Re: [TLS] Servers respond with BadRecordMac after ClientFinished, sent when PSK+EarlyData
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 09 August 2022 06:52 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FAE1C15C504 for <tls@ietfa.amsl.com>; Mon, 8 Aug 2022 23:52:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RX0KmVMY7Br9 for <tls@ietfa.amsl.com>; Mon, 8 Aug 2022 23:51:59 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BC3EC15AD43 for <tls@ietf.org>; Mon, 8 Aug 2022 23:51:36 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 1B76D19248; Tue, 9 Aug 2022 09:51:34 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id PwNRqcMjh4US; Tue, 9 Aug 2022 09:51:33 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id CF65772; Tue, 9 Aug 2022 09:51:31 +0300 (EEST)
Date: Tue, 09 Aug 2022 09:51:31 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Kristijan Sedlak <xpepermint@gmail.com>
Cc: tls@ietf.org
Message-ID: <YvID85L+ICWVh9gi@LK-Perkele-VII2.locald>
References: <987212E5-9A26-4408-9BD5-2D26FA106D3F@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <987212E5-9A26-4408-9BD5-2D26FA106D3F@gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QV5b8mHQQ7nuXj8Viy-Zm7MP0CE>
Subject: Re: [TLS] Servers respond with BadRecordMac after ClientFinished, sent when PSK+EarlyData
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Aug 2022 06:52:04 -0000
On Mon, Aug 08, 2022 at 08:15:41PM +0200, Kristijan Sedlak wrote: > Hello everyone. > > I decided to get involved here since I hit a dead end when resolving > an Alert(20) error that I get from almost all servers when using PSK > with EarlyData. > > Here's the initial issue I opened https://github.com/thekuwayama/tttls1.3/issues/48. > It relates to a specific implementation but my questions are general. > There's also a code snippet that you can run and see the issue > yourself. > > So it happens that when sending a GET request as EarlyData and then > completing the handshake with EndOfEarlyData following the > ClientFinished message, a server (e.g. ssltest.louis.info) > successfully sends a complete response but finishes the request with > Alert(20) message. It doesn't happen on 1-RTT nor 0-RTT(without early > data). If I don't send ClientFinished in 0-RTT+EarlyData I don't get > Alert(20) and everything works as expected. > > I don't see anything in the spec that would describe something like > this or would point to a different way for calculating the > ClientFinished for 0-RTT+EarlyData case. Is maybe this sentence from > the spec "PSK-based authentication happens as a side effect of key > exchange." something that some of us miss interpreter and states > that Finished message should be verified and sent only in 1-RTT? > > What could be the case here? Wild guess, the transcript is not computed over correct messages or in correct order. When server accepts early data, the sequence of messages client sends is: - ClientHello - (0-RTT data) - EndOfEarlyData - client Finished And the sequence of messages in transcript used to compute the client finished is (note the EoED, RFC 8446 section 4.4.1 is very explicit about it): - ClientHello - ServerHello - EncryptedExtensions - server Finished - EndOfEarlyData (This assumes there is no extension that would add new messages in play. There can not be HelloRetryRequest because that implicitly rejects early data.) -Ilari
- [TLS] Servers respond with BadRecordMac after Cli… Kristijan Sedlak
- Re: [TLS] Servers respond with BadRecordMac after… Ilari Liusvaara
- Re: [TLS] Servers respond with BadRecordMac after… Kristijan Sedlak
- Re: [TLS] Servers respond with BadRecordMac after… Nick Harper
- Re: [TLS] Servers respond with BadRecordMac after… Ilari Liusvaara
- Re: [TLS] Servers respond with BadRecordMac after… Kristijan Sedlak
- Re: [TLS] Servers respond with BadRecordMac after… Eric Rescorla
- Re: [TLS] Servers respond with BadRecordMac after… Kristijan Sedlak
- Re: [TLS] Servers respond with BadRecordMac after… Kristijan Sedlak
- Re: [TLS] Servers respond with BadRecordMac after… tomoya kuwayama