Use empty renegotiate extension instead of SCSV for TLS > 1.0 #24161

Closed
wants to merge 6 commits into from

pimterry
Contributor

@pimterry pimterry commented Apr 16, 2024

This PR fixes #18790.

This is my very first OpenSSL PR, and day to day I don't write much C (and zero Perl) so I'd appreciate some careful review!

I've just emailed a signed CLA to the legal email now.

The idea here is:

  • The empty renegotiation SCSV exists only as an alternative to sending an empty renegotiation extension in client hellos, purely for backward compatibility with server TLS implementations that may not support extensions (SSL v3 & TLS 1.0).
  • OpenSSL however sends this SCSV instead of the extension for all initial client hellos.
  • This is allowed, but the backward compatibility benefits are irrelevant for connections > TLS 1.0, and other popular clients (at least BoringSSL and NSS) do not do this (they send the extension instead of the SCSV) so this creates a trivial way to fingerprint the client hellos of OpenSSL clients (and block them: see ClientHello extensions shuffling to frustrate TLS fingerprinting #19220)
  • This PR changes this, to send the empty extension instead of the SCSV in all client hellos with a minimum version > TLS 1.0.

#18790 has some discussion about the context and risks of this. I'm not well versed in that, but given that BoringSSL made the change in 2015 (https://boringssl-review.googlesource.com/c/boringssl/+/5143) and seems to have no issues doing this in all Chrome traffic, my assumption is those risks are very minimal.

Checklist
  • documentation is added or updated
  • tests are added or updated
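
Added example (not part of this PR or of OpenSSL's code): a minimal C classifier that reports whether a ClientHello signals RFC 5746 support through the SCSV cipher suite value 0x00FF or through the renegotiation_info extension 0xFF01, which is the observable difference the description above refers to. The function name, return codes and both sample messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* How a ClientHello signals RFC 5746 secure renegotiation support. */
enum { RI_MALFORMED = -1, RI_NONE = 0, RI_SCSV = 1, RI_EXTENSION = 2 };
#define ZERO32 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0
/* Constructed samples: handshake message only, no record header. */
static const uint8_t SAMPLE_SCSV[] = {      /* SCSV 0x00FF, no extensions */
    0x01, 0x00, 0x00, 0x2b, 0x03, 0x03, ZERO32, 0x00,
    0x00, 0x04, 0xc0, 0x2f, 0x00, 0xff, 0x01, 0x00 };
static const uint8_t SAMPLE_EXT[] = {       /* renegotiation_info 0xFF01 */
    0x01, 0x00, 0x00, 0x30, 0x03, 0x03, ZERO32, 0x00,
    0x00, 0x02, 0xc0, 0x2f, 0x01, 0x00, 0x00, 0x05, 0xff, 0x01, 0x00, 0x01, 0x00 };

static size_t rd16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Returns RI_* flags OR-ed together (3 = both forms), or RI_MALFORMED. */
int classify_ri(const uint8_t *m, size_t len)
{
    size_t off = 4 + 2 + 32, n, end;    /* header, legacy_version, random */
    int found = RI_NONE;
    if (len < off + 1 || m[0] != 0x01) return RI_MALFORMED;
    if ((((size_t)m[1] << 16) | rd16(m + 2)) != len - 4) return RI_MALFORMED;
    off += 1 + m[off];                              /* session_id */
    if (off + 2 > len) return RI_MALFORMED;
    n = rd16(m + off); off += 2;                    /* cipher_suites */
    if ((n & 1) || off + n + 1 > len) return RI_MALFORMED;
    for (end = off + n; off < end; off += 2)
        if (rd16(m + off) == 0x00ff) found |= RI_SCSV;
    off += 1 + m[off];                              /* compression_methods */
    if (off == len) return found;                   /* no extensions block */
    if (off + 2 > len) return RI_MALFORMED;
    n = rd16(m + off); off += 2;                    /* extensions length */
    if (off + n != len) return RI_MALFORMED;
    while (len - off >= 4) {                        /* type(2) length(2) data */
        size_t type = rd16(m + off), elen = rd16(m + off + 2);
        off += 4;
        if (elen > len - off) return RI_MALFORMED;
        if (type == 0xff01) found |= RI_EXTENSION;
        off += elen;
    }
    return off == len ? found : RI_MALFORMED;
}

int main(void)
{
    printf("SCSV sample: %d\n", classify_ri(SAMPLE_SCSV, sizeof SAMPLE_SCSV));
    printf("extension sample: %d\n", classify_ri(SAMPLE_EXT, sizeof SAMPLE_EXT));
    return 0;
}
```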

@openssl-machine openssl-machine added the hold: cla required The contributor needs to submit a license agreement label Apr 16, 2024
@t8m t8m added branch: master Merge to master branch approval: review pending This pull request needs review by a committer approval: otc review pending triaged: feature The issue/pr requests/adds a feature tests: present The PR has suitable tests present labels Apr 16, 2024
@kroeckx
Member

kroeckx commented Apr 17, 2024 via email

@pimterry
Contributor Author

@kroeckx you're absolutely right. https://www.openssl.org/docs/man3.3/man3/SSL_CTX_set_security_level.html is clear that for v3.3 the default security level is 2, and that level 1+ disallows all TLS <1.2.

That doesn't make this wrong as such (it'll just keep adding the backward compatibility in some cases unnecessarily) but it does mean we could tighten it quite a bit further to cover those cases too, and that would be a significant improvement.

It looks like ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL) is the correct way to check that the current security level for a connection s allows TLSv1, is that right?

I'll update this PR to add that later today. It looks like this is going to take quite a bit more updating of the tests, which makes sense since it now affects far more cases, but that's interesting since many will have different results at each security level. Is there any different-security-level testing I need to be aware of for that? I understand the basic test framework I think but I'm not clear how all the CI jobs etc hook together, and it'd be useful to know how to run anything like that locally.

@openssl-machine openssl-machine removed the hold: cla required The contributor needs to submit a license agreement label Apr 18, 2024
@pimterry
Contributor Author

PR updated:

  • Now uses the security level in addition to the minimum TLS level, so the RI extension is used far more widely. RI is now sent in extension format for all cases except initial connection + TLS + SECLEVEL=0 + minimum version <= 1 (where it's sent as an SCSV) and TLS 1.3 (where it's not sent at all).
  • Updates various tests accordingly, making RI an expected default extension
  • Created separate tests in test_renegotiation to more directly cover the key various cases there:
    • SECLEVEL=0 with no minimum TLS sends RI SCSV.
    • SECLEVEL=0 but TLS1.2 minimum level sends RI extension.
    • TLS1.3 minimum level sends neither SCSV nor extension.

CLA now verified too.

@pimterry pimterry requested a review from t8m April 18, 2024 16:05
@t8m t8m requested a review from mattcaswell April 18, 2024 16:45
@github-actions github-actions bot added the severity: fips change The pull request changes FIPS provider sources label Apr 18, 2024
@pimterry pimterry requested a review from mattcaswell April 19, 2024 07:46
Member

@mattcaswell mattcaswell left a comment

Looks like there is currently a conflict. Can you also rebase on the latest master (rebase NOT merge)?

@openssl-machine openssl-machine added the hold: cla required The contributor needs to submit a license agreement label Apr 19, 2024
@pimterry pimterry force-pushed the empty-RI-extension branch from eb4c60b to 16240d8 Compare April 19, 2024 11:02
@openssl-machine openssl-machine removed the hold: cla required The contributor needs to submit a license agreement label Apr 19, 2024
@pimterry
Contributor Author

Indent fixed, now rebased & mergeable on master.

Member

@mattcaswell mattcaswell left a comment

@t8m please reconfirm

@github-actions github-actions bot removed the severity: fips change The pull request changes FIPS provider sources label Apr 19, 2024
@t8m t8m added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Apr 19, 2024
@openssl-machine openssl-machine removed the approval: done This pull request has the required number of approvals label Apr 20, 2024
@openssl-machine
Collaborator

This pull request is ready to merge

@openssl-machine openssl-machine added the approval: ready to merge The 24 hour grace period has passed, ready to merge label Apr 20, 2024
@mattcaswell
Member

Pushed to master. Thanks for your contribution.

openssl-machine pushed a commit that referenced this pull request Apr 22, 2024
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #24161)
@pimterry pimterry deleted the empty-RI-extension branch April 22, 2024 14:03
fwh-dc added a commit to fwh-dc/oqs-openssl that referenced this pull request Apr 24, 2024
fwh-dc added a commit to fwh-dc/oqs-openssl that referenced this pull request Apr 24, 2024
fwh-dc added a commit to fwh-dc/oqs-openssl that referenced this pull request May 2, 2024
fwh-dc added a commit to fwh-dc/oqs-openssl that referenced this pull request May 2, 2024
openssl-machine pushed a commit that referenced this pull request May 10, 2024
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #22275)
jvdsn pushed a commit to jvdsn/openssl that referenced this pull request Jun 3, 2024
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#24161)
openssl-machine pushed a commit that referenced this pull request Jun 27, 2024
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #22275)
t8m pushed a commit to t8m/openssl that referenced this pull request Jan 9, 2025
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#22275)
Labels
approval: ready to merge The 24 hour grace period has passed, ready to merge branch: master Merge to master branch tests: present The PR has suitable tests present triaged: feature The issue/pr requests/adds a feature
Development

Successfully merging this pull request may close these issues.

Support empty "renegotiation_info" as a ClientHello extension (rather than SCSV)
6 participants