[openssl-dev] TLS 1.3 client hello issue

Mahesh Bhoothapuri maheshbhooth at gmail.com
Mon Sep 18 14:25:18 UTC 2017 

Thanks for responding.  Yes,  I have done the steps mentioned above.   Here
are my settings:

    int min_version = TLS1_3_VERSION, max_version = TLS1_3_VERSION;

    meth = isClient ? tlsv1_3_client_method() : tlsv1_3_server_method();
    //meth = isClient ? TLS_client_method() : TLS_server_method();

    ///////////////////////////////////////////////////////////
    // Create new SSL context using the chosen SSL_METHOD
    ctx = SSL_CTX_new(meth);
    if (ctx == NULL)
    {
        // throw error
    }

    if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
    {
        //  throw error
    }

    if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
    {
        // throw error
    }

    // Configure SSL to use the cipher suite specified
    // TLS1_3_TXT_AES_128_GCM_SHA256
    // ./include/openssl/tls1.h:# define
TLS1_3_TXT_AES_128_GCM_SHA256                     "TLS13-AES-128-GCM-SHA256"
    int set_cipher;
    if (! (set_cipher = SSL_CTX_set_cipher_list(ctx, cipherSuite.c_str())) )
    {
        throw (InvalidTestConfiguration("OpenSslApi::OpenSslInitContext",
                    "Failed to set ciphers"));
    }

The set_min_proto/set_max_proto calls succeed.

If I want to get the AES_128_GCM_SHA256 Cipher for TLS 1.3 to be used, are
these the steps to be used?

Should I instead, select also, AES128-GCM-SHA256 a TLS 1.2 cipher in the
list, and set the min_proto to TLS 1.2, and max_proto to 1.3 ?  I need to
avoid hitting the default case below:


static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
{
    OSSL_STATEM *st = &s->statem;

    /*
     * Note: There are no cases for TLS_ST_BEFORE because we haven't
negotiated
     * TLSv1.3 yet at that point. They are handled by
     * ossl_statem_client_write_transition().
     */
    switch (st->hand_state) {
    default:



"




On Mon, Sep 18, 2017 at 5:40 AM, Benjamin Kaduk <bkaduk at akamai.com> wrote:

> On 09/18/2017 01:07 AM, Mahesh Bhoothapuri wrote:
>
> Hi,
>
> I am sending a Tls 1.3 client hello, and am seeing an issue with
>
> ossl_statem_client_write_transition in statem_clnt.c.
>
>
>     /*
>      * Note that immediately before/after a ClientHello we don't know what
>      * version we are going to negotiate yet, so we don't take this branch
> until
>      * later
>      */
>
> /*
>  * ossl_statem_client_write_transition() works out what handshake state to
>  * move to next when the client is writing messages to be sent to the
> server.
>  */
> WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
> {
>
>     if (SSL_IS_TLS13(s))
>         return ossl_statem_client13_write_transition(s);
> }
>
> And in:
>
>
> /*
>  * ossl_statem_client_write_transition() works out what handshake state to
>  * move to next when the client is writing messages to be sent to the
> server.
>  */
> WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
> {
>
>    /*
>      * Note: There are no cases for TLS_ST_BEFORE because we haven't
> negotiated
>      * TLSv1.3 yet at that point. They are handled by
>      * ossl_statem_client_write_transition().
>      */
>
>     switch (st->hand_state) {
>     default:
>         /* Shouldn't happen */
>         return WRITE_TRAN_ERROR;
>
> }
>
> With a TLS 1.3 client hello, using tls 1.3 version, the st->hand_state is
>
>
> Sorry, I just want to clarify what you are doing -- are you taking
> SSL_CTX_new(TLS_method()) and then calling SSL_CTX_set_min_proto_version(ctx,
> TLS1_3_VERSION) and SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION)?
>
> I note that there is no version-specific TLSv1_3_method() available, and
> in any case, it's of questionable wisdom to attempt to force TLS 1.3 only
> while the specification is still in draft status -- in any case where the
> client and server implementations are not tightly controlled, negotiation
> failures seem quite likely.
>
> TLS_ST_BEFORE and so, the default error is returned.
>
> When I added :
>
>     case TLS_ST_BEFORE:
>         st->hand_state = TLS_ST_CW_CLNT_HELLO;
>         return WRITE_TRAN_CONTINUE;
>
>
> The reason there is not currently a case for TLS_ST_BEFORE is that whether
> or not we're going to be using TLS 1.3 is supposed to be determined on the
> server as part of version negotiation, so when we're sending a ClientHello,
> our version is in an indeterminate status -- the general-purpose TLS method
> must be used at that part of the handshake.
>
> The client hello gets sent out, but I only saw a TLS 1.2 version being
> sent.
> Is this a bug?
>
>
> The legacy_version field in a TLS 1.3 ClientHello will be 0x0303, matching
> the historical value for TLS 1.2.  The actual list of versions are conveyed
> in a "supported_versions" extension, which is what you need to be looking
> at.
>
> -Ben
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20170918/4b330266/attachment-0001.html>

More information about the openssl-dev mailing list