[openssl-dev] TLS 1.3 client hello issue

Benjamin Kaduk bkaduk at akamai.com
Mon Sep 18 12:40:15 UTC 2017


On 09/18/2017 01:07 AM, Mahesh Bhoothapuri wrote:
>
> Hi,
>
> I am sending a Tls 1.3 client hello, and am seeing an issue with
>
> ossl_statem_client_write_transition in statem_clnt.c.
>
>
>     /*
>      * Note that immediately before/after a ClientHello we don't know what
>      * version we are going to negotiate yet, so we don't take this branch until
>      * later
>      */
>
> /*
>  * ossl_statem_client_write_transition() works out what handshake state to
>  * move to next when the client is writing messages to be sent to the server.
>  */
> WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
> {
>
>     if (SSL_IS_TLS13(s))
>         return ossl_statem_client13_write_transition(s);
> }
>
> And in:
>
>
> /*
>  * ossl_statem_client13_write_transition() works out what handshake state to
>  * move to next when the TLSv1.3 client is writing messages to be sent to the
>  * server.
>  */
> static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
> {
>     OSSL_STATEM *st = &s->statem;
>
>     /*
>      * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated
>      * TLSv1.3 yet at that point. They are handled by
>      * ossl_statem_client_write_transition().
>      */
>
>     switch (st->hand_state) {
>     default:
>         /* Shouldn't happen */
>         return WRITE_TRAN_ERROR;
>     }
> }
>
> With a TLS 1.3 client hello, using tls 1.3 version, the st->hand_state is

Sorry, I just want to clarify what you are doing -- are you taking
SSL_CTX_new(TLS_method()) and then calling
SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION) and
SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION)?

I note that there is no version-specific TLSv1_3_method() available, and
in any case, it's of questionable wisdom to attempt to force TLS 1.3
only while the specification is still in draft status -- in any case
where the client and server implementations are not tightly controlled,
negotiation failures seem quite likely.

> TLS_ST_BEFORE and so, the default error is returned.
>
> When I added :
>
>     case TLS_ST_BEFORE:
>         st->hand_state = TLS_ST_CW_CLNT_HELLO;
>         return WRITE_TRAN_CONTINUE;
>

The reason there is not currently a case for TLS_ST_BEFORE is that
whether or not we're going to be using TLS 1.3 is supposed to be
determined on the server as part of version negotiation, so when we're
sending a ClientHello, our version is in an indeterminate status -- the
general-purpose TLS method must be used at that part of the handshake.

> The client hello gets sent out, but I only saw a TLS 1.2 version being
> sent.
> Is this a bug?

The legacy_version field in a TLS 1.3 ClientHello will be 0x0303,
matching the historical value for TLS 1.2.  The actual list of versions
is conveyed in a "supported_versions" extension, which is what you need
to be looking at.

-Ben
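Ben's point about legacy_version versus supported_versions, as an added example that is not part of this thread or of OpenSSL's code: a small parser that pulls both fields out of a constructed ClientHello body, so you can see that the 2-byte version at the front stays 0x0303 while the offered versions sit in extension 43. The function name, the sample bytes and the 0x0304 codepoint (the final TLS 1.3 value; draft builds of the time offered 0x7fNN draft values instead) are my own assumptions.

```c
#include <stddef.h>
#define EXT_SUPPORTED_VERSIONS 43   /* extension type for supported_versions */

static unsigned rd16(const unsigned char *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Parse a ClientHello body (the bytes after the 4-byte Handshake header). Stores
 * legacy_version and up to max entries of supported_versions; returns the number of
 * versions found (0 if the extension is absent) or -1 if the message is malformed. */
int parse_client_hello_versions(const unsigned char *p, size_t len,
                                unsigned *legacy_version, unsigned *versions, size_t max)
{
    size_t off, n, ext_end, count = 0;
    if (len < 35) return -1;
    *legacy_version = rd16(p); off = 34;                      /* legacy_version + random */
    n = p[off++]; if (off + n > len) return -1; off += n;     /* legacy_session_id */
    if (off + 2 > len) return -1;
    n = rd16(p + off); off += 2; if (off + n > len) return -1; off += n; /* cipher_suites */
    if (off + 1 > len) return -1;
    n = p[off++]; if (off + n > len) return -1; off += n;     /* legacy_compression_methods */
    if (off == len) return 0;                                 /* no extensions block at all */
    if (off + 2 > len) return -1;
    n = rd16(p + off); off += 2; ext_end = off + n; if (ext_end > len) return -1;
    while (off + 4 <= ext_end) {                              /* type(2) length(2) data */
        unsigned type = rd16(p + off), elen = rd16(p + off + 2);
        off += 4;
        if (off + elen > ext_end) return -1;
        if (type == EXT_SUPPORTED_VERSIONS) {                 /* ClientHello form: 1-byte list length */
            size_t vlen, i;
            if (elen < 1) return -1;
            vlen = p[off];
            if (vlen + 1 != elen || vlen % 2) return -1;      /* list must fill the extension */
            for (i = 0; i < vlen; i += 2)
                if (count < max) versions[count++] = rd16(p + off + 1 + i);
        }
        off += elen;
    }
    return off == ext_end ? (int)count : -1;
}

/* Constructed sample: a TLS 1.3 ClientHello body that offers TLS 1.3 and TLS 1.2. */
const unsigned char sample_client_hello[] = {
    0x03, 0x03,                                               /* legacy_version = 0x0303 (TLS 1.2) */
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
    0x00,                                                     /* legacy_session_id: empty */
    0x00, 0x02, 0x13, 0x01,                                   /* cipher_suites: TLS_AES_128_GCM_SHA256 */
    0x01, 0x00,                                               /* legacy_compression_methods: null */
    0x00, 0x09,                                               /* extensions length */
    0x00, 0x2b, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03      /* supported_versions: 0x0304, 0x0303 */
};
```

A real capture will carry many more extensions; the loop skips the ones it does not recognise, and a truncated message is reported as malformed rather than silently read past its end.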