Re: Removing Extensions from Client Hello Header
On Tuesday, 12 November 2019 21:22:51 CET, Benjamin Kaduk via openssl-users wrote:
> On Tue, Nov 12, 2019 at 01:13:49PM -0700, Phil Neumiller wrote:
>> Thanks for all the useful device. I was able to get the server to accept
>> this client hello message.
>
> If you're willing/able to share, it can be useful for us to know what
> products are buggy in that they don't implement extensions in a proper,
> extensible, manner and need to have the ClientHello extensions adjusted
> like this. If we have a list of "likely suspects" it can make diagnosing
> future connection issues easier.

contributing a fingerprint to https://github.com/WestpointLtd/tls_prober
would also be really welcome, for the same reasons

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
Re: Removing Extensions from Client Hello Header
On Tue, Nov 12, 2019 at 03:08:19PM -0700, Phil Neumiller wrote:
> I find the comment below about TLS 1.3 troubling.
[...]
>     /*
>      * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
>      * for TLSv1.2 for now until we add a new API.
>      */
>     SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
>
>     if (testctx) {
>         int ret;
>
>         if (curr->list != NULL)
>             ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
>         else
>             ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);

I don't.

From SSL_CTX_set1_sigalgs.pod:

% The TLS 1.3 signature scheme names (such as "rsa_pss_pss_sha256") can also
% be used with the B<_list> forms of the API.

The TLS 1.3 schemes don't decompose into SIG+HASH, so this is just a constraint
inherent to the old API, not a bug.

-Ben
Re: Removing Extensions from Client Hello Header
I find the comment below about TLS 1.3 troubling.

static int test_set_sigalgs(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    int testresult = 0;
    const sigalgs_list *curr;
    int testctx;

    /* Should never happen */
    if (!TEST_size_t_le((size_t)idx, OSSL_NELEM(testsigalgs) * 2))
        return 0;

    testctx = ((size_t)idx < OSSL_NELEM(testsigalgs));
    curr = testctx ? &testsigalgs[idx]
                   : &testsigalgs[idx - OSSL_NELEM(testsigalgs)];

    if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
                                       TLS_client_method(),
                                       TLS1_VERSION, 0,
                                       &sctx, &cctx, cert, privkey)))
        return 0;

    /*
     * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
     * for TLSv1.2 for now until we add a new API.
     */
    SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);

    if (testctx) {
        int ret;

        if (curr->list != NULL)
            ret = SSL_CTX_set1_sigalgs(cctx, curr->list, curr->listlen);
        else
            ret = SSL_CTX_set1_sigalgs_list(cctx, curr->liststr);

        if (!ret) {

- Phillip Neumiller
Platform Engineering
Directstream, LLC
--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
Re: Removing Extensions from Client Hello Header
On Tue, Nov 12, 2019 at 01:13:49PM -0700, Phil Neumiller wrote:
> Thanks for all the useful device. I was able to get the server to accept
> this client hello message.

If you're willing/able to share, it can be useful for us to know what
products are buggy in that they don't implement extensions in a proper,
extensible, manner and need to have the ClientHello extensions adjusted
like this. If we have a list of "likely suspects" it can make diagnosing
future connection issues easier.

Thanks,

Ben
Re: Removing Extensions from Client Hello Header
Thanks for all the useful device. I was able to get the server to accept
this client hello message.

TLSv1.3 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 257
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 253
        Version: TLS 1.2 (0x0303)
        Random: 00010002000400090012…
        Session ID Length: 0
        Cipher Suites Length: 2
        Cipher Suites (1 suite)
            Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: 210
        Extension: supported_groups (len=4)
            Type: supported_groups (10)
            Length: 4
            Supported Groups List Length: 2
            Supported Groups (1 group)
                Supported Group: x25519 (0x001d)
        Extension: signature_algorithms (len=4)
            Type: signature_algorithms (13)
            Length: 4
            Signature Hash Algorithms Length: 2
            Signature Hash Algorithms (1 algorithm)
                Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                    Signature Hash Algorithm Hash: Unknown (8)
                    Signature Hash Algorithm Signature: Unknown (6)
        Extension: key_share (len=38)
            Type: key_share (51)
            Length: 38
            Key Share extension
                Client Key Share Length: 36
                Key Share Entry: Group: x25519, Key Exchange length: 32
                    Group: x25519 (29)
                    Key Exchange Length: 32
                    Key Exchange: 009201240249049209241249…
        Extension: psk_key_exchange_modes (len=2)
            Type: psk_key_exchange_modes (45)
            Length: 2
            PSK Key Exchange Modes Length: 1
            PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
        Extension: supported_versions (len=3)
            Type: supported_versions (43)
            Length: 3
            Supported Versions length: 2
            Supported Version: TLS 1.3 (0x0304)
        Extension: heartbeat (len=1)
            Type: heartbeat (15)
            Length: 1
            Mode: Peer not allowed to send requests (2)
        Extension: pre_shared_key (len=130)
            Type: pre_shared_key (41)
            Length: 130
            Pre-Shared Key extension
                Identities Length: 28
                PSK Identity (length: 8)
                    Identity Length: 8
                    Identity: 924900012492
                    Obfuscated Ticket Age: 0
                PSK Identity (length: 8)
                    Identity Length: 8
                    Identity:
                    Obfuscated Ticket Age: 0
                PSK Binders length: 98
                PSK Binders

So just one signature algorithm. Now the response I got from the OpenSSL TLS
server is this server hello.

TLSv1.3 Record Layer: Handshake Protocol: Server Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 90
    Handshake Protocol: Server Hello
        Handshake Type: Server Hello (2)
        Length: 86
        Version: TLS 1.2 (0x0303)
        Random: 7f9801c0f94da77d9d2c100cba7ff587bec25bca39defd81…
        Session ID Length: 0
        Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
        Compression Method: null (0)
        Extensions Length: 46
        Extension: supported_versions (len=2)
            Type: supported_versions (43)
            Length: 2
            Supported Version: TLS 1.3 (0x0304)
        Extension: key_share (len=36)
            Type: key_share (51)
            Length: 36
            Key Share extension
                Key Share Entry: Group: x25519, Key Exchange length: 32
                    Group: x25519 (29)
                    Key Exchange Length: 32
                    Key Exchange: ab6c1e5e5a83cdeee70487c509bd0810668a32fa2402f7d7…

Now to try the actual hardware

At least openssl TLS 1.3 is OK with just 1 signature algorithm for my special
case of external out of band PSK.

- Phillip Neumiller
Platform Engineering
Directstream, LLC
--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
Re: Removing Extensions from Client Hello Header
On 11/11/2019 20:51, Phil Neumiller wrote:
>         Extension: ec_point_formats (len=4)
>             Type: ec_point_formats (11)
>             Length: 4
>             EC point formats Length: 3
>             Elliptic curves point formats (3)
>                 EC point format: uncompressed (0)
>                 EC point format: ansiX962_compressed_prime (1)
>                 EC point format: ansiX962_compressed_char2 (2)
>         Extension: session_ticket (len=0)
>             Type: session_ticket (35)
>             Length: 0
>             Data (0 bytes)
>         Extension: encrypt_then_mac (len=0)
>             Type: encrypt_then_mac (22)
>             Length: 0
>         Extension: extended_master_secret (len=0)
>             Type: extended_master_secret (23)
>             Length: 0

You don't need these four for TLSv1.3

SSL_OP_NO_TICKET will turn off session_ticket.
SSL_OP_NO_ENCRYPT_THEN_MAC will turn off encrypt_then_mac.
SSL_OP_NO_EXTENDED_MASTER_SECRET will turn off extended_master_secret.

Don't switch off encrypt-then-mac or extended-master-secret unless you *really*
need to. They don't do anything in TLSv1.3 but if you ever ended up negotiating
TLSv1.2 by mistake for some reason then switching these things off has security
consequences.

I think the only way to get rid of ec_point_formats would be to disable EC from
being used completely. But, you need EC to be enabled in order to use TLSv1.3
(at least in 1.1.1 - in master it's different). So I don't think you can get rid
of this extension.

But I'd really look at why your hardware is failing when these extensions are
present. Is it intolerant of one particular extension? If so I'd just disable
that one.

Matt
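To act on the suggestion above of finding which extension a peer is intolerant of, it helps to list the extension types a captured ClientHello actually carries and compare them with the hello the device is known to accept. The following is an added example, not code from the thread or from OpenSSL: it walks one handshake message (without the 5-byte record header) and reports extension types outside that set. The names `unexpected_exts`, `EXPECTED` and `SAMPLE` are invented here, and the sample bytes are constructed.

```c
/* Added example, not OpenSSL code. SAMPLE is a constructed ClientHello. */
#include <stdint.h>
#include <stdio.h>
/* Extension types present in the ClientHello the thread's device accepts. */
static const uint16_t EXPECTED[] = { 10, 13, 51, 45, 43, 15, 41 };
static const uint8_t SAMPLE[] = {
    0x01, 0x00, 0x00, 0x4b, 0x03, 0x03,      /* client_hello, length, TLS 1.2 */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, /* random */
    0x00, 0x00, 0x02, 0x13, 0x02, 0x01, 0x00, 0x00, 0x20, /* sid, suite, comp, ext len */
    0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x1d,   /* supported_groups */
    0x00, 0x0d, 0x00, 0x04, 0x00, 0x02, 0x08, 0x06,   /* signature_algorithms */
    0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04, 0x00, 0x0f, 0x00, 0x01, 0x02, /* versions, heartbeat */
    0x00, 0x16, 0x00, 0x00                            /* encrypt_then_mac */
};

static size_t rd(const uint8_t *p, int n) {   /* big-endian n-byte integer */
    size_t v = 0;
    while (n-- > 0) v = v << 8 | *p++;
    return v;
}
/* Step over a vector with an n-byte length prefix; 0 if it overruns end. */
static int skip(const uint8_t **p, const uint8_t *end, int n) {
    if (end - *p < n || (size_t)(end - *p - n) < rd(*p, n)) return 0;
    *p += n + rd(*p, n);
    return 1;
}

/* m is one handshake message, without the record header. Returns how many
 * extensions are not in EXPECTED (first max stored in out), -1 if malformed. */
int unexpected_exts(const uint8_t *m, size_t len, uint16_t *out, int max) {
    const uint8_t *p, *end = m + len;
    int bad = 0;
    if (len < 38 || m[0] != 1 || rd(m + 1, 3) != len - 4) return -1;
    p = m + 38;                        /* past header, version and random */
    if (!skip(&p, end, 1) || !skip(&p, end, 2) || !skip(&p, end, 1)) return -1;
    if (end - p < 2 || rd(p, 2) != (size_t)(end - p - 2)) return -1;
    for (p += 2; p < end; ) {
        size_t i, known = 0, type;
        if (end - p < 4) return -1;
        type = rd(p, 2);
        p += 2;
        if (!skip(&p, end, 2)) return -1;      /* extension_data */
        for (i = 0; i < sizeof EXPECTED / sizeof *EXPECTED; i++)
            known |= (EXPECTED[i] == type);
        if (!known && bad++ < max) out[bad - 1] = (uint16_t)type;
    }
    return bad;
}

int main(void) {
    uint16_t out[8] = { 0 };
    int n = unexpected_exts(SAMPLE, sizeof SAMPLE, out, 8);
    if (n > 0) printf("%d unexpected, first type %u\n", n, (unsigned)out[0]);
    return n < 0;
}
```

On the constructed sample the only type reported is 22 (encrypt_then_mac), one of the extensions discussed above.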
Re: Removing Extensions from Client Hello Header
On 11/11/2019 21:09, Phil Neumiller wrote:
> The hardware wants to see a client hello like the following:

By this do you imply that if you give it additional extensions it fails? That is
a highly non-compliant implementation!!

Matt
Re: Removing Extensions from Client Hello Header
On 11/11/2019 22:12, Michael Wojcik wrote:
> -Original Message-
>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
>> Phil Neumiller
>> Sent: Monday, November 11, 2019 15:57
>>
>> Code: SSL_CTX_set_options(ctx, !SSL_OP_ALL);
>
> That's just a verbose way of saying SSL_CTX_set_options(ctx, 0).
>
> Perhaps you meant SSL_CTX_set_options(ctx, ~SSL_OP_ALL)? I certainly wouldn't
> recommend that - it would enable a host of options which aren't included in
> SSL_OP_ALL, and which you very likely shouldn't be enabling. (And also some
> you perhaps should, such as SSL_OP_SINGLE_ECDH_USE, though I don't remember
> offhand if that affects TLSv1.3.)

There is no need to enable SSL_OP_SINGLE_ECDH_USE. In fact that option does
nothing:

/* Removed from OpenSSL 1.1.0. Was 0x0008L */
# define SSL_OP_SINGLE_ECDH_USE 0x0

Matt
RE: Removing Extensions from Client Hello Header
-Original Message-
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Phil Neumiller
> Sent: Monday, November 11, 2019 15:57
>
> Code: SSL_CTX_set_options(ctx, !SSL_OP_ALL);

That's just a verbose way of saying SSL_CTX_set_options(ctx, 0).

Perhaps you meant SSL_CTX_set_options(ctx, ~SSL_OP_ALL)? I certainly wouldn't
recommend that - it would enable a host of options which aren't included in
SSL_OP_ALL, and which you very likely shouldn't be enabling. (And also some
you perhaps should, such as SSL_OP_SINGLE_ECDH_USE, though I don't remember
offhand if that affects TLSv1.3.)

SSL_OP_ALL is defined as "various bug workarounds that should be rather
harmless". I don't believe its use is appropriate here.

As with any implementation of any protocol, there are limits to OpenSSL's
ability to deal with noncompliant peers. This may be a case where you have to
customize your OpenSSL build in order to get it to connect to your
apparently-non-compliant server.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
Re: Removing Extensions from Client Hello Header
The hardware wants to see a client hello like the following:

Handshake Protocol: Client Hello
    Handshake Type: Client Hello (1)
    Length: 253
    Version: TLS 1.2 (0x0303)
    Random: 00010002000400090012…
        GMT Unix Time: Dec 31, 1969 17:00:00.0 MST
        Random Bytes: 000100020004000900120024…
    Session ID Length: 0
    Cipher Suites Length: 2
    Cipher Suites (1 suite)
        Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
    Compression Methods Length: 1
    Compression Methods (1 method)
        Compression Method: null (0)
    Extensions Length: 210
    Extension: supported_groups (len=4)
        Type: supported_groups (10)
        Length: 4
        Supported Groups List Length: 2
        Supported Groups (1 group)
            Supported Group: x25519 (0x001d)
    Extension: signature_algorithms (len=4)
        Type: signature_algorithms (13)
        Length: 4
        Signature Hash Algorithms Length: 2
        Signature Hash Algorithms (1 algorithm)
            Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                Signature Hash Algorithm Hash: SHA256 (4)
                Signature Hash Algorithm Signature: ECDSA (3)
    Extension: key_share (len=38)
        Type: key_share (51)
        Length: 38
        Key Share extension
            Client Key Share Length: 36
            Key Share Entry: Group: x25519, Key Exchange length: 32
                Group: x25519 (29)
                Key Exchange Length: 32
                Key Exchange: 009201240249049209241249…
    Extension: psk_key_exchange_modes (len=2)
        Type: psk_key_exchange_modes (45)
        Length: 2
        PSK Key Exchange Modes Length: 1
        PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
    Extension: supported_versions (len=3)
        Type: supported_versions (43)
        Length: 3
        Supported Versions length: 2
        Supported Version: TLS 1.3 (0x0304)
    Extension: heartbeat (len=1)
        Type: heartbeat (15)
        Length: 1
        Mode: Peer not allowed to send requests (2)
    Extension: pre_shared_key (len=130)
        Type: pre_shared_key (41)
        Length: 130
        Pre-Shared Key extension
            Identities Length: 28
            PSK Identity (length: 8)
                Identity Length: 8
                Identity: 924900012492
                Obfuscated Ticket Age: 0
            PSK Identity (length: 8)
                Identity Length: 8
                Identity:
                Obfuscated Ticket Age: 0
            PSK Binders length: 98
            PSK Binders

- Phillip Neumiller
Platform Engineering
Directstream, LLC
--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
Re: Removing Extensions from Client Hello Header
Code: SSL_CTX_set_options(ctx, !SSL_OP_ALL);

- Phillip Neumiller
Platform Engineering
Directstream, LLC
--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
Re: Removing Extensions from Client Hello Header
By doing the following in my code: I was able to get the Client Hello Extensions down to.

Handshake Protocol: Client Hello
    Handshake Type: Client Hello (1)
    Length: 365
    Version: TLS 1.2 (0x0303)
    Random: 19ff8a9231e83985887f5e45f2c9b243f0ccaa955beb1f03…
    Session ID Length: 32
    Session ID: ebcab15bff6e5abfc14588298b45a56f74963eda97645992…
    Cipher Suites Length: 8
    Cipher Suites (4 suites)
        Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
        Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
        Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
        Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
    Compression Methods Length: 1
    Compression Methods (1 method)
        Compression Method: null (0)
    Extensions Length: 284
    Extension: ec_point_formats (len=4)
        Type: ec_point_formats (11)
        Length: 4
        EC point formats Length: 3
        Elliptic curves point formats (3)
            EC point format: uncompressed (0)
            EC point format: ansiX962_compressed_prime (1)
            EC point format: ansiX962_compressed_char2 (2)
    Extension: supported_groups (len=8)
        Type: supported_groups (10)
        Length: 8
        Supported Groups List Length: 6
        Supported Groups (3 groups)
            Supported Group: secp521r1 (0x0019)
            Supported Group: secp384r1 (0x0018)
            Supported Group: secp256r1 (0x0017)
    Extension: session_ticket (len=0)
        Type: session_ticket (35)
        Length: 0
        Data (0 bytes)
    Extension: encrypt_then_mac (len=0)
        Type: encrypt_then_mac (22)
        Length: 0
    Extension: extended_master_secret (len=0)
        Type: extended_master_secret (23)
        Length: 0
    Extension: signature_algorithms (len=30)
        Type: signature_algorithms (13)
        Length: 30
        Signature Hash Algorithms Length: 28
        Signature Hash Algorithms (14 algorithms)
            Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                Signature Hash Algorithm Hash: SHA256 (4)
                Signature Hash Algorithm Signature: ECDSA (3)
            Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                Signature Hash Algorithm Hash: SHA384 (5)
                Signature Hash Algorithm Signature: ECDSA (3)
            Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                Signature Hash Algorithm Hash: SHA512 (6)
                Signature Hash Algorithm Signature: ECDSA (3)
            Signature Algorithm: ed25519 (0x0807)
                Signature Hash Algorithm Hash: Unknown (8)
                Signature Hash Algorithm Signature: Unknown (7)
            Signature Algorithm: ed448 (0x0808)
                Signature Hash Algorithm Hash: Unknown (8)
                Signature Hash Algorithm Signature: Unknown (8)
            Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
                Signature Hash Algorithm Hash: Unknown (8)
                Signature Hash Algorithm Signature: Unknown (9)
            Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
                Signature Hash Algorithm Hash: Unknown (8)
                Signature Hash Algorithm Signature: Unknown (10)
            Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
                Signature Hash Algorithm Hash: Unknown (8)
                Signature Hash Algorithm Signature: Unknown (11)
            Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                Signature Hash Algorithm Hash: Unknown (8)
                Signature Hash Algorithm Signature: Unknown (4)
            Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                Signature Hash Algorithm Hash: Unknown (8)
                Signature Hash Algorithm Signature: Unknown (5)
            Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                Signature Hash Algorithm Hash: Unknown (8)
                Signature Hash Algorithm Signature: Unknown (6)
            Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                Signature Hash Algorithm Hash: SHA256 (4)
                Signature Hash Algorithm Signature: RSA (1)
            Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                Signature Hash Algorithm Hash: SHA384 (5)
                Signature Hash Algorithm Signature: RSA (1)
            Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                Signature Hash Algorithm Hash: SHA512 (6)
                Signature Hash Algorithm Signature: RSA (1)
    Extension: supported_versions (len=3)
        Type: supported_versions (43)
        Length: 3
        Supported Versions length: 2
        Supported Version: TLS 1.3 (0x0304)
    Extension: psk_key_exchange_modes (len=2)
        Type: psk_key_exchange_modes (45)
        Length: 2
        PSK Key Exchange Modes Length: 1
        PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
    Extension: key_share (len=139)
        Type: key_share (51)
        Length: 139
        Key Share
Re: Removing Extensions from Client Hello Header
On 11/11/2019 19:43, Benjamin Kaduk via openssl-users wrote:
> On Mon, Nov 11, 2019 at 12:32:22PM -0700, Phil Neumiller wrote:
>> I am speaking TLS 1.3 with openssl to a hardware device that I can't change.
>> I need the client hello header to only support certain extensions, yet I

Any compliant implementation should ignore extensions it doesn't understand so
why do you need to do this?

>> see no way in the SSL API to remove the default extensions in the TLS 1.3
>> client hello. Can I clear them all and just add the ones I want? What am I
>> missing? Do I have to modify the SSL code to do this? It seems like there
>> should be an orthodox way to do this.
>
> You have to disable them one by one; see SSL_CTX_set_options(3) and (e.g.)
> SSL_OP_NO_EXTENDED_MASTER_SECRET.

Only certain headers can be disabled in this way. Many of the extensions present
in a TLSv1.3 ClientHello are necessary for proper functioning of the protocol.
Which extensions did you actually want to disable?

Matt
Re: Removing Extensions from Client Hello Header
On Mon, Nov 11, 2019 at 12:32:22PM -0700, Phil Neumiller wrote:
> I am speaking TLS 1.3 with openssl to a hardware device that I can't change.
> I need the client hello header to only support certain extensions, yet I
> see no way in the SSL API to remove the default extensions in the TLS 1.3
> client hello. Can I clear them all and just add the ones I want? What am I
> missing? Do I have to modify the SSL code to do this? It seems like there
> should be an orthodox way to do this.

You have to disable them one by one; see SSL_CTX_set_options(3) and (e.g.)
SSL_OP_NO_EXTENDED_MASTER_SECRET.

-Ben