IETF Logo Mail Archive

Re: [TLS] Servers respond with BadRecordMac after ClientFinished, sent when PSK+EarlyData

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 09 August 2022 16:16 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0FE6C14F718 for <tls@ietfa.amsl.com>; Tue, 9 Aug 2022 09:16:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WFkrWRdxJdyz for <tls@ietfa.amsl.com>; Tue, 9 Aug 2022 09:16:22 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2b.welho.com [83.102.41.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49778C14CF17 for <tls@ietf.org>; Tue, 9 Aug 2022 09:16:21 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id F3C7AD01EE; Tue, 9 Aug 2022 19:16:18 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id kkwXKvY2XjR1; Tue, 9 Aug 2022 19:16:18 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id B35FA72; Tue, 9 Aug 2022 19:16:16 +0300 (EEST)
Date: Tue, 09 Aug 2022 19:16:16 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Kristijan Sedlak <xpepermint@gmail.com>
Cc: tls@ietf.org
Message-ID: <YvKIUKFo5NcQL8tY@LK-Perkele-VII2.locald>
References: <987212E5-9A26-4408-9BD5-2D26FA106D3F@gmail.com> <YvID85L+ICWVh9gi@LK-Perkele-VII2.locald> <311E53EC-C6D0-44F2-BA8E-ED15939ACEF1@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <311E53EC-C6D0-44F2-BA8E-ED15939ACEF1@gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/l0cjzi72TbtlUZCzzsk1RJqmoUs>
Subject: Re: [TLS] Servers respond with BadRecordMac after ClientFinished, sent when PSK+EarlyData
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Aug 2022 16:16:24 -0000

On Tue, Aug 09, 2022 at 09:05:31AM +0200, Kristijan Sedlak wrote:
> 
> thank’s for replying. I did verify the transcript as well. Everything
> seems to be correct. I bet if it wasn't the 1-RTT and
> 0-RTT(no-early-data) would fail too. Something weird is going on only
> in 0-RTT(early-data) case.

Well, if an implmentation incorrectly omitted EOED from transcript, that
would only fail in accepted early-data case, not in other cases.
However, looking at the library source, it seems to properly include
EOED in the transcript (however, I am not a Ruby programmer).


Wild thing to try, and extremely unlikely to work, but does removing the
EOED from the transcript (but still sending the message!) make the
server accept the client finished? If yes, the server is buggy: TLS 1.3
is very clear that EOED is part of the transcript.


> Can you maybe point me to an URL with the correct TLS1.3
> implementation where I could safely test the client?

Well, I would try testing against some major CDN that accepts early
data, as they likely have the most debugged server implementations.
As for safety, if you don't have automated repeats, I would think that
would be unlikely to trip any sort of attack detection with the CDN.

I have written a TLS implementation, but it will not support early
data.


On Tue, Aug 09, 2022 at 09:55:37AM +0200, Kristijan Sedlak wrote:
> After some sleep, I went playing with the content of the EarlyData
> sent to the server and it turned out that the "Connection: close"
> header must be present in the HTTP1.1 request. After adding it, the
> error was gone and the connection closed with Alert(0).

Well, what I think is happening here is that the server can only ever
send one alert per connection. The Connection: close then causes it
to send close_notify from early data, and so when the finished MAC is
bad, it can not send alert for it. Or else that the close from early
data causes it to get confused and silently abort the handshake.

> Is this the expected behavior and Keep-Alieve is not allowed when
> EarlyData is used or it's just the remote server implementation
> specific? If I understand the spec correctly, the behavior of the
> EarlyData part is mostly up to the implementor, and you must know
> the rules up front, right?

Keep-Alive is definitely supposed to work with early data.

The behavior specified is that if early data is accepted, the
client data consists of concatenation of the early data and the
application data the client sends. If early data is not proposed, or
it gets rejected, then client data consists of application data the
client sends.


Note that for HTTP, only GET and HEAD (and in future, QUERY) are
allowed in early data. And the requests might get 425 error, which
MUST be retried.



-Ilari

v2.23.0 | Report a Bug | By Email