Re: [TLS] Interop failure due to wrong encoding of ServerDHParams
Hannes Mehnert <hannes@mehnert.org> Tue, 07 April 2015 13:46 UTC
Return-Path: <hannes@mehnert.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F0CA1B35A7 for <tls@ietfa.amsl.com>; Tue, 7 Apr 2015 06:46:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.388
X-Spam-Level:
X-Spam-Status: No, score=0.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MANGLED_BACK=2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pno1uuChvXgr for <tls@ietfa.amsl.com>; Tue, 7 Apr 2015 06:46:16 -0700 (PDT)
Received: from mail.mehnert.org (mail.mehnert.org [213.73.89.200]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1156D1B359C for <tls@ietf.org>; Tue, 7 Apr 2015 06:46:16 -0700 (PDT)
Received: from [192.168.1.101] (i5E86DD8A.versanet.de [94.134.221.138]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (Client CN "hannes@mehnert.org", Issuer "mehnert root CA" (not verified)) by mail.mehnert.org (Postfix) with ESMTPS id 7344E12A7 for <tls@ietf.org>; Tue, 7 Apr 2015 15:46:14 +0200 (CEST)
Message-ID: <5523DF8B.8010409@mehnert.org>
Date: Tue, 07 Apr 2015 15:45:47 +0200
From: Hannes Mehnert <hannes@mehnert.org>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: tls@ietf.org
References: <5523C7D5.8090703@redhat.com> <20150407143148.2f76a26f@pc1.fritz.box>
In-Reply-To: <20150407143148.2f76a26f@pc1.fritz.box>
OpenPGP: id=DF7C28EE
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/my_COutkA9gWcfHsvXHcPav-FEI>
Subject: Re: [TLS] Interop failure due to wrong encoding of ServerDHParams
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Apr 2015 13:46:18 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA384 Hi, On 04/07/2015 14:31, Hanno Böck wrote: > On Tue, 07 Apr 2015 14:04:37 +0200 Florian Weimer > <fweimer@redhat.com> wrote: > >> I've encountered a TLS 1.2 server implementation which sometimes >> sends a ServerDHParams structure as part of the >> ServerKeyExchange message which indicates a length of 127 bytes >> for the dh_Ys parameter, but the parameter actually sent contains >> 128 bytes. As a result, parsing the ServerKeyExchange message >> fails, leading to a handshake failure. (Maybe this happens if >> the most significant byte of dh_Ys is zero.) > > Hannes from ocaml-tls said something very similar a few days ago in > a talk at CCC Berlin. But I think he also said he observed > something like that on their servers, but doesn't know which > implementation caused it. What I discovered while running https://tls.openmirage.org (a handshake visualisation for TLS-1.* (it picks protocol version and ciphersuite at random!) - gathered around 30000 TLS sessions) was that our own OCaml-TLS implementation padded the DH parameters with 0 bytes (both the public on the wire, as well as the shared secret). When looking through the session traces, it seems that another implementation does exactly the same: padding with 0 if the DH shared/public has leading zeroes. Using the list of ciphersuites and named curve extension as fingerprint (obviously a very probabilistic approach, see below), the recorded HTTP user-agents are: 293 Google-HTTP-Java-Client/1.17.0-rc (gzip) 174 Mozilla/5.0 () 13 other Thus, it seems to be likely that some Java implementation has this behaviour. Maybe someone with more insight into the Java implementation(s) could look deeper into this!? hannes Here is the fingerprint: ciphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_SHA TLS_ECDH_ECDSA_WITH_RC4_128_SHA TLS_ECDH_RSA_WITH_RC4_128_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_EMPTY_RENEGOTIATION_INFO_SCSV extensions: EllipticCurves: SECP256R1 SECT163K1 SECT163R2 SECP192R1 SECP224R1 SECT233K1 SECT233R1 SECT283K1 SECT283R1 SECP384R1 SECT409K1 SECT409R1 SECP521R1 SECT571K1 SECT571R1 SECP160K1 SECP160R1 SECP160R2 SECT163R1 SECP192K1 SECT193R1 SECT193R2 SECP224K1 SECT239K1 SECP256K1 ECPointFormats: UNCOMPRESSED -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCQAGBQJVI9+LAAoJELyJZYjffCjuF00P/00ZeIsxcmSCHzkAn60HXEYg rVeW4aQ1ewIgGETCkQluh9QbJosKjh9w+I9FtbZnUYVd5DAb5kXpN4pKwGkc63GA U830XQ2Uy4no7TViUhvb+TnWVPpIvXAqE8IGNtvGPhRsg9JlcZzINFcECGXPK9ee /14ZlQGx00pn6vOc7Nh6oLNhcw7FViSzRwk9J9+zoa8khaGIRTCKHyw9VHCTDm13 v1U86ajfleqRqXV00NA6/pNICm1q86yW/ONcZ6pG/MQGncyzk88BXs755wlOooww vPGl6LFrYFLfpKJhbJ8KPA/G9F5kpGmjYwPitXCNxrGttnXilS4bcjSnEhvSinWc 8CB1BsWupPtDnnvN0GXoY61clxcfx+mczzepwUzgQaaI1+HEeze3IqwcyCUeXo9U bXbUki9g49cnC2k8IGyPZhR/6YRkKlGQMKcGbMR/oFQjWIIDF00beR0RZspZSzWN BHodOei2hq+XyqIZCVHm4Qf5s02sLDxBov/XTn1HMP9HBxtakbjWlHHD/k8gtIAa lJb2CKPXxZI1WuG02jz6xBcmYV1+FiFs/2M64HIoiosufmhXtiwYG0a2jqFYvv/y Ar6bTtL01m3wvUqbG9SOhCxaL8AHlk+BU1zFbQRMmBj15R6TQqJ7iWc7Fq1USwSP fx4JXDb1y5uqJ3g3AqoK =lSY1 -----END PGP SIGNATURE-----
- [TLS] Interop failure due to wrong encoding of Se… Florian Weimer
- Re: [TLS] Interop failure due to wrong encoding o… Hanno Böck
- Re: [TLS] Interop failure due to wrong encoding o… Hannes Mehnert