[openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method

Jouni Malinen j at w1.fi
Fri Jul 24 09:04:09 UTC 2015


On Thu, Jul 23, 2015 at 11:09:40PM +0000, Viktor Dukhovni wrote:
> Any chance you have a standalone test program that works with
> TLSv1_client_method(), but not with SSLv23_client_method() (and
> SSLv2 disabled).  Such code if added to "make test" might ensure
> the problem does not come back after it is fixed.
> 
> What would be excellent is a program that is both the client and
> the server (talking to itself over a socketpair perhaps, though
> that might not be portable to Windows, but perhaps it suffices
> for the test to run on Unix-like systems...).

While I do have a fully automated test setup
(http://buildbot.w1.fi/hwsim/) that runs on a single server and can be
used with OpenSSL 0.9.8 through 1.0.2, it would be quite a stretch to
claim that to be standalone in this context.. :-)

I do have an example program that comes much closer, though. eap_example
in hostap.git is a single process that runs EAP server and peer and runs
through one authentication round. By default, it is not built with
OpenSSL or for EAP-FAST, but it is straightforward to modify that to do
so.

Here's a step-by-step example of running this test:

git clone git://w1.fi/hostap.git
cd hostap/
wget http://w1.fi/p/eap-example-openssl-eap-fast.patch
patch -p1 < eap-example-openssl-eap-fast.patch 
cd eap_example/
make
./eap_example > run1
ls -l eap-fast.pac 
./eap_example > run2
grep SessionTicket run2


The eap-example-openssl-eap-fast.patch comments out the EAP-FAST
workaround where I force TLSv1_method() to be used. In other words,
with this patch, SSLv23_method() is used instead. The workaround can be
re-enabled by reverting the change in src/crypto/tls_openssl.c (#if 0
--> #if 1).

The first execution of eap_example goes through the EAP-FAST
provisioning step. This works with SSLv23_method() since no
SessionTicket is used here. As a result of that provisioning round,
the eap-fast.pac file is created with the information that the peer can use
to establish connections afterwards. On the second run (and all
following runs with the PAC file present for that matter), we'll hit the
issue with SSLv23_method(). That grep for SessionTicket in run2 shows
this type of output in the failed case:

OpenSSL: ClientHello SessionTicket extension - hexdump(len=0):
EAP-FAST: SessionTicket callback
EAP-FAST: SessionTicket (PAC-Opaque) - hexdump(len=0):
EAP-FAST: Ignore invalid SessionTicket
EAP-FAST: SessionTicket callback
EAP-FAST: SessionTicket - hexdump(len=0): [NULL]
OpenSSL: ClientHello SessionTicket extension - hexdump(len=0):


While the workaround with TLSv1_method() shows this:

OpenSSL: ClientHello SessionTicket extension - hexdump(len=60): 00 02 00 38 93 ac a7 0f 32 75 a3 88 dc b1 e4 b0 83 84 04 bd 63 ed 55 a5 37 0d 69 c9 05 a2 b4 1c f0 43 b4 d5 9b e2 2c 67 74 cf c9 3d bc 82 56 97 79 1d 03 59 5e 86 d3 e3 bd d7 a4 ca
EAP-FAST: SessionTicket callback
EAP-FAST: SessionTicket (PAC-Opaque) - hexdump(len=60): 00 02 00 38 93 ac a7 0f 32 75 a3 88 dc b1 e4 b0 83 84 04 bd 63 ed 55 a5 37 0d 69 c9 05 a2 b4 1c f0 43 b4 d5 9b e2 2c 67 74 cf c9 3d bc 82 56 97 79 1d 03 59 5e 86 d3 e3 bd d7 a4 ca
EAP-FAST: SessionTicket callback
EAP-FAST: SessionTicket - hexdump(len=0): [NULL]


This may still be quite a bit too much for OpenSSL "make test" purposes,
i.e., something without the full EAP-FAST implementation is likely to be
sufficient there. I don't have such an example available, though.
Anyway, I hope this eap_example code is useful for anyone who might be
able to make the SSLv23_method() case in OpenSSL support this use case.

I'm trying to run the full hostapd/wpa_supplicant test suite with all
OpenSSL releases, so I should at least notice regressions in the
relevant areas pretty quickly. In theory, I could also do this on
snapshot builds (or repository snapshots in general).

-- 
Jouni Malinen                                            PGP id EFC895FA
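
The "grep SessionTicket run2" comparison above can be automated as a regression check. The following is an added example, not part of the original message or of hostap: check_ticket() and scan() are hypothetical names, the sample log lines are constructed, and the TLV layout (2-byte type, 2-byte length, PAC-Opaque type 2 per RFC 5422) is an assumption consistent with the "00 02 00 38" prefix of the len=60 dump.

```python
import re

# Matches the ClientHello hexdump lines quoted in the message, e.g.
# "OpenSSL: ClientHello SessionTicket extension - hexdump(len=60): 00 02 ..."
LINE_RE = re.compile(
    r"OpenSSL: ClientHello SessionTicket extension - hexdump\(len=(\d+)\):\s*(.*)$")

PAC_TYPE_PAC_OPAQUE = 2  # assumption: PAC-Opaque TLV type from RFC 5422


def check_ticket(line):
    """Return (ok, reason) for a ClientHello SessionTicket line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    declared = int(m.group(1))
    try:
        data = bytes.fromhex(m.group(2).replace(" ", ""))
    except ValueError:
        return (False, "unparseable hexdump")
    if declared != len(data):
        return (False, f"dump has {len(data)} bytes, header says {declared}")
    if len(data) < 4:
        # The failure signature from the message: extension sent with len=0.
        return (False, "empty or short ticket: PAC-Opaque was not sent")
    tlv_type = int.from_bytes(data[0:2], "big")
    tlv_len = int.from_bytes(data[2:4], "big")
    if tlv_type != PAC_TYPE_PAC_OPAQUE:
        return (False, f"unexpected TLV type {tlv_type}")
    if tlv_len != len(data) - 4:
        return (False, f"TLV length {tlv_len} != {len(data) - 4} payload bytes")
    return (True, f"PAC-Opaque TLV with {tlv_len} payload bytes")


def scan(log_text):
    """Check every ClientHello SessionTicket line in a run log."""
    results = (check_ticket(line) for line in log_text.splitlines())
    return [r for r in results if r is not None]


# Constructed sample logs (shortened ticket, not the one from the message).
FAILED_RUN = ("OpenSSL: ClientHello SessionTicket extension - hexdump(len=0):\n"
              "EAP-FAST: Ignore invalid SessionTicket\n"
              "OpenSSL: ClientHello SessionTicket extension - hexdump(len=0):\n")
WORKING_RUN = ("OpenSSL: ClientHello SessionTicket extension - hexdump(len=8): "
               "00 02 00 04 de ad be ef\n"
               "EAP-FAST: SessionTicket callback\n")

if __name__ == "__main__":
    for name, log in (("failed", FAILED_RUN), ("working", WORKING_RUN)):
        print(name, scan(log))
```

A run log passes only if every reported ClientHello ticket is a well-formed PAC-Opaque TLV; scan(open("run2").read()) applies the same check to the output of the steps above.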

