[openssl-dev] 1.1.0-pre4: ALPN mismatch terminates connection

Christian Heimes christian at python.org
Thu Mar 17 10:08:36 UTC 2016


Hi,

I think I found a regression in 1.1.0-pre4's ALPN code.

I'm currently porting Python's ssl module to OpenSSL 1.1.0-pre4. One of
Python's unit tests for ALPN is failing. In the test case both client
and server advertise ALPN but have no overlapping protocols. In OpenSSL
1.1.0-pre3 and all earlier versions of OpenSSL, the client was still
able to establish a connection. With pre4, the server terminates the
connection during handshake:

140348419344128:error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext:ssl/statem/statem_srvr.c:1520:

I tried all four possible combinations of client and server with 1.0.2g
and 1.1.0-pre4. Test cases with 1.1.0-pre4 on the server side always
fail. A 1.0.2g server works as expected. The problem can be reproduced
easily. I have attached the output of the commands, too.

1st screen:
$ curl -o server.pem https://raw.githubusercontent.com/python/cpython/master/Lib/test/keycert.pem
$ openssl s_server -alpn egg

2nd screen:
$ openssl s_client -connect localhost:4433 -alpn foo,bar

The regression was most likely introduced in
817cd0d52f0462039d1fe60462150be7f59d2002. It looks like
tls1_alpn_handle_client_hello_late() doesn't handle SSL_TLSEXT_ERR_NOACK
as success.

Christian
-------------- next part --------------
$ ../openssl/1.1.0-pre4/bin/openssl s_server -alpn egg
Using default temp DH parameters
ACCEPT
ALPN protocols advertised by the client: foo, bar
ERROR
140080267302656:error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext:ssl/statem/statem_srvr.c:1520:
shutting down SSL
CONNECTION CLOSED
ACCEPT


$ ../openssl/1.1.0-pre4/bin/openssl s_client -connect localhost:4433 -alpn foo,bar
CONNECTED(00000003)
139674129954560:error:14094460:SSL routines:ssl3_read_bytes:reason(1120):ssl/record/rec_layer_s3.c:1481:SSL alert number 120
---
no peer certificate available
---
No client certificate CA names sent
---
SCTs present (0)
Warning: CT validation is disabled, so not all SCTs may be displayed. Re-run with "-requestct".
---
SSL handshake has read 7 bytes and written 0 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1458207817
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

----------------------------------------------------------------


$ openssl s_server -alpn egg
Using default temp DH parameters
ACCEPT
ALPN protocols advertised by the client: foo, bar
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: P-256:P-521:P-384:secp256k1
Shared Elliptic curves: P-256:P-521:P-384:secp256k1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported


$ openssl s_client -connect localhost:4433 -alpn foo,bar
CONNECTED(00000003)
depth=0 C = XY, L = Castle Anthrax, O = Python Software Foundation, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XY, L = Castle Anthrax, O = Python Software Foundation, CN = localhost
verify return:1
---
Certificate chain
 0 s:/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost
   i:/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost
---
Server certificate
subject=/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost
issuer=/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1131 bytes and written 341 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5E7C2E42414AA123E2EC1F703033F4C84D4C00DC90BE5AD61358E687F556A7BE
    Session-ID-ctx:
    Master-Key: DFF6CC4E51009A9EA9737AC10C9C21DA246C10828E5FA5882103C3B9AC0F19705BEE2FBC45799F9DBC323BDB1BC4A9BE
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1458207713
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
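An added illustration of the behaviour discussed in the report (not code from the report, from Python's test suite or from OpenSSL): it encodes and parses the ALPN extension as defined in RFC 7301, mimics an alpn_select callback that returns "no selection" when client and server share no protocol, and shows the two outcomes of that result, the pre-pre4 one (handshake continues, "No ALPN negotiated") and the pre4 one from the transcript (fatal alert 120). The status strings stand in for OpenSSL's SSL_TLSEXT_ERR_* return codes; all names and inputs are constructed.

```python
# Added example, not code from the report or from OpenSSL. It models the ALPN
# wire format (RFC 7301) and the two possible server outcomes on a mismatch;
# the status strings stand in for OpenSSL's SSL_TLSEXT_ERR_* return codes.
import struct

NO_APPLICATION_PROTOCOL = 120  # TLS alert number seen in the s_client output

def encode_alpn(protocols):
    """ProtocolNameList: u16 total length, then u8-length-prefixed names."""
    names = [p.encode("ascii") for p in protocols]
    if not names or any(not 1 <= len(n) <= 255 for n in names):
        raise ValueError("ALPN names must be 1..255 bytes, list non-empty")
    body = b"".join(struct.pack("!B", len(n)) + n for n in names)
    return struct.pack("!H", len(body)) + body

def decode_alpn(data):
    """Parse extension_data into names, rejecting malformed lengths."""
    if len(data) < 2:
        raise ValueError("truncated ALPN extension")
    (total,) = struct.unpack("!H", data[:2])
    if total == 0 or 2 + total != len(data):
        raise ValueError("list length does not match extension length")
    names, pos = [], 2
    while pos < len(data):
        n = data[pos]
        if n == 0 or pos + 1 + n > len(data):
            raise ValueError("bad protocol name length")
        names.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return names

def server_select(server_protocols, client_ext_data):
    """Like an alpn_select callback: first server preference the client
    offers, else NOACK (nothing selected, no error)."""
    offered = set(decode_alpn(client_ext_data))
    for proto in server_protocols:
        if proto in offered:
            return ("OK", proto)
    return ("NOACK", None)

def handshake_outcome(server_protocols, client_ext_data, noack_is_success=True):
    """noack_is_success=True: behaviour up to pre3, connection proceeds with
    no ALPN. False: pre4 behaviour from the transcript, fatal alert 120."""
    status, proto = server_select(server_protocols, client_ext_data)
    if status == "OK":
        return ("connected", proto)
    if noack_is_success:
        return ("connected", None)
    return ("alert", NO_APPLICATION_PROTOCOL)
```

Running `handshake_outcome(["egg"], encode_alpn(["foo", "bar"]))` reproduces the report's scenario: the connection is established with no ALPN selected, while `noack_is_success=False` yields the alert 120 seen in the s_client output.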


