sudo S2N_PRINT_STACKTRACE=1 INTEGV2_TEST=all TESTS=integrationv2 S2N_NO_PQ=1 S2N_NO_SSLYZE=true S2N_LIBCRYPTO=openssl-1.1.1 ./codebuild/bin/s2n_codebuild.sh

Solution:

A description of the possible solution in terms of S2N architecture. Highlight and explain any potentially controversial design decisions taken.

  • Does this change what S2N sends over the wire? If yes, explain.
  • Does this change any public APIs? If yes, explain.
  • Which versions of TLS will this impact?

Requirements / Acceptance Criteria:

What must a solution address in order to solve the problem? How do we know the solution is complete?

  • RFC links: Links to relevant RFC(s)
  • Related Issues: Link any relevant issues
  • Will the Usage Guide or other documentation need to be updated?
  • Testing: How will this change be tested? Call out new integration tests, functional tests, or particularly interesting/important unit tests.
    • Will this change trigger SAW changes? Changes to the state machine, the s2n_handshake_io code that controls state transitions, the DRBG, or the corking/uncorking logic could trigger SAW failures.
    • Should this change be fuzz tested? Will it handle untrusted input? Create a separate issue to track the fuzzing work.

Out of scope:

Is there anything the solution will intentionally NOT address?

dougch avatar Nov 17 '20 23:11 dougch

What were the commonalities in the failures? This feels like an unsupported algorithm or flag or similar.

rday avatar Nov 18 '20 13:11 rday

What were the commonalities in the failures? This feels like an unsupported algorithm or flag or similar.

the theme appears to be RSA with TLS1.0, examples:

FAILED test_client_authentication.py::test_client_auth_with_s2n_server[RSA_2048_SHA256-TLS1.0-P-384-OpenSSL-ECDHE-RSA-AES256-SHA] - AssertionError: assert TimeoutException(TimeoutExpired(['s2nd', '-X', '--self-service-blinding', '--non...
FAILED test_client_authentication.py::test_client_auth_with_s2n_server[RSA_2048_SHA384-TLS1.0-P-384-OpenSSL-ECDHE-RSA-AES128-SHA] - AssertionError: assert TimeoutException(TimeoutExpired(['s2nd', '-X', '--self-service-blinding', '--non...
FAILED test_client_authentication.py::test_client_auth_with_s2n_server[RSA_2048_SHA512-TLS1.0-P-384-OpenSSL-ECDHE-RSA-AES256-SHA] - AssertionError: assert TimeoutException(TimeoutExpired(['s2nd', '-X', '--self-service-blinding', '--non...

dougch avatar Nov 18 '20 18:11 dougch

There is a theme here... the happy_path_test is also failing:


FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-DHE-RSA-AES256-GCM-SHA384]
--
970 | FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-AES128-SHA]
971 | FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-AES256-SHA]
972 | FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-AES128-SHA256]
973 | FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-AES256-SHA256]
974 | FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-ECDHE-RSA-AES128-SHA]
975 | FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-ECDHE-RSA-AES256-SHA]
976 | FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-ECDHE-RSA-AES128-SHA256]
977 | FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-ECDHE-RSA-AES256-SHA384]
978 | FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-ECDHE-RSA-AES128-GCM-SHA256]
979 | FAILED test_happy_path.py::test_s2n_server_happy_path[RSA_4096_SHA256-TLS1.2-P-256-JavaSSL-ECDHE-RSA-AES256-GCM-SHA384]

dougch avatar Nov 20 '20 21:11 dougch