[gnutls-devel] _gnutls_extension_list_check() isn't RFC 5746 compliant
Henrik Grubbström
grubba at grubba.org
Mon Dec 30 19:03:02 CET 2013
Hi.
The gnutls-cli-debug 3.2.8 test "Checking for SSL 3.0 support" fails
against servers that implement RFC 5746.
The client code sends the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV:
Received on the server from the client:
10 : SSL_rsa_with_3des_ede_cbc_sha
5 : SSL_rsa_with_rc4_128_sha
4 : SSL_rsa_with_rc4_128_md5
22 : SSL_dhe_rsa_with_3des_ede_cbc_sha
19 : SSL_dhe_dss_with_3des_ede_cbc_sha
49170 : TLS_ecdhe_rsa_with_3des_ede_cbc_sha
49169 : TLS_ecdhe_rsa_with_rc4_128_sha
49160 : TLS_ecdhe_ecdsa_with_3des_ede_cbc_sha
49159 : TLS_ecdhe_ecdsa_with_rc4_128_sha
255 : TLS_empty_renegotiation_info_scsv
For which, according to RFC 5746 3.6, the server should:
o When a ClientHello is received, the server MUST check if it
includes the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does,
set the secure_renegotiation flag to TRUE.
o If the secure_renegotiation flag is set to TRUE, the server MUST
include an empty "renegotiation_info" extension in the ServerHello
message.
However the test in _gnutls_extension_list_check() doesn't like receiving
extensions it didn't request as extensions, and the test fails:
|<3>| HSK[0x657090]: SERVER HELLO (2) was received. Length 67[67], frag offset 0, frag length: 67, sequence: 0
|<3>| HSK[0x657090]: Server's version: 3.0
|<3>| HSK[0x657090]: SessionID length: 16
|<3>| HSK[0x657090]: SessionID: 52c1acce50696b6553534c3300000000
|<3>| HSK[0x657090]: Selected cipher suite: ECDHE_RSA_ARCFOUR_128_SHA1
|<3>| HSK[0x657090]: Selected compression method: NULL (0)
|<3>| EXT[0x657090]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|<2>| ASSERT: gnutls_extensions.c:177
I see a couple of possible approaches to fixing the bug (in order of
desirability):
o Have SAFE RENEGOTIATION added to session->internals.extensions_sent
whenever TLS_EMPTY_RENEGOTIATION_INFO_SCSV is in the list of supported
cipher suites.
o Have a special case in _gnutls_extension_list_check() that
just ignores this extension.
o Stop sending TLS_EMPTY_RENEGOTIATION_INFO_SCSV in this test.
Thanks and a Happy New Year!
--
Henrik Grubbström grubba at grubba.org
Roxen Internet Software AB grubba at roxen.com
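The server-side rule quoted above from RFC 5746 3.6, and the client-side "did we ask for this extension?" check that trips on the reply, as an added example that is not GnuTLS code and not part of the original message. It is written in Python; the function names, the constructed ClientHello cipher-suite and extension bytes, and the `scsv_implies_ext` switch (which models the first proposed fix, treating a sent SCSV as if the renegotiation_info extension had been sent) are assumptions of the example, not anything from gnutls_extensions.c.

```python
"""Constructed RFC 5746 3.6 exchange: SCSV in ClientHello, empty renegotiation_info
in ServerHello, and the client's unsolicited-extension check. Example code only."""
import struct

TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # signalling cipher suite value (255)
EXT_RENEGOTIATION_INFO = 0xFF01              # extension type 65281

# Two real suite values from the report's list, by their IANA code points.
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A       # 10
TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011      # 49169


def encode_cipher_suites(suites):
    """ClientHello cipher_suites vector: 2-byte length, then 2 bytes per suite."""
    body = b"".join(struct.pack("!H", s) for s in suites)
    return struct.pack("!H", len(body)) + body


def decode_cipher_suites(data):
    (n,) = struct.unpack("!H", data[:2])
    if n % 2 or len(data) != 2 + n:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]


def encode_extensions(exts):
    """Hello extensions vector: 2-byte length, then (type, length, data) entries."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts.items())
    return struct.pack("!H", len(body)) + body


def decode_extensions(data):
    if not data:
        return {}                      # a hello with no extensions vector at all
    (n,) = struct.unpack("!H", data[:2])
    if len(data) != 2 + n:
        raise ValueError("malformed extensions vector")
    exts, pos = {}, 2
    while pos < 2 + n:
        t, length = struct.unpack("!HH", data[pos:pos + 4])
        exts[t] = data[pos + 4:pos + 4 + length]
        pos += 4 + length
    return exts


def server_process_client_hello(cipher_suites_bytes, extensions_bytes):
    """RFC 5746 3.6, initial handshake. Returns (secure_renegotiation, ServerHello ext bytes)."""
    suites = decode_cipher_suites(cipher_suites_bytes)
    exts = decode_extensions(extensions_bytes)
    secure = TLS_EMPTY_RENEGOTIATION_INFO_SCSV in suites      # SCSV seen -> flag TRUE
    if EXT_RENEGOTIATION_INFO in exts:
        # renegotiated_connection is a 1-byte-length opaque vector; on an initial
        # handshake it must be empty (a single 0x00 length byte), else abort.
        if exts[EXT_RENEGOTIATION_INFO] != b"\x00":
            raise ValueError("handshake_failure: non-empty renegotiated_connection")
        secure = True
    server_exts = {}
    if secure:
        # The "1 bytes" body seen in the report: an empty renegotiated_connection.
        server_exts[EXT_RENEGOTIATION_INFO] = b"\x00"
    return secure, encode_extensions(server_exts)


def client_check_server_extensions(sent_suites, sent_ext_types, server_ext_bytes,
                                   scsv_implies_ext=True):
    """Reject any ServerHello extension the client did not ask for.

    With scsv_implies_ext=False only explicitly sent extensions count, which is the
    behaviour the report describes. With True, a sent SCSV also makes
    renegotiation_info expected (the first fix proposed above, modelled here).
    Returns (ok, offending_extension_type)."""
    expected = set(sent_ext_types)
    if scsv_implies_ext and TLS_EMPTY_RENEGOTIATION_INFO_SCSV in sent_suites:
        expected.add(EXT_RENEGOTIATION_INFO)
    for ext_type in decode_extensions(server_ext_bytes):
        if ext_type not in expected:
            return False, ext_type
    return True, None


def run_exchange(scsv_implies_ext):
    """Constructed probe: SCSV in the suite list, no extensions sent at all."""
    suites = [TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
              TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    sent_ext_types = set()
    secure, server_ext_bytes = server_process_client_hello(
        encode_cipher_suites(suites), encode_extensions({}))
    ok, offending = client_check_server_extensions(
        suites, sent_ext_types, server_ext_bytes, scsv_implies_ext)
    return secure, ok, offending


if __name__ == "__main__":
    print("strict client:", run_exchange(scsv_implies_ext=False))
    print("SCSV-aware client:", run_exchange(scsv_implies_ext=True))
```

`run_exchange(False)` reproduces the report: the server, having seen the SCSV, sets the flag and answers with extension 65281 carrying a one-byte empty body, and a client that only counts extensions it explicitly sent rejects it. `run_exchange(True)` accepts the same ServerHello because the SCSV it sent is taken to imply the extension.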