[openssl-users] renegotiation expected to fail when trust configuration has changed.

Pfluegl, Andreas andreas.pfluegl at etm.at
Thu Nov 22 15:58:28 UTC 2018 

Hi,

We have a C++ client application and a C++ server application using OpenSSL 1.1.0f to encrypt the TCP/IP communication.

We enforce mutual authentication (also the server requests certificates from the clients and verifies if they are issued by a CA it trusts).


We are able to update certificates (Host certificates and trusted CA certificates) on clients and servers without stopping the executables or interrupting the communication. We managed the update of the trusted CA certificates by using TLS Extension #3 (trusted_ca_keys) specified in RFC6066.

We are able to remove old obsolete certificates (Host certificates and trusted CA certificates) on clients and servers without stopping the executables or interrupting the communication. New established TCP/IP sessions will always use the newest certificates.
The update of a trusted CA certificate might look like this:

  *   Server and clients are deployed with certificates issued by CA1, the CA1 certificate is deployed as trusted root certificate.
  *   Certificates issued by CAnew and the CAnew certificate will be deployed to the server and all clients. Whenever a new TCP/IP session is established the new certificates are used.
  *   Once all CAnew certificates are deployed, the CA1 certificates can be removed from the server and the clients.


We also want to force established TCP sessions to move from obsolete certificates the newest certificates be triggering a renegotiation. We expect the renegotiation to fail, if the host does not have the right set of certificates.
This works fine, if we trigger the renegotiation at the client, but the real benefit would be to do the renegotiation on the server. So we could remove all already connected malicious clients which have managed to steal obsolete certificates. But sadly this does not work the way we implemented it.

we implemented the renegotiation by essentially calling
SSL_renegotiate() and
SSL_do_handshake()

But see our trace for a better illustration what is going on.
Note!
  We use SSL_CTX_set_info_callback() to get insights into OpenSSL states and set the following essential configurations:
    SSL_CTX_set_verify(m_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, &verify_callback);
    SSL_CTX_add_client_custom_ext(m_ctx, TLSEXT_TYPE_trusted_ca_keys, &client_add_cb, nullptr, nullptr, &client_parse_cb, nullptr);
    SSL_CTX_add_server_custom_ext(m_ctx, TLSEXT_TYPE_trusted_ca_keys, &server_add_cb, nullptr, nullptr, &server_parse_cb, nullptr);


Scenario 1:  Client triggered renegotiation (Note! works as expected)

Client trace (Dist):

Comment

Trace snippet



___________HANDSHAKE_START_     fd=13 in state SSL negotiation finished successfully
___________CONNECT_LOOP__OK____ fd=13 in state SSL negotiation finished successfully

OpenSSL called custom extension callback

++ client_add_cb Entered
{

Client_add_cb calls sendTrustedCAKeys()

The list of trused CA's sent to the server.

  ++ sendTrustedCAKeys Entered
  {
    CA directory: /opt/IowaDev/Projects/WCCILProject/config/CertStore//trusted
    <== send peer a list of my trusted CAs. SHA1: A7:8F:B0:9A:96:A4:A0:4E:6F:B3:BF:4D:24:B3:85:0D:4A:64:9B:30
                                       Subject  : /C=AT/ST=OOE/O=ETM/OU=INNO/CN=CA1 file: af83623b.0
                                       Out      : A7:8F:B0:9A:96:A4:A0:4E:6F:B3:BF:4D:24:B3:85:0D:4A:64:9B:30
  } ++ sendTrustedCAKeys returns : 1 elapsed time: 3685525ns




} ++ client_add_cb returns : 1 elapsed time: 14254269ns



___________CONNECT_LOOP__OK____ fd=13 in state SSLv3/TLS write client hello
___________CONNECT_EXIT__       fd=13 in state SSLv3/TLS write client hello



Server trace (Proxy):

Comment

Trace snippet



___________HANDSHAKE_START_     fd=316 in state before SSL initialization
___________ACCEPT__LOOP__OK____ fd=316 in state before SSL initialization
___________ACCEPT__LOOP__OK____ fd=316 in state before SSL initialization

I expect server_parse_cb() returning 0 to cause the interruption of the connection.

Can you confirm this?

++ CertFileTLSContextHandler::server_parse_cb Entered
{
  == server_parse_cb: ext_type: 3 inlen: 61 in: A7:8F:B0:9A:96:A4:A0:4E:6F:B3:BF:4D:24:B3:85:0D:4A:64:9B:30
  ++ CertificateStoreDirectory::findCertBy by SHA1 Entered
  {
    certificate: fde47a0f.1 ignored! does not match A7:8F:B0:9A:96:A4:A0:4E:6F:B3:BF:4D:24:B3:85:0D:4A:64:9B:30
  } ++ CertificateStoreDirectory::findCertBy returns :   elapsed time: 1302748ns

} ++ CertFileTLSContextHandler::server_parse_cb returns : 0 elapsed time: 1351234ns



___________WRITE___ALERT_ fd=316 in state SSLv3/TLS read client hello err: fatal: decode error
___________ACCEPT__EXIT__ fd=316 in state error
11152:error:1417D0E3:SSL routines:tls_process_client_hello:parse tlsext:ssl\statem\statem_srvr.c:1209:



Scenario 2: Server triggered renegotiation (Expected to interrupt connection as well.)

Server trace (Proxy):


Comment

Trace snippet



++ TLSContextHandler::renegotiate Entered
{
  Trusting CA certificate "/C=AT/ST=OOE/O=ETM/OU=INNO/CN=CA2" file fde47a0f.1
  Use host certificate: "/C=AT/ST=OOE/L=LINZ/O=ETM/OU=INNO/CN=Sys2:Single"
           issued by  : "/C=AT/ST=OOE/O=ETM/OU=INNO/CN=CA2"
           file       : Single.1.cert.pem

  Use private key file: Single.1.key.pem



  ++ TLSContextHandler::doHandshake Entered
  {
    ___________HANDSHAKE_START_ fd=920 in state SSL negotiation finished successfully
    ___________ACCEPT__LOOP__OK____ fd=920 in state SSL negotiation finished successfully
    ___________ACCEPT__LOOP__OK____ fd=920 in state SSLv3/TLS write hello request


Here I am missing server_parse_cb() (see Server trace scenario 1)





    ___________ACCEPT__EXIT__       fd=920 in state SSL negotiation finished successfully
    SSL_do_handshake(ssl) rc: 1, SSL error: [0] SSL_ERROR_NONE, OS error: [0] No error

  } ++ TLSContextHandler::doHandshake returns : 1 elapsed time: 310500ns




} TLSContextHandler::renegotiate returns : 1 elapsed time: 3564000ns


Client trace (Dist):


Comment

Trace snippet



___________HANDSHAKE_START_     fd=13 in state SSL negotiation finished successfully
___________CONNECT_LOOP__OK____ fd=13 in state SSL negotiation finished successfully

client_add_cb ist called, but the server never gets the data! (see above)

++ client_add_cb Entered
{
  ++ sendTrustedCAKeys Entered
  {
    <== send peer a list of my trusted CAs. SHA1: A7:8F:B0:9A:96:A4:A0:4E:6F:B3:BF:4D:24:B3:85:0D:4A:64:9B:30
                                       Subject  : /C=AT/ST=OOE/O=ETM/OU=INNO/CN=CA1 file: af83623b.0
                                       Out      : A7:8F:B0:9A:96:A4:A0:4E:6F:B3:BF:4D:24:B3:85:0D:4A:64:9B:30
  } ++ sendTrustedCAKeys returns : 1 elapsed time: 3685525ns
} ++ client_add_cb returns : 1 elapsed time: 14254269ns



___________CONNECT_LOOP__OK____ fd=13 in state SSLv3/TLS write client hello
___________CONNECT_EXIT__       fd=13 in state SSLv3/TLS write client hello



Could you please advice how to solve this issue.

With best regards,
Andreas Pflügl
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20181122/554ad1b1/attachment-0001.html>

More information about the openssl-users mailing list